Azure AD B2C Return with AADB2C90289 Status : ClientError #104
Comments
|
I sent an email to Microsoft team and they responded this morning, they
asked me to check if the client secret is generated correctly. They gave me
one node script to generate token, I did but still no luck. Waiting for
their response again. If I find anything I will let you know.
…On Fri, Aug 21, 2020 at 2:23 AM J ***@***.***> wrote:
I get the same exact error and have been playing with this for the last
two weeks trying to get it to work.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#104 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ADD7UTPCSTNBPCVEELZWCQ3SBW46NANCNFSM4QF57SJQ>
.
--
Thanks & Regards,
Deepak Dosaya
|
|
99% this is incorrect secret being provided to AAD B2C. If you provide a correlation id, we can check. |
|
Activity
Date : 2020-08-21T07:33:39.3764797 <+91393764797>+00:00
Name : Federate with an identity provider
CorrelationId : 65172324-7 <+91651723247>d5e-4f2f-93c7-7a323ebaef75
Category : B2C
Activity Status
Status : ClientError
Reason : We encountered an error connecting to the identity provider.
Please try again later.
…On Sat, 22 Aug, 2020, 09:34 Jas Suri, ***@***.***> wrote:
99% this is incorrect secret being provided to AAD B2C. If you provide a
correlation id, we can check.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#104 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ADD7UTOVZU5RT5VWSXK5AJ3SB5YKBANCNFSM4QF57SJQ>
.
|
|
I had the same issue and was fighting with this for two weeks getting frustrated. I figured out the solution to this though, at least for what was happening with me. There's a flaw in the documentation screenshot for the Secret Key Generation where they show the appleServiceId value as being "com.yourcompany.app1" however, this is incorrect. You should be putting the actual Service Identifier, so in their example's case it's "com.your-company.b2cservice1". Additionally, I mistakenly took my Token Key ID and used that as the Team ID (which is on one of the main screens in the Apple Developer site), which also caused the issue. Once I fixed that the service worked for me, albeit partially. For some reason, their callback URL doesn't capture the First Name, Last Name, Email ID of the user (and that's only sent the first time they successfully log in). I basically just get their Unique NameIdentifier which is just a large random string of numbers and letters. Maybe someone can figure out how to get that working better? I believe Firebase Auth captures this info. |
|
Yes, you are right. I am able to fix this issue and it was because of
Client_Secret was wrong. I used the node script again by filling required
data in that script like Team ID, Service ID and Key ID to generate token,
that it started working.
But now I have another issue that when it redirects back from apple then I
see another window of Microsoft to provide email id again and token
validation:
[image: image.png]
Url is : tenant.onmicrosoft.com/oauth2/authresp
…On Sat, Aug 22, 2020 at 7:56 PM rcnjstudent ***@***.***> wrote:
I had the same issue and was fighting with this for two weeks getting
frustrated. I figured out the solution to this though, at least for what
was happening with me. There's a flaw in the documentation screenshot for
the Secret Key Generation where they show the appleServiceId value as being
"com.yourcompany.app1" however, this is incorrect. You should be putting
the actual Service Identifier, so in their example's case it's
"com.your-company.b2cservice1". Additionally, I mistakenly took my Token
Key ID and used that as the Team ID (which is on one of the main screens in
the Apple Developer site), which also caused the issue.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#104 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ADD7UTNQMJTKRFMR422WPY3SCABFPANCNFSM4QF57SJQ>
.
--
Thanks & Regards,
Deepak Dosaya
|
|
For some reason, your image didn't come through. Can you try reposting it again? |
|
|
|
Oh, yeah so for some reason their oAuth resp does not parse out the supplied email address (even if they choose to hide their real address and use their anonymized relay address instead), First Name or Last Name from the Apple callback. I do believe it'll do this for other oAuth providers like Google/Facebook. I don't know why it doesn't do this for Apple, it seems like a pretty straightforward thing to do. This means that you would have to request their email address, first and last names separately through this form, which I think could possibly violate the terms of Sign in With Apple's privacy. |
|
Exactly, I do see apple returns display name back but I do not see email address and given_name. Anyone else is facing the same issue? |
|
This person's ASP.net Core project pulls back all the info in the response, but they're not using B2C, they're using their own authentication program they created: To anyone reading this who's more of an advanced developer-is there a way to do what he did on his callback process with B2C somehow? |
|
If anyone can share a sample of the token received back from Apple, i can determine how to get the other fields out of it. |
|
I think the response looks like this "state": "xxx",
"code": "yyy",
"id_token": "zzz",
"user": {
"name": {
"firstName":"John",
"lastName":"Doe"
},
"email":"example@privaterelay.appleid.com"
}
}Since the email and name is not returned in the actual token, we don't have the ability to parse it. |
|
This is the token data, which I received from apple. I have set return url
to https://jwt.ms/ so that it can decode and show you:
{
"typ": "JWT", "alg": "RS256", "kid":
"X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk" }.{ "exp": xx, "nbf": xx,
"ver": "1.0", "iss": "https://{tenant}.b2clogin.com/xxxx/v2.0/", "sub": "
xxxx-xx-xx-xx-xx", "aud": "xx-xx-xx-xx-xx", "nonce": "defaultNonce", "iat":
xx, "auth_time": xx, "idp": "https://appleid.apple.com", "oid": "xx-xx
-437f-b210-xx", "newUser": true, "emails": [ "testnl@gmail.com" ], "tfp":
"B2C_1_Apple" }.[Signature]
…On Tue, Aug 25, 2020 at 11:43 AM Jas Suri ***@***.***> wrote:
I think the response looks like this
"state": "xxx",
"code": "yyy",
"id_token": "zzz",
"user": {
"name": {
"firstName":"John",
"lastName":"Doe"
},
***@***.***"
}
}
Since the name is not returned in the actual token, we don't have the
ability to parse it.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#104 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ADD7UTKFCHHUKZBRLX7LCGTSCOBVTANCNFSM4QF57SJQ>
.
--
Thanks & Regards,
Deepak Dosaya
|
|
Thats a token from B2C, not from Apple |
That's not exactly true - Apple does send the full information back in a Token the first time the user logs in, which you need to decode . Here's a quick example I found for decoding what Apple generally signs back: https://sarunw.com/posts/sign-in-with-apple-3/#what-to-validate Firebase Auth is able to parse this information out for me automatically, why can't B2C? |
|
We can parse the claims in the token {
"iss": "https://appleid.apple.com",
"aud": "com.sarunw.siwa",
"exp": 1577943613,
"iat": 1577943013,
"sub": "xxx.yyy.zzz",
"nonce": "nounce",
"c_hash": "xxxx",
"email": "xxxx@privaterelay.appleid.com",
"email_verified": "true",
"is_private_email": "true",
"auth_time": 1577943013
}Then Apple send other information outside the token. |
|
@deepakdosaya - if not solved already, make sure your token (client secret) contains the kid + alg in the headers. Otherwise you get this error because https://appleid.apple.com/auth/token rejects the call with error invalid_client. Good read can be found here https://fluffy.es/how-to-solve-invalid_client-error-in-sign-in-with-apple/ |
|
I see all of sudden Microsoft started reading email address from apple
response and I see it is pre filled.
…On Fri, Sep 25, 2020 at 4:18 PM Christer Ljung ***@***.***> wrote:
@deepakdosaya <https://github.com/deepakdosaya> - if not solved already,
make sure your token (client secret) contains the kid + alg in the headers.
Otherwise you get this error because https://appleid.apple.com/auth/token
rejects the call with error invalid_client. Good read can be found here
https://fluffy.es/how-to-solve-invalid_client-error-in-sign-in-with-apple/
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#104 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ADD7UTIW2L4TD367JOG7JDDSHSRBJANCNFSM4QF57SJQ>
.
--
Thanks & Regards,
Deepak Dosaya
|
|
We are getting the same error but not reliably. We can't reproduce it but the store reviewers get the error. Could a client secret issue cause login issues some but not all of the time? |
|
You should open a support case with Microsoft, especially when you have an intermittent issue. |
|
AADB2C90289: We encountered an error connecting to the identity provider. Please try again later. Can you please check, what we are doing wrong against this correlation ID |
|
A bad request is made to |
Error parsing JWT: The parsed JWT indicates it was signed with the HS256 signature algorithm. This is the error we got from the identity provider. We have mentioned in metadata to sign token token_signing_algorithm as RS512 can you please help |
|
deepakdosaya could you please help with this issue ? |
We area having the same issue when Apple is reviewing our app. It has worked has expected until now. We have made no changes but they can not sign in. Any solution for this? |
|
We saw this happening when a user was using a VPN. Without the VPN, login worked normally. Immediately after re-enabling VPN, the problem resurfaced. We managed to get full B2C logs of this, so I filed a support ticket. |
|
We are having the same problem with an already running service. We have 10K users signed in with Apple, and no changes to the code ever since. |
Apple rotate keys every 6 months, possible the key expired.
Usually this happens if the key you setup in B2C Policy Keys is a symmetric key, instead of an asymmetric key. |
The documentation says Azure automatically renews the client secret... The "Renew secret" button also didn't work. I registered a new key on the Apple developer website, However, for accounts that failed to sign up due to the key expiry, the private email address is not included in the API connector request after key renewal, even after deleting the corresponding user in the Azure portal. For these accounts, users must click the "Stop using Sign in with Apple" button in their Apple ID account settings. |
I faced the same issue, your clue helped a lot. I added the correct appleServiceId to Function App which generates a token and it worked. |
Thanks for the blog, it helped me a lot to setup Sign in Apple for my mobile app. But unfortunetly I am not getting error while coming back from Apple to Azure return url
Reason : We encountered an error connecting to the identity provider. Please try again later.
Name : Federate with an identity provider
CorrelationId : 8560c0b8-28db-4423-bfaa-7e86f8d47035
Category : B2C
Activity Status
Status : ClientError
Reason : We encountered an error connecting to the identity provider. Please try again later.
Any clue what is going wrong.
Thanks in advance
Deepak
The text was updated successfully, but these errors were encountered: