ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,731 questions
Issue with Azure AD B2C Custom Policy: "Basic credentials specified for 'REST-fetchUserProfile-APAC' are invalid
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 56.00000000000001%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERG%3C/text%3E%3C/svg%3E)
Ray Garg
20
Reputation points
Description
I am working on an Azure AD B2C custom policy for the Global Identity Framework, designed to support traveling user sign-ins across multiple regions. This setup involves two major components Right now im only working on region tenant artifact, but this traveling user sign in case applies and has the same logic to both meaning the technical profiles used for both artifacts would be the same:
Funnel Tenant: Handles the initial user sign-in and routes the request based on the user's region.
Regional Tenant: Processes sign-ins for users registered in specific regions.
For users in the EMEA tenant, the sign-in process works as expected. However, when users registered in the APAC tenant attempt to sign in, the policy correctly identifies their region and routes the request to the REST-login-NonInteractive-APAC and REST-fetchUserProfile-APAC technical profiles. Unfortunately, it fails with the error: "Basic credentials specified for 'REST-fetchUserProfile-APAC' are invalid. Check that the credentials are correct and that access has been granted by the resource."
Custom Policy - Self-Asserted Local Account Sign-In Profile The first step in the user journey always begins with the SelfAsserted-LocalAccountSignin-Email profile, which includes the following configuration:
Below are the two key technical profiles for APAC users. Microsoft has provided these 2 profiles in their proof of concept documentations and i am following them exactly how they are listed. https://learn.microsoft.com/en-us/azure/active-directory-b2c/b2c-global-identity-proof-of-concept-funnel:
REST-login-NonInteractive-APAC: Responsible for authenticating the user in the APAC tenant via ROPC.
REST-fetchUserProfile-APAC: Fetches user profile details using a Graph API call.
Issue Details When an APAC user attempts to sign in:
The policy correctly identifies the user's region as "APAC" using the REST-regionLookup technical profile. The REST-login-NonInteractive-APAC profile successfully generates an access token (graph_bearerToken) using the ROPC flow. However, when the REST-fetchUserProfile-APAC technical profile attempts to use the graph_bearerToken to call the Graph API, it fails with the error: "Basic credentials specified for 'REST-fetchUserProfile-APAC' are invalid. Check that the credentials are correct and that access has been granted by the resource."
one thing additionally (not sure if this helps) is that i ran a curl command to obtain the access token so i can decode it in jwt.io. this is the test user in my apac tenant that i am attempting to login with in the emea tenant. here is the curl command:
curl -X POST "https://login.microsoftonline.com/zappsecincAdB2Capac.onmicrosoft.com/oauth2/v2.0/token"-H "Content-Type: application/x-www-form-urlencoded"-d "client_id=
Sign in to answer