Authentication Error 401 with Azure B2C

Hi everyone,

We’re encountering an issue with Azure B2C authentication and hoping someone here might be able to help. Despite having all configurations seemingly correct, we are getting a failure when sending the authentication code.

Here are the details of the error we're encountering:

```json
{
    "message": "Failed to identify user for token: 942d15d931cd2961b39fca895e5cf669 deploymentId: 91bad5ae-7619-4ee9-918e-7c9c1cbdbc81",
    "code": "unauthorized",
    "status": 401,
    "contextId": "5e6acc3a-004f-497c-ae81-8020513454ab",
    "details": [],
    "errors": []
}
```

We have double-checked the configurations and they appear to be correct. However, we are still receiving a 401 Unauthorized error.

Has anyone experienced a similar issue or have any suggestions on how to troubleshoot this? Any help or insights would be greatly appreciated!

Thanks in advance!

Hi,

I'm seeing the following error message:
invalid_grant (AADB2C90087: The provided grant has not been issued for this version of the protocol endpoint. Correlation ID: b77ef0ee-1102-4ea2-91fd-cbddafb90c57.)

Make sure you are using Azure /v2 endpoints.

Hope this helps,

Regards,
V.P.

I'm not sure about that. In the authentication flow, we are using the /oauth2/v2.0/authorize and /oauth2/v2.0/token endpoints. However, I am checking the /.well-known/openid-configuration endpoint and the URLs don't contain the /v2.0/.

Maybe that's the problem?

```json
{
  "issuer": "https://[tenant].b2clogin.com/xxxxxxxx/",
  "authorization_endpoint": "https://[tenant].b2clogin.com/[tenant].onmicrosoft.com/[policy]/oauth2/authorize",
  "token_endpoint": "https://[tenant].b2clogin.com/[tenant].onmicrosoft.com/[policy]/oauth2/token",
  "end_session_endpoint": "https://[tenant].b2clogin.com/[tenant].onmicrosoft.com/[policy]/oauth2/logout",
  "jwks_uri": "https://[tenant].b2clogin.com/[tenant].onmicrosoft.com/[policy]/discovery/keys",
...
```
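A small check for the point raised in this post, added here as an example (it is not code from the thread or from Microsoft): build the v2.0 metadata URL for a tenant/policy, then inspect a discovery document and flag any protocol endpoint that does not go through `/oauth2/v2.0/`, that belongs to a different policy than the one the app signs in with, or whose JWKS is not on the tenant's own b2clogin.com host. The two sample documents are constructed with a placeholder tenant `contoso`, policy `B2C_1_susi` and a nil GUID; the first copies the shape of the document pasted above.

```python
"""Check that a B2C discovery document advertises the v2.0 protocol endpoints.

Added example for this thread; not code from the original post or from
Microsoft. The sample documents below are constructed: they copy the shape of
the one pasted above, with a placeholder tenant, policy name and nil GUID.
"""
import json
from urllib.parse import urlparse

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "end_session_endpoint")


def discovery_url(tenant: str, policy: str) -> str:
    """Metadata URL for a B2C user flow or custom policy on the v2.0 endpoint."""
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/v2.0/.well-known/openid-configuration")


def endpoints_on_v2(doc: dict) -> dict:
    """For each protocol endpoint, True if its path goes through /oauth2/v2.0/."""
    return {key: "/oauth2/v2.0/" in urlparse(doc.get(key, "")).path
            for key in ENDPOINT_KEYS}


def check_discovery(doc: dict, tenant: str, policy: str) -> list:
    """Return a list of problems; an empty list means the document looks right."""
    problems = []
    for key, on_v2 in endpoints_on_v2(doc).items():
        if not on_v2:
            problems.append(f"{key} is not a v2.0 endpoint: {doc.get(key)!r}")
    for key in ENDPOINT_KEYS:
        # A code is only valid at the token endpoint of the policy that issued it.
        if f"/{policy}/".lower() not in doc.get(key, "").lower():
            problems.append(f"{key} does not belong to policy {policy}")
    if urlparse(doc.get("jwks_uri", "")).hostname != f"{tenant}.b2clogin.com":
        problems.append("jwks_uri is not on this tenant's b2clogin.com host")
    return problems


# Constructed: the shape of the document pasted in the thread (v1-style paths).
V1_DOC = json.loads("""{
  "issuer": "https://contoso.b2clogin.com/00000000-0000-0000-0000-000000000000/",
  "authorization_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_susi/oauth2/authorize",
  "token_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_susi/oauth2/token",
  "end_session_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_susi/oauth2/logout",
  "jwks_uri": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_susi/discovery/keys"
}""")

# Constructed: what the same policy's v2.0 metadata document advertises.
V2_DOC = json.loads("""{
  "issuer": "https://contoso.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
  "authorization_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_susi/oauth2/v2.0/authorize",
  "token_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_susi/oauth2/v2.0/token",
  "end_session_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_susi/oauth2/v2.0/logout",
  "jwks_uri": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_susi/discovery/v2.0/keys"
}""")

if __name__ == "__main__":
    print(discovery_url("contoso", "B2C_1_susi"))
    for name, doc in (("v1", V1_DOC), ("v2", V2_DOC)):
        print(name, check_discovery(doc, "contoso", "B2C_1_susi") or "ok")
```

Fetch the document from the URL `discovery_url()` returns (the one with `/v2.0/` before `.well-known`) rather than the legacy one; if the endpoints it lists still lack `/oauth2/v2.0/`, the app is pointed at the wrong metadata, and a code obtained at a v2.0 authorize endpoint will not redeem at a v1 token endpoint.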

Hi,

Yes, it could be indeed. How did you get the endpoints?
As far as I know, endpoints are given by Microsoft portal.
You can check them for your application.

But I'm not that familiar with policies, so can't guarantee you that it applies in the same way.

What I can tell is:

Hope this helps,

Regards,
V.P.

Thanks! Now it works in my local web environment. But I'm trying to use it in a React Native app and the same unauthorized error is still happening.

The B2C sign-in URL has the same parameters in both, except for redirect_uri, which is normal.

```json
{
  "message": "Failed to identify user for token: dd6e8e32f80c1a99d50a25cf55b0ca3f deploymentId: 91bad5ae-7619-4ee9-918e-7c9c1cbdbc81",
  "code": "unauthorized",
  "status": 401,
  "contextId": "322576db-4181-4c5d-bfdf-593f5b48a985",
  "details": [],
  "errors": []
}
```

Hi,

I can see a different error now:
invalid_request (AADB2C90084: Public clients should not send a client_secret when redeeming a publicly acquired grant. Correlation ID: b08e1dd4-8884-4101-9fd1-f5985ad0dcac Timestamp: 2024-08-30 11:15:29Z )
The type of app created on the Azure side should not be public but private (i.e. with a secret configured).
Googling on the error code should point you in the right direction, I think.
Ex: b2c-user-flows error AADB2C90084: Public clients should not send a client_secret · Issue #5808 · AzureAD/microsoft-authentication-library-for-js · GitHub

Hope this helps,

Regards,
V.P.

Thanks,

I will check it on Google.

It's a bit weird because we use the authorize flow inside a WebView and then we use the code to get the common token request without using client_secret. And the first code after login works when I use it in a normal web flow but fails in the app flow.

Let me know if you need any further assistance!

Regards,
Ivan

Hi,

This is likely the issue. The Genesys OpenID integration always sets the secret when exchanging the code (i.e. when invoking the /token endpoint).
Currently, public clients are not supported. You have to use a client secret.

Hope this helps,

Regards,
V.P.
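A worked model of the rule behind AADB2C90084 and of the constraint described in this reply, added here as an example; it is not code from the thread, from Azure B2C or from Genesys Cloud. It plays both sides of the exchange: a mock authorize/token endpoint that issues a code tied to the platform type of the redirect URI it was acquired through, and a client that redeems it with or without `client_secret`. A grant acquired through a public (mobile/desktop) redirect is rejected when a secret is attached, which is the failure in the thread, while the same grant redeems cleanly with PKCE and no secret; a grant acquired through a web redirect requires the secret. The app registration, secret, redirect URIs and all identifiers are constructed placeholders.

```python
"""Why a code exchange returns AADB2C90084: a simplified model (added example).

Added for this thread; not Azure B2C's or Genesys Cloud's code. It models the
rule named by the error: a grant obtained through a redirect URI registered
on a public platform (mobile/desktop) must be redeemed without client_secret,
while one obtained through a web platform redirect must be redeemed with it.
The app registration, secret, redirect URIs and mock endpoint are constructed.
"""
import base64
import hashlib
import secrets

# Constructed app registration: each redirect URI belongs to one platform type.
APP = {
    "client_id": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real app
    "client_secret": "constructed-client-secret",
    "redirect_uris": {
        "https://localhost:3000/callback": "web",    # confidential platform
        "myapp://auth/callback": "public",           # mobile/desktop platform
    },
}


def s256(verifier: str) -> str:
    """PKCE S256 code_challenge for a code_verifier (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce():
    """Return (code_verifier, code_challenge); the verifier is 43 chars of base64url."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256(verifier)


class MockB2C:
    """Mock authorize + token endpoints implementing only the public/confidential rule."""

    def __init__(self, app):
        self.app = app
        self.codes = {}  # code -> how it was acquired

    def authorize(self, redirect_uri, code_challenge=None):
        """Issue a one-time code; the redirect URI's platform fixes how it may be redeemed."""
        platform = self.app["redirect_uris"][redirect_uri]  # unregistered URI -> KeyError
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"redirect_uri": redirect_uri, "platform": platform,
                            "code_challenge": code_challenge}
        return code

    def token(self, form):
        """Redeem a code; returns a token response or an OAuth-style error object."""
        grant = self.codes.pop(form.get("code"), None)  # codes are single-use
        if grant is None or grant["redirect_uri"] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        if grant["platform"] == "public":
            if "client_secret" in form:
                return {"error": "invalid_request",
                        "error_description": "AADB2C90084: Public clients should not send a "
                                             "client_secret when redeeming a publicly acquired grant."}
            if grant["code_challenge"] and s256(form.get("code_verifier", "")) != grant["code_challenge"]:
                return {"error": "invalid_grant", "error_description": "PKCE verification failed"}
        elif form.get("client_secret") != self.app["client_secret"]:
            return {"error": "invalid_client"}
        return {"token_type": "Bearer", "access_token": "constructed-access-token"}


def redeem(b2c, redirect_uri, send_secret, use_pkce=False):
    """Drive authorize then token for one redirect URI; returns the token response."""
    verifier, challenge = make_pkce() if use_pkce else (None, None)
    code = b2c.authorize(redirect_uri, challenge)
    form = {"grant_type": "authorization_code", "client_id": b2c.app["client_id"],
            "code": code, "redirect_uri": redirect_uri}
    if send_secret:  # what the reply above says the Genesys integration always does
        form["client_secret"] = b2c.app["client_secret"]
    if verifier:
        form["code_verifier"] = verifier
    return b2c.token(form)


if __name__ == "__main__":
    b2c = MockB2C(APP)
    print("web + secret:   ", redeem(b2c, "https://localhost:3000/callback", True))
    print("mobile + secret:", redeem(b2c, "myapp://auth/callback", True))
    print("mobile + PKCE:  ", redeem(b2c, "myapp://auth/callback", False, use_pkce=True))
```

The second case is the one in this thread: the code was acquired through the app's own (public) redirect, and the party redeeming it always attaches a secret. Since the redeemer here cannot drop the secret, the grant has to become a confidential one, which means the redirect URI the code is issued to must be registered on a web platform with a secret.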

Thanks for the clarification.

So one possible solution would be to create a website with a private authentication flow and use it as a bridge between the mobile app, B2C, and Genesys.

Regards,
Ivan.

That could be an option.
Keep in mind that troubleshooting authentication with "more layers" could be a challenge.
Feel free also to open a feature request if you think that supporting public clients (i.e. authentication without a secret) is required for your use case.
Nobody asked for that so far.

Regards,
V.P.
