OpenIDC / mod_auth_openidc

OpenID Certified™ OpenID Connect Relying Party implementation for Apache HTTP Server 2.x
Apache License 2.0

How to configure token name received from OP? #174

Closed rockraft7 closed 8 years ago

rockraft7 commented 8 years ago

How to configure token name received from OP? I'm using Azure B2C, and they are returning id_token instead of access_token.

From the logs I saw this line:

oidc_proto_validate_code_response: requested flow is "code id_token" but no "access_token" parameter found in the code response,

This is response from OP /token endpoint:

{ "not_before":"1474599671", "token_type":"Bearer", **"id_token":"eyJ0eXAiOiJ...",** "id_token_expires_in":"3600", "profile_info":"eyJ2ZXIiOiIx...", "refresh_token":"eyJraWQiOiJj...", "refresh_token_expires_in":"1209600" }

Apparently the Azure team changed something, because their guide specifically mentions access_token instead of id_token.

https://azure.microsoft.com/en-gb/documentation/articles/active-directory-b2c-reference-oidc/#send-authentication-requests

Thank you

zandbelt commented 8 years ago

It may be that you're sending a different authentication request than documented. Can you show the part of the (debug) server log where it says:

oidc_proto_authorization_request: adding outgoing header: Location...

But as you mention: since the requested flow is code id_token and the id_token is returned already in the front-channel, the code must be used to obtain an access_token, not a second id_token.

If that is not the case then Azure B2C is not OpenID Connect compliant and that side should be fixed. But let's make sure that the authentication request is indeed a compliant OpenID Connect request and conforms to the settings that MS had documented wrt. response_mode and the proprietary p parameter; the latter can be added according to: https://github.com/pingidentity/mod_auth_openidc/wiki#13-how-can-i-add-custom-parameters-to-the-authorization-request

rockraft7 commented 8 years ago

Thanks for the quick response. Here is the outgoing header sent by the mod:

oidc_proto_authorization_request: adding outgoing header: Location: https://login.microsoftonline.com/test.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_apache_signin&response_type=code%20id_token&scope=openid%20offline_access&client_id=7dd4e373-1234-123b-b123-a944abab250b&state=ZBPcwV0PmnpTYSGAlUk4_pEB4u0&redirect_uri=https%3A%2F%2Flocalhost%2Ftest%2Flogin&nonce=95qitvDS1za2_nZNxiCBEu1wafa7ExnRh0_DVH71IDw&response_mode=form_post

zandbelt commented 8 years ago

That seems like a perfectly valid OIDC request to me and follows what is documented on that Azure B2C page. You'll have to talk to MS to find out why the behavior is different from what is documented. If you could report your findings here that would be great and I'll leave the ticket open for that.

zandbelt commented 8 years ago

Looking at the response some more, it seems totally off: there's a token_type of Bearer, and an *expires_in value (detached from the token itself) and a refresh_token; those are all access_token related values that don't apply to an id_token. So it looks like they've just swapped the token name by accident and what you're receiving is really an access_token. But as said, you should really take it up with MS.
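The two checks zandbelt describes, as an added example that is not part of this thread or of mod_auth_openidc: a relying-party-side validator that applies the rule that in the "code id_token" flow the code exchange must yield an access_token, and that flags the symptom he points out (bearer metadata attached to a value named id_token). The function names, the heuristic and the sample bodies are my own constructions; the verdict is diagnostic only and never accepts the misnamed token.

```python
import json

# Parameters a compliant OIDC token endpoint must return for a code exchange
REQUIRED_CODE_RESPONSE = ("access_token", "token_type")


def validate_code_response(response_type: str, body: str) -> dict:
    """Check a /token response against the requested response_type.
    In "code id_token" the id_token already arrived front-channel, so the
    code must produce an access_token. Returns a verdict, never a fix."""
    requested = set(response_type.split())
    resp = json.loads(body)
    verdict = {"ok": True, "errors": [], "hints": []}

    for key in REQUIRED_CODE_RESPONSE:
        if key not in resp:
            verdict["ok"] = False
            verdict["errors"].append(
                f'requested flow is "{response_type}" but no "{key}" '
                "parameter found in the code response")

    if {"code", "id_token"} <= requested and "id_token" in resp \
            and "access_token" not in resp:
        verdict["hints"].append(
            "id_token returned again; the front-channel already delivered "
            "it and the code was expected to produce an access_token")

    if looks_like_misnamed_access_token(resp):
        verdict["hints"].append(
            "token_type/expires_in/refresh_token present: the value named "
            "id_token looks like an access_token; report to the OP")
    return verdict


def looks_like_misnamed_access_token(resp: dict) -> bool:
    """Heuristic from the thread: bearer metadata around a non-access token."""
    has_lifetime = any(k.endswith("expires_in") for k in resp)
    return ("access_token" not in resp
            and resp.get("token_type", "").lower() == "bearer"
            and has_lifetime and "refresh_token" in resp)


# Constructed samples: one shaped like the response posted in the issue,
# one compliant token response for comparison
AZURE_LIKE = json.dumps({
    "not_before": "1474599671", "token_type": "Bearer",
    "id_token": "eyJ0eXAiOiJ...", "id_token_expires_in": "3600",
    "refresh_token": "eyJraWQiOiJj...", "refresh_token_expires_in": "1209600"})
COMPLIANT = json.dumps({"access_token": "at...", "token_type": "Bearer",
                        "expires_in": 3600, "refresh_token": "rt..."})
```

Running `validate_code_response("code id_token", AZURE_LIKE)` reproduces the log line from the issue as the single error and adds both hints; the compliant body yields no errors or hints.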

zandbelt commented 8 years ago

I'm closing it here. If you have any followup from MS, feel free to add it to the ticket.