Replies: 1 comment
-
We have an alternative solution with Oracle APEX, where the configuration (social sign-in authentication scheme) of the IdP has a user-defined identifier, so it's possible to have two IdPs with different metadata URLs having the same issuer. I'm closing as it's likely too specific to our setup and also to the use of Azure B2C.
-
Hello,
My English is a bit rusty, I hope it will be understandable:
Microsoft have implemented user flows, like changing password, over the authorize endpoint. Maybe it's a brilliant idea, but it's a bit of a pain to use and also doesn't play well with metadata configuration.
So I have such an endpoint for password change (that would be triggered from a link inside the web app) that looks like this: https://sometenant.b2clogin.com/sometenant.onmicrosoft.com/B2C_1_passwordReset/oauth2/v2.0/authorize
mod_auth_openidc only knows the authorize endpoint from the metadata, which looks like this (also a custom flow):
https://sometenant.b2clogin.com/sometenant.onmicrosoft.com/b2c_1_my_signin/oauth2/v2.0/authorize
I have trouble integrating that password change functionality so that it returns to the app with the user being logged in, in a similar way to what happens when using "forgot password?" from the Microsoft login page.
I guess it's because mod_auth_openidc is not the initiator (no state, and x_csrf not set).
I'm using a multi-provider setup, so I have a link like this:
https://my-web-site.somewhere.com/protected/redirect_uri?iss=https%3A%2F%2Fsometenant.b2clogin.com%2F&&method=get&target_link_uri=https%3A%2F%2Fmy-web-site.somewhere.com%2F&x_csrf=some-csrf
When I click on it, it's replaced with provider-specific parameters (using metadata):
https://sometenant.b2clogin.com/sometenant.onmicrosoft.com/b2c_1_my_signin/oauth2/v2.0/authorize?response_type=id_token&scope=openid&client_id=some-client-id&state=someStatePreparedByModAuthOpenIdc&redirect_uri=https%3A%2F%2Fsome-redirect-url%2Fprotected%2Fredirect_uri&nonce=somenonce
If I copy this URL manually and change "b2c_1_my_signin" to "B2C_1_Advitam_passwordReset", I can complete the password change and then be returned to the app with the new token (I see state and x_csrf are set by the module; I assume those to be opaque and I should not try to forge those).
I don't know if it's possible to do a rewrite on an outbound Location header in Apache, but I will look that way.
Maybe someone could see a better way to do this?
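As an added illustration (example code, not from mod_auth_openidc and not posted by anyone in this thread), the manual step the post describes, written as a small Python helper: it takes the authorize URL the module generated for the sign-in policy, replaces only the B2C policy path segment, and then checks that nothing else changed, in particular that the host and the parameters binding the response to the module's request (state, nonce, redirect_uri, client_id) are carried through verbatim. The sample URL and policy names are the placeholders from the post; the allow-list of policies a rewrite may target is an assumption added here so that an arbitrary path segment cannot be substituted.

```python
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed sample: the authorize URL as the module builds it from the
# sign-in policy's metadata (client id, state and nonce are placeholders).
SIGNIN_AUTHORIZE_URL = (
    "https://sometenant.b2clogin.com/sometenant.onmicrosoft.com/"
    "b2c_1_my_signin/oauth2/v2.0/authorize"
    "?response_type=id_token&scope=openid&client_id=some-client-id"
    "&state=someStatePreparedByModAuthOpenIdc"
    "&redirect_uri=https%3A%2F%2Fsome-redirect-url%2Fprotected%2Fredirect_uri"
    "&nonce=somenonce"
)

# Assumption: the only B2C user flows a rewrite is allowed to switch to.
ALLOWED_POLICIES = {"B2C_1_passwordReset"}

# Query parameters that tie the eventual response back to the request the
# module started; a rewrite must leave every one of them untouched.
BOUND_PARAMS = ("state", "nonce", "redirect_uri", "client_id")


def query_params(url: str) -> dict:
    """Decode the query string of a URL into a dict (last value wins)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def policy_segment(url: str) -> str:
    """Return the B2C policy path segment (the one starting with 'b2c_1')."""
    segments = urlsplit(url).path.split("/")
    hits = [s for s in segments if s.lower().startswith("b2c_1")]
    if len(hits) != 1:
        raise ValueError("expected exactly one B2C policy segment in the path")
    return hits[0]


def swap_b2c_policy(authorize_url: str, new_policy: str) -> str:
    """Return authorize_url with only the policy path segment replaced.

    Host, the rest of the path and the whole query string are kept as-is,
    so state, nonce and redirect_uri remain exactly what the module set.
    """
    if new_policy not in ALLOWED_POLICIES:
        raise ValueError(f"policy {new_policy!r} is not on the allow-list")
    parts = urlsplit(authorize_url)
    current = policy_segment(authorize_url)
    segments = [new_policy if s == current else s for s in parts.path.split("/")]
    return urlunsplit(parts._replace(path="/".join(segments)))


def rewrite_is_safe(original: str, rewritten: str) -> bool:
    """True if the rewrite changed nothing except the policy segment."""
    o, r = urlsplit(original), urlsplit(rewritten)
    if (o.scheme, o.netloc) != (r.scheme, r.netloc):
        return False
    # Every parameter must be identical, and the binding ones must be present.
    if query_params(original) != query_params(rewritten):
        return False
    params = query_params(rewritten)
    return all(params.get(name) for name in BOUND_PARAMS)


if __name__ == "__main__":
    reset_url = swap_b2c_policy(SIGNIN_AUTHORIZE_URL, "B2C_1_passwordReset")
    print(reset_url)
    print("safe rewrite:", rewrite_is_safe(SIGNIN_AUTHORIZE_URL, reset_url))
```

The checks are the point rather than the string surgery: whatever performs the substitution (application code, or an Apache rule on the outbound Location header as the post considers), it should only ever change the policy segment and should leave the module-generated state and nonce alone, since those are what let the module match the returned id_token to the request it initiated.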