Azure B2C: Use Authorization Code flow (without Implicit flow) gives error

[vtrphan]

Your question

I'm trying to use Azure B2C Authorization Code flow with OAuth 2.0 and i got the access token / id token v2.0. After that NextAuth tries to use this access token v2.0 against the Graph endpoint at : https://graph.microsoft.com/oidc/userinfo in order to fetch the user profile.
The problem is that this endpoint expect to see a claim called 'x5t' in the token, which is only available in v1.0. In v2.0 tokens there is no x5t claim, so the request fails and NextAuth returns with an error.

I can't skip this step to fetch the user profile. If i remove the profileUrl from the Provider configurations , NextAuth will just return an INVALID ARG error.

I know that this seems to be a problem from Microsoft itself, but how can i skip this profile fetching step from NextAuth, so that the error doesn't occur?

This part of the code from NextAuth that fetch the user profile:

async function getOAuth2 (provider, accessToken, results) {
  let url = provider.profileUrl
  const headers = { ...provider.headers }

  if (this._useAuthorizationHeaderForGET) {
    headers.Authorization = this.buildAuthHeader(accessToken)

    // Mail.ru & vk.com require 'access_token' as URL request parameter
    if (['mailru', 'vk'].includes(provider.id)) {
      const safeAccessTokenURL = new URL(url)
      safeAccessTokenURL.searchParams.append('access_token', accessToken)
      url = safeAccessTokenURL.href
    }

    // This line is required for Twitch
    if (provider.id === 'twitch') {
      headers['Client-ID'] = provider.clientId
    }
    accessToken = null
  }

  if (provider.id === 'bungie') {
    url = prepareProfileUrl({ provider, url, results })
  }

  return new Promise((resolve, reject) => {
    this._request('GET', url, headers, null, accessToken, (error, profileData) => {
      if (error) {
        return reject(error)
      }
      resolve(profileData)
    })
  })
}

What are you trying to do

I'm trying to authenticate with Azure B2C using Authorization Code flow with OAuth 2.0

Reproduction

Feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.

• Found the documentation helpful
• Found documentation but was incomplete
• Could not find relevant documentation
• Found the example project helpful
• Did not find the example project helpful

[erhankaradeniz]

I've implemented the azure-ad-b2c login and did not face this issue, I think you might be doing something wrong. Could you share your code?

[aayushbisen]

Hi @erhankaradeniz is there any public repo of the implementation you made? I am trying with the latest beta and it gives JWT not active error.