Azure AD B2C - How to fix token generation issue with scope=offline_access ?

I have my azure ad b2c setup to work with my application's authentication needs. I'm able to generate token with scope=openid. However, when i try to use offline_access scope to get token i get below error. Im using Authorization Code grant type for this token request

Error: invalid_grant, Description: AADB2C90085: The service has encountered an internal error

Attached screenshot

refreshtokenissue.png

Below are the technical profiles that i have on the TRUSTFRAMEWORKBASE.xml that are related to refresh token. Any input to solve the would be appreciated.

<ClaimsProvider>      <DisplayName>Token Issuer</DisplayName>      <TechnicalProfiles>        <TechnicalProfile Id="JwtIssuer">          <DisplayName>JWT Issuer</DisplayName>          <Protocol Name="OpenIdConnect" />          <OutputTokenFormat>JWT</OutputTokenFormat>          <Metadata>            <Item Key="client_id">{service:te}</Item>            <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>            <Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>          </Metadata>          <CryptographicKeys>            <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />            <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />          </CryptographicKeys>          <UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" />        </TechnicalProfile>      </TechnicalProfiles>    </ClaimsProvider>    <!--claims provider for refresh token revocation-->    <ClaimsProvider>      <DisplayName>Refresh token journey</DisplayName>      <TechnicalProfiles>        <TechnicalProfile Id="RefreshTokenReadAndSetup">          <DisplayName>Trustframework Policy Engine Refresh Token Setup Technical Profile</DisplayName>          <Protocol Name="None" />          <OutputClaims>            <OutputClaim ClaimTypeReferenceId="objectId" />            <OutputClaim ClaimTypeReferenceId="refreshTokenIssuedOnDateTime" />          </OutputClaims>        </TechnicalProfile>        <TechnicalProfile Id="AAD-UserReadUsingObjectId-CheckRefreshTokenDate">          <OutputClaims>            <OutputClaim ClaimTypeReferenceId="refreshTokensValidFromDateTime" />            <OutputClaim ClaimTypeReferenceId="displayName" />          </OutputClaims>          <OutputClaimsTransformations>            <OutputClaimsTransformation ReferenceId="AssertRefreshTokenIssuedLaterThanValidFromDate" />          </OutputClaimsTransformations>          <IncludeTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId" />        </TechnicalProfile>      </TechnicalProfiles>    </ClaimsProvider>

1 answer

Imoh S. Etuk 185 Reputation points MVP

2025-02-21T20:05:26.4566667+00:00

Hi

Sorry for the experience!

Can you confirm whether it is an SPA or a Mobile App?

Check that the Allow public client flow is enabled if it is a public client and ensure the offline_access is included in the scope parameter. Also depending on the policy you're using (user flow or custom), you may need to check that the offline_access is included in the API permissions if it's user flow and also check that the offline_access is referenced in the RelyingParty if it is a custom policy.

Do let me know if this helps!
Please sign in to rate this answer.
Chandrashekar, Anil (Cognizant) 0 Reputation points

2025-02-21T20:22:24.41+00:00

Hi

offline_access has been included in API permission. And yes its a custom policy.

Below is the RelayingParty section from my custom policy. Can you pls help with more details on the offline_access reference to be included here?

Chandrashekar, Anil (Cognizant) 0 Reputation points

2025-02-21T20:23:26.2066667+00:00

Hi

offline_access has been included in API permission. And yes its a custom policy.

Below is the RelayingParty section from my custom policy. Can you pls help with more details on the offline_access reference to be included here?

Imoh S. Etuk 185 Reputation points MVP

2025-02-21T21:02:16.5866667+00:00

Hi,

Checking through the screenshots, I see that the offline_access is not included in the RelyingParty. Kindly modify the RelyingParty to include <OutputClaim ClaimTypeReferenceId="scope" DefaultValue="openid offline_access"

AlwaysUseDefaultValue="true" />

Also you need to open the TrustFrameworkExtensions.xml file and check that the offline_access claim is defined in the <ClaimType> section.

Lastlyt, check the TokenIssue Technical profile and ensure the offline_access is included too.

Chandrashekar, Anil (Cognizant) 0 Reputation points

2025-02-21T21:50:55.0366667+00:00

Sure Thanks for your input.

This is what i have in the TokenIssuer technical profile

Imoh S. Etuk 185 Reputation points MVP

2025-02-22T12:22:05.91+00:00

Thanks for sharing the screenshot. From the screenshot, your JwtIssuer profile is missing the OutputClaims section which is useful for issuing refresh tokens. You need to modify it.

Also, ensure refesh_token ClaimType is defined in your TrustFramewaorkExtensions.xml

If this answers your query, click Accept Answer and Up-Vote for the same. If you have any further queries do let us know.

Venkata Jagadeep 180 Reputation points Microsoft Vendor

2025-02-25T20:39:12.8466667+00:00

Hello Chandrashekar, Anil (Cognizant),

As mentioned by Imoh S. Etuk, did you get a chance to define refresh_token claimtype in your TrustFrameworkExtensions.xml and modify your OutputClaims section to include jwtissuer profile.

In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Chandrashekar, Anil (Cognizant) 0 Reputation points

2025-02-25T20:48:48.4533333+00:00

Hi Venkata Jagadeep,

Thank you for your response.

I'm not sure what attributes to be included in <OutPutClaims> and also defining refresh_token ClaimType in TrustFrameworkExtensions.xml file.

Would you be able to share sample base file and extension file which has these attributes defined ?

Thanks in advance!

Chandrashekar, Anil (Cognizant) 0 Reputation points

2025-02-25T20:53:06.9066667+00:00

Hi Venkata Jagadeep

I'm not sure what attributes to be included inside <OutPutClaims> section and also, refresh_token ClaimType to be defined in TrustFramewaorkExtensions.xml.

Would you be able to share a sample base and extension file that has these attributes defined for better understanding?

Thanks in advance!

Venkata Jagadeep 180 Reputation points Microsoft Vendor

2025-02-26T21:55:26.0266667+00:00

Hello Chandrashekar, Anil (Cognizant),

In your custom policy, you have to add offline_access in relying party.

Please include the below in your custom policy under relying party.

<OutputClaim ClaimTypeReferenceId="scope" DefaultValue="openid offline_access"

Need to include offline_access in token issuer Technical Profile in Azure AD B2C Custom Policy as mentioned below.

<Item Key="scope">openid profile offline_access</Item>

I request you to check the manifest file and make sure that the value of "signInAudience" is "AzureADandPersonalMicrosoftAccount"

Make sure to add offline_access in Identity Experience Framework and Proxy Identity.

Navigate to above two apps and under Permissions, select the Grant admin consent to openid and offline_access permissions check box

Reference :

https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#register-the-identityexperienceframework-application
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure AD B2C - How to fix token generation issue with scope=offline_access ?

1 answer

Your answer