Azure AD B2C breaks OIDC spec

Question

I've configured a custom policy with AAD B2C IEF per this link and am now trying to integrate it into API Gateway as a JWT authorizer per this link.

However, attempting to configure the authorizer throws an error

error updating API Gateway v2 authorizer
BadRequestException
Caught exception when connecting to https://tenant-domain.b2clogin.com/tenant-id-here/v2.0/.well-known/openid-configuration for issuer https://tenant-domain.b2clogin.com/tenant-id-here/v2.0/.
Please try again later.
Error:
Invalid issuer:
https://tenant-domain.b2clogin.com/tenant-id-here/v2.0/.
Issuer must have a valid discovery endpoint ended with '/.well-known/openid-configuration

The actual discovery endpoint is https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/v2.0/.well-known/openid-configuration, however, that returns a doc as below, which has a different issuer than the discovery URL.

{
  "issuer": "https://tenant-domain.b2clogin.com/tenant-id-here/v2.0/",
  "authorization_endpoint": "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/authorize",
  "token_endpoint": "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/token",
  "end_session_endpoint": "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/logout",
  "jwks_uri": "https://tenant-domain.b2clogin.com/tenant-domain.onmicrosoft.com/b2c_1a_signup_signin/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "code id_token",
    "code token",
    "code id_token token",
    "id_token",
    "id_token token",
    "token",
    "token id_token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "claims_supported": [
    "name",
    "given_name",
    "family_name",
    "email",
    "sub",
    "tid",
    "iss",
    "iat",
    "exp",
    "aud",
    "acr",
    "nonce",
    "auth_time"
  ]
}

Looking at this issue and the spec, it looks like AAD is not spec compliant.

Is there any way to get this to work or do I have to move to a spec-compliant OIDC provider?

Answer 1

Please try to configure issuer URL including tfp for token compatibility.

For more details see: Token compatibility which says:

Note : iss claim i.e; issuer identifies tenant of azure ad b2c that issued the token. Usually the value is some thing like this :https://<domain>/{B2C tenant GUID}/v2.0/

But If your application or library needs Azure AD B2C to be compliant with the OpenID Connect Discovery 1.0 spec, use this https://<domain>/tfp/{B2C tenant GUID}/{Policy ID}/v2.0/ as it includes IDs for both the Azure AD B2C tenant and the user flow that was used in the token request.

For example:

“issuer” : “https://your-tenant-name.b2clogin.com/tfp/c5b2xxxxxxxxx0-8axxxxxx3d3b/B2C_1A_signin/v2.0/”

or

https://{tenantID}.b2clogin.com/tfp/{tenantID}/{policy-name}/v2.0/

References:

1. Configure the Azure Active Directory B2C provider manually - Power Apps | Microsoft Docs
2. AzureAD Authentication with AWS API Gateway v2 JWT Authorizers | rayterrill.com