Azure AD B2C returns AADSTS70000 error on token request

Question

I have a web API attempting to get set of access and refresh tokens for a B2C user. User sign-in is done through a configured "Social identity provider".

The API receives authorization code. When exchanging code for the tokens, Azure AD B2C tenant's endpoint endpoint returns invalid_grant error.

I have looked at the other answers I've found on the site. The issue still remains. Pointers are much appreciated.

Details as follows.

Sign-up and sign-in profiles issue claims for

Given name
Emails
Identity provider
Object ID

Error from token endpoint:

{
    "error": "invalid_grant",
    "error_description": "AADSTS70000: Transmission data parser failure: Authorization Code is malformed or invalid. [...]",
    "error_codes": [
        70000
    ],
    [...]
}

Authorization request looks as follows:

AUTHORIZATION_ENDPOINT = 'https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize'

authorization_url = f'{AUTHORIZATION_ENDPOINT}' \
    f'?client_id={CLIENT_ID}' \
    f'&response_type=code' \
    f'&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcode' \
    f'&scope=openid offline_access' \
    f'&nonce=hellobob' \
    f'&p=B2C_1_<profile>'

Upon user authorization, authorization code is POSTed by API to token endpoint. Payload is represented as a Python dictionary.

TOKEN_ENDPOINT = 'https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token'
payload = {
    'p': 'B2C_1_<profile>',
    'client_id': CLIENT_ID,
    'client_secret': CLIENT_SECRET,
    'code': code,
    'grant_type': 'authorization_code',
    'redirect_uri': 'http://localhost:8000/code',
    'scope': 'openid offline_access'
}

response = requests.post(TOKEN_ENDPOINT, data=payload)

Daniel Dobalian Daniel Dobalian · Accepted Answer · 2017-10-18T17:54:43

This error generally means the auth code you've gotten is not meant for tokens on the specified endpoint. This can happen from misconfiguring the auth endpoints, registering the app in the wrong spot, or a malformed request. One thing to callout is most B2C errors are in the form of aadb2cxxxxx rather than the traditional Azure AD error format of aadstsxxxxx.

First thing to check with this error is your auth endpoints. From the snippets above, both look good.

Next thing is to make sure you're using the correct library to obtain the authorization code. You haven't shown the code on your client, but if it's using the ADAL library or v1.0 endpoints, your auth code will not be redeemable on the /v2.0/ endpoints.

I've also seen this happen when an app is registered in the incorrect blade within the Azure Portal. Make sure you registered an Azure AD B2C application rather than a plain Azure AD app.

If you've done this, I recommend trying 2 things:

Use a test B2C application from one of the code samples rather than your app registration and see if it works. If it does, you know you have a registration issue. This registration guide may help diagnose.
Do the request by hand using your app registration (rather than in code). This will help you understand if it's a code issue. Construct the request and use Curl or Postman, then exchange the code. The easy alternative is to plug in your configs into a sample.

Azure AD B2C returns AADSTS70000 error on token request

2 Answers