Azure B2C via windows.net works, using B2C "user flow" via b2clogin.com does not work #859
PrismaComputer started this conversation in General
the error means that when exchanging the authorization code at the token endpoint for an id_token and access token - as the standard OIDC flow prescribes - there was no access token returned as part of the response from the IDP; this usually indicates an issue with the client's configuration at the IDP; it is an IDP question anyhow
Hello,
We have a mysterious problem. Using openidc with Azure B2C via windows.net works.
But using a B2C "user flow" via b2clogin.com does not work. From the Apache log:
requested flow is "code" but no "access_token" parameter found in the code response
But I double-checked that the flow "B2C_1_login_register_email" contains the application claim "Identity Provider Access Token = The access_token returned by the OAuth identity provider".
What else could be the problem? Does anybody have experience with Azure user flows?
Works:
OIDCProviderMetadataURL https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx/.well-known/openid-configuration
Does not Work:
OIDCProviderMetadataURL https://contoso.b2clogin.com/contoso.com/v2.0/.well-known/openid-configuration?p=B2C_1_login_register_email
Here's the output.
Works:
{
  "token_endpoint": "https://login.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/token",
  "token_endpoint_auth_methods_supported": [ "client_secret_post", "private_key_jwt", "client_secret_basic" ],
  "jwks_uri": "https://login.windows.net/common/discovery/keys",
  "response_modes_supported": [ "query", "fragment", "form_post" ],
  "subject_types_supported": [ "pairwise" ],
  "id_token_signing_alg_values_supported": [ "RS256" ],
  "response_types_supported": [ "code", "id_token", "code id_token", "token id_token", "token" ],
  "scopes_supported": [ "openid" ],
  "issuer": "https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/",
  "microsoft_multi_refresh_token": true,
  "authorization_endpoint": "https://login.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/authorize",
  "device_authorization_endpoint": "https://login.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/devicecode",
  "http_logout_supported": true,
  "frontchannel_logout_supported": true,
  "end_session_endpoint": "https://login.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/logout",
  "claims_supported": [ "sub", "iss", "cloud_instance_name", "cloud_instance_host_name", "cloud_graph_host_name", "msgraph_host", "aud", "exp", "iat", "auth_time", "acr", "amr", "nonce", "email", "given_name", "family_name", "nickname" ],
  "check_session_iframe": "https://login.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/checksession",
  "userinfo_endpoint": "https://login.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/openid/userinfo",
  "kerberos_endpoint": "https://login.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/kerberos",
  "tenant_region_scope": "EU",
  "cloud_instance_name": "microsoftonline.com",
  "cloud_graph_host_name": "graph.windows.net",
  "msgraph_host": "graph.microsoft.com",
  "rbac_url": "https://pas.windows.net"
}
Does not work:
{
  "issuer": "https://contoso.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/",
  "authorization_endpoint": "https://contoso.b2clogin.com/contoso.com/oauth2/v2.0/authorize?p=b2c_1_login_register_email",
  "token_endpoint": "https://contoso.b2clogin.com/contoso.com/oauth2/v2.0/token?p=b2c_1_login_register_email",
  "end_session_endpoint": "https://contoso.b2clogin.com/contoso.com/oauth2/v2.0/logout?p=b2c_1_login_register_email",
  "jwks_uri": "https://contoso.b2clogin.com/contoso.com/discovery/v2.0/keys?p=b2c_1_login_register_email",
  "response_modes_supported": [ "query", "fragment", "form_post" ],
  "response_types_supported": [ "code", "code id_token", "code token", "code id_token token", "id_token", "id_token token", "token", "token id_token" ],
  "scopes_supported": [ "openid" ],
  "subject_types_supported": [ "pairwise" ],
  "id_token_signing_alg_values_supported": [ "RS256" ],
  "token_endpoint_auth_methods_supported": [ "client_secret_post", "client_secret_basic" ],
  "claims_supported": [ "idp", "idp_access_token", "sub", "tfp", "iss", "iat", "exp", "aud", "acr", "nonce", "auth_time" ]
}
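As an added example (not code from this discussion or from the Apache module), the check the reply above describes, written in Python against constructed sample token responses: which members a code-flow token response must carry, and why the `idp_access_token` claim advertised in the failing metadata is a claim inside the id_token rather than the missing `access_token`. The two responses and the metadata subset are constructed, not captured from the reporter's tenant.

```python
from __future__ import annotations
import json

# Constructed sample token responses (not captured from the reporter's tenant).
# The first is the shape a working endpoint returns for response_type=code;
# the second mimics what the Apache log on this page describes: an id_token only.
WORKING_RESPONSE = json.dumps({
    "token_type": "Bearer", "expires_in": 3599,
    "access_token": "eyJ.constructed.access", "id_token": "eyJ.constructed.id",
})
ID_TOKEN_ONLY_RESPONSE = json.dumps({
    "token_type": "Bearer", "expires_in": 3599, "id_token": "eyJ.constructed.id",
})

# Subset of the failing b2clogin.com metadata shown above (constructed copy).
B2C_METADATA = {"claims_supported": ["idp", "idp_access_token", "sub", "tfp", "iss"]}


def check_code_response(body: str) -> list[str]:
    """Validate a code-flow token response the way a relying party must.

    RFC 6749 section 5.1 requires access_token and token_type; OpenID Connect
    Core section 3.1.3.3 additionally requires id_token. Returns the list of
    problems found, empty when the response is acceptable.
    """
    try:
        resp = json.loads(body)
    except ValueError:
        return ["token response is not valid JSON"]
    if "error" in resp:
        return [f"token endpoint returned error: {resp['error']}"]
    problems = [f'requested flow is "code" but no "{name}" parameter found'
                for name in ("access_token", "token_type", "id_token") if name not in resp]
    if str(resp.get("token_type", "Bearer")).lower() != "bearer":
        problems.append(f"unsupported token_type {resp['token_type']!r}")
    return problems


def idp_access_token_is_only_a_claim(metadata: dict) -> bool:
    """True when the provider advertises idp_access_token in claims_supported.

    That claim travels inside the id_token (it carries the upstream identity
    provider's token); it is not the access_token member of the token response,
    so enabling it in a user flow does not satisfy the check above.
    """
    return "idp_access_token" in metadata.get("claims_supported", [])
```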