azure-ad-b2c/samples

Userinfo Endpoint 401 unauthorized

wdbprog opened this issue · 1 comment

Hi, I'm having issues implementing the userinfo endpoint for a Salesforce integration.
I've followed this documentation: https://learn.microsoft.com/en-us/azure/active-directory-b2c/userinfo-endpoint?pivots=b2c-custom-policy
And I pretty much just implemented exactly this example project:
https://github.com/azure-ad-b2c/samples/tree/master/policies/user-info-endpoint

But when I try to call the userinfo endpoint with what seems to be a correct access token, I still get 401 Unauthorized errors.
I added Application Insights to the policy, but it doesn't come up with very useful errors:
[screenshot: userinfo Application Insights trace]

It seems to throw an error in the "client_assertion" technical profile:

    <TechnicalProfile Id="client_assertion">
      <DisplayName>client_assertion</DisplayName>
      <Protocol Name="None" />
      <InputTokenFormat>JWT</InputTokenFormat>
      <Metadata>
        <!-- Update the Issuer and Audience below -->
        <!-- Audience is optional, Issuer is required -->
        <Item Key="issuer">https://tenant.b2clogin.com/tfp/11111111-1111-1111-1111-111111111111/POLICY/v2.0/</Item>
        <!-- <Item Key="audience">[ "e557471f-d91a-43fa-875a-255062dec533" ]</Item> -->
        <Item Key="client_assertion_type">urn:ietf:params:oauth:client-assertion-type:jwt-bearer</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
      </OutputClaims>
    </TechnicalProfile>

Also, the issuer URL in the documentation says it's supposed to be:
https://yourtenant.b2clogin.com/11111111-1111-1111-1111-111111111111/v2.0/
But when checking the .well-known/openid-configuration, it showed our issuer to have a different format, namely this one: https://yourtenant.b2clogin.com/tfp/11111111-1111-1111-1111-111111111111/POLICY NAME/v2.0/
So I tried both and still no luck.
Am I missing something, or is there something missing in the documentation? For example, the section on how to call the userinfo endpoint isn't very clear.

https://yourtenant.b2clogin.com/<>/v2.0/

Followed this article: https://medium.com/the-new-control-plane/using-the-userinfo-endpoint-in-azure-ad-b2c-41a01c4907a2

Run the custom policy in the Azure portal and you will see the issuer in the token.

If you use the same token for the userinfo endpoint it will work, but it won't work for tokens generated from another policy for the same user. Am I missing something here?
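The behaviour described in the thread (a token from the same policy works, one from another policy gets 401) follows from the client_assertion profile: it verifies the JWT signature and then requires the token's `iss` to equal the metadata `issuer` value exactly, and under the `tfp` format that value contains the policy name. The following diagnostic, added here and not part of the sample project or this issue, mirrors those two checks against a constructed HS256 token (B2C signs with RS256; the comparison logic is the same) and reports why a token would be rejected; the hint strings in `explain_mismatch` are assumptions for the operator, not messages B2C emits.

```python
import base64
import binascii
import hashlib
import hmac
import json


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 JWT for the demo; a real B2C token is RS256-signed."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def explain_mismatch(token_iss: str, configured_iss: str) -> str:
    """Compare the token's iss with the policy's metadata issuer value (hypothetical hints)."""
    if token_iss == configured_iss:
        return "ok"
    if token_iss == configured_iss.strip().strip('"'):
        return "configured issuer carries stray quotes or whitespace"
    if token_iss.rstrip("/") == configured_iss.rstrip("/"):
        return "trailing-slash mismatch"
    return "issuer-mismatch: token was issued by a different policy or issuer format"


def diagnose(token: str, configured_iss: str, key: bytes) -> str:
    """Mirror the client_assertion profile: signature first, then exact issuer match."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    header, payload, sig = parts
    try:
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return "bad-signature"
        claims = json.loads(_b64url_decode(payload))
    except (binascii.Error, ValueError):
        return "malformed"
    return explain_mismatch(claims.get("iss", ""), configured_iss)
```

Decode the `iss` of a token minted by each policy (the portal's "Run now" output, as the comment above suggests) and feed it together with the metadata value to see which branch the 401 corresponds to.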