
Issue with Azure AD B2C oauth/OpenIdConnect

I have an odd issue with Azure authentication. It works in one scenario (logging in with an Angular app using ADAL) but not in another (loading the ASP.NET Web API and logging in via the Swagger UI authorise mechanism). I have narrowed it down to a POST to the

https://login.microsoftonline.com/te/{tenantid}/oauth2/authresp

endpoint which rather unhelpfully returns:

302

<html>
 <head>
  <title>Object moved</title></head>
  <body>
   <h2>Object moved to <a href="http://localhost:49919/swagger/ui/oauth2redirect-html#error=server_error&amp;error_description=AADB2C%3a+An+exception+has+occured.%0d%0aCorrelation+ID%3a+1816d2f8-aa74-4433-a7c0-d9c8fabebdb0%0d%0aTimestamp%3a+2017-10-27+13%3a46%3a08Z%0d%0a&amp;state={ommitted}">here</a>.</h2>
</body>
</html>

Basically telling me an exception has occurred.

error_description = AADB2C An exception has occured.

CorrelationID = 1816d2f8-aa74-4433-a7c0-d9c8fabebdb0

Timestamp = 2017-10-27 13:46:08

The Angular app does exactly the same POST, but that one returns a link with the ID token:

302

<html>
  <head>
   <title>Object moved</title>
  </head>
  <body>
   <h2>Object moved to <a href="http://localhost:4200/#state={state -
   ommitted}&amp;id_token={id token - omitted}">here</a>.
    </h2>
   </body>
 </html>

I can't see any differences in the POSTs. This one does not work (initiated from the Swagger UI on the Web API project):

POST https://login.microsoftonline.com/te/{tenant - omitted}/oauth2/authresp HTTP/1.1
Host: login.microsoftonline.com
Connection: keep-alive
Content-Length: 1595
Cache-Control: max-age=0
Origin: https://login.microsoftonline.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
DNT: 1
Referer: https://login.microsoftonline.com/{tenant - omitted}/oauth2/authorize?client_id={clientid - omitted}&redirect_uri=https:%2f%2flogin.microsoftonline.com%2fte%2f{tenant - omitted}%2foauth2%2fauthresp&response_type=id_token&response_mode=form_post&nonce={nonce}&state=StateProperties
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,de-CH;q=0.8,de;q=0.7,fr-CH;q=0.6,fr;q=0.5,it-CH;q=0.4,it;q=0.3
Cookie: {cookie - omitted}=; x-ms-gateway-slice=005; stsservicecookie=cpim_te

id_token={omitted}

But this post does:

POST https://login.microsoftonline.com/te/{tenant - omitted}/oauth2/authresp HTTP/1.1
Host: login.microsoftonline.com
Connection: keep-alive
Content-Length: 1590
Cache-Control: max-age=0
Origin: https://login.microsoftonline.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
DNT: 1
Referer: https://login.microsoftonline.com/{tenant - omitted}/oauth2/authorize?client_id={clientid - omitted}&redirect_uri=https:%2f%2flogin.microsoftonline.com%2fte%2f{tenant - omitted}%2foauth2%2fauthresp&response_type=id_token&response_mode=form_post&nonce={nonce}&state=StateProperties
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,de-CH;q=0.8,de;q=0.7,fr-CH;q=0.6,fr;q=0.5,it-CH;q=0.4,it;q=0.3
Cookie: {cookie - omitted}; x-ms-gateway-slice=003; stsservicecookie=cpim_te

id_token={omitted}

As the POSTs are pretty much identical, the issue must lie somewhere in either the cookie or the ID token (which I cannot supply for security reasons). Pasting the ID tokens from both requests into http://www.jwt.io gives me the same information, with the correct claims present in both. So I am a little stuck and hoping someone from the Azure team can step in and help?

Many thanks

mbx-mbx asked Oct 27 '17 14:10


1 Answer

Based on the Referer in your request samples, it looks like you're not calling the /v2.0/ B2C endpoint. For example, in the following request, the path should be /{tenant}/oauth2/v2.0/authorize...

https://login.microsoftonline.com/{tenant}/oauth2/authorize?client_id={clientid}&redirect_uri=https:%2f%2flogin.microsoftonline.com%2fte%2f{tenant}%2foauth2%2fauthresp&response_type=id_token&response_mode=form_post&nonce={nonce}&state=StateProperties

Due to this, you're getting unexpected behavior across both your apps. This also means that the applications you are using were not created using B2C portal (we verified this via our offline chat as well).

As of now, B2C ONLY supports applications created through the B2C portal. So, if you can kindly create an application through the B2C portal, and try again, you should have this issue resolved.

Omer Iqbal answered Oct 01 '22 08:10
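Added example (Python, not code from the question or the answer): two small troubleshooting helpers for what this thread comes down to. The first breaks the AADB2C error carried in the 302 Location fragment into its fields (message, correlation ID, timestamp), which is what you need when opening a support case; the second checks whether an authorize URL such as the one in the Referer uses the /oauth2/v2.0/ path the answer says B2C requires and carries the parameters an id_token request needs. The sample URLs are constructed from the placeholders shown on the page.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the redirect target from the failing request in the
# question, with the state value replaced by a placeholder.
LOCATION = ("http://localhost:49919/swagger/ui/oauth2redirect-html"
            "#error=server_error&error_description=AADB2C%3a+An+exception+has+occured."
            "%0d%0aCorrelation+ID%3a+1816d2f8-aa74-4433-a7c0-d9c8fabebdb0"
            "%0d%0aTimestamp%3a+2017-10-27+13%3a46%3a08Z%0d%0a&state=omitted")

# Constructed samples: the authorize URL from the Referer (wrong path) and the
# same URL on the /oauth2/v2.0/ path the answer points to.
_QUERY = ("?client_id={clientid}&redirect_uri=https:%2f%2flogin.microsoftonline.com"
          "%2fte%2f{tenant}%2foauth2%2fauthresp&response_type=id_token"
          "&response_mode=form_post&nonce={nonce}&state=StateProperties")
BAD_AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/authorize" + _QUERY
FIXED_AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize" + _QUERY


def parse_b2c_error(location):
    """Split the fragment of an implicit-flow error redirect into its parameters
    and break the multi-line AADB2C error_description into labelled fields."""
    fragment = urlsplit(location).fragment
    params = {k: v[0] for k, v in parse_qs(fragment).items()}
    result = {"error": params.get("error"), "state": params.get("state")}
    # parse_qs already decoded '+' to spaces and %0d%0a to CRLF; the first line
    # is the message, the remaining lines are "Label: value" pairs.
    lines = [ln for ln in params.get("error_description", "").split("\r\n") if ln]
    if lines:
        result["message"] = lines[0]
        for ln in lines[1:]:
            label, _, value = ln.partition(": ")
            result[label.lower().replace(" ", "_")] = value
    return result


def check_authorize_url(url):
    """Return a list of findings (empty when the URL looks right): the path must
    end in /oauth2/v2.0/authorize (policy-qualified B2C paths end the same way),
    and an id_token request needs client_id, redirect_uri, response_type and nonce."""
    parts = urlsplit(url)
    findings = []
    if not parts.path.endswith("/oauth2/v2.0/authorize"):
        findings.append("path %s is not /{tenant}/oauth2/v2.0/authorize" % parts.path)
    query = parse_qs(parts.query)
    for name in ("client_id", "redirect_uri", "response_type", "nonce"):
        if name not in query:
            findings.append("missing query parameter %s" % name)
    return findings
```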