ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,738 questions
Issue with Azure AD B2C Custom Policy: "Basic credentials specified for 'REST-fetchUserProfile-APAC' are invalid
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 56.00000000000001%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERG%3C/text%3E%3C/svg%3E)
Ray Garg
20
Reputation points
Description
I am working on an Azure AD B2C custom policy for the Global Identity Framework, designed to support traveling user sign-ins across multiple regions. This setup involves two major components Right now im only working on region tenant artifact, but this traveling user sign in case applies and has the same logic to both meaning the technical profiles used for both artifacts would be the same:
Funnel Tenant: Handles the initial user sign-in and routes the request based on the user's region.
Regional Tenant: Processes sign-ins for users registered in specific regions.
For users in the EMEA tenant, the sign-in process works as expected. However, when users registered in the APAC tenant attempt to sign in, the policy correctly identifies their region and routes the request to the REST-login-NonInteractive-APAC and REST-fetchUserProfile-APAC technical profiles. Unfortunately, it fails with the error: "Basic credentials specified for 'REST-fetchUserProfile-APAC' are invalid. Check that the credentials are correct and that access has been granted by the resource."
Custom Policy - Self-Asserted Local Account Sign-In Profile The first step in the user journey always begins with the SelfAsserted-LocalAccountSignin-Email profile, which includes the following configuration:
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
<DisplayName>Local Account Signin</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="SignUpTarget">SignUpWithLogonEmailExchange</Item>
<Item Key="setting.operatingMode">Email</Item>
<Item Key="ContentDefinitionReferenceId">api.localaccountsignin</Item>
<Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
<Item Key="setting.forgotPasswordLinkOverride">ForgotPasswordExchange</Item>
</Metadata>
<IncludeInSso>false</IncludeInSso>
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName" DefaultValue="{OIDC:LoginHint}" AlwaysUseDefaultValue="true" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="signInName" Required="true" />
<OutputClaim ClaimTypeReferenceId="password" Required="true" />
<OutputClaim ClaimTypeReferenceId="objectId" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" />
</OutputClaims>
<ValidationTechnicalProfiles>
<!-- <ValidationTechnicalProfile ReferenceId="REST-getTokenforExternalApiCalls" /> -->
<ValidationTechnicalProfile ReferenceId="REST-regionLookup" />
<ValidationTechnicalProfile ReferenceId="login-NonInteractive">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="false">
<Value>region</Value>
<Value>EMEA</Value>
<Action>SkipThisValidationTechnicalProfile</Action>
</Precondition>
</Preconditions>
</ValidationTechnicalProfile>
<ValidationTechnicalProfile ReferenceId="REST-login-NonInteractive-APAC">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="false">
<Value>region</Value>
<Value>APAC</Value>
<Action>SkipThisValidationTechnicalProfile</Action>
</Precondition>
</Preconditions>
</ValidationTechnicalProfile>
<ValidationTechnicalProfile ReferenceId="REST-fetchUserProfile-APAC">
<Preconditions>
<Precondition Type="ClaimEquals" ExecuteActionsIf="false">
<Value>region</Value>
<Value>APAC</Value>
<Action>SkipThisValidationTechnicalProfile</Action>
</Precondition>
</Preconditions>
</ValidationTechnicalProfile>
</ValidationTechnicalProfiles>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>
Below are the two key technical profiles for APAC users. Microsoft has provided these 2 profiles in their proof of concept documentations and i am following them exactly how they are listed. https://learn.microsoft.com/en-us/azure/active-directory-b2c/b2c-global-identity-proof-of-concept-funnel:
REST-login-NonInteractive-APAC: Responsible for authenticating the user in the APAC tenant via ROPC.
<TechnicalProfile Id="REST-login-NonInteractive-APAC">
<DisplayName>non interactive authentication to APAC</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ServiceUrl">https://login.microsoftonline.com/zappsecincAdB2Capac.onmicrosoft.com/oauth2/v2.0/token</Item>
<Item Key="AuthenticationType">None</Item>
<Item Key="SendClaimsIn">Form</Item>
<Item Key="AllowInsecureAuthInProduction">true</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="apac_client_id" PartnerClaimType="client_id" DefaultValue="fb40528b-8db9-42f3-90a2-b119f00d9645" />
<InputClaim ClaimTypeReferenceId="ropc_grant_type" PartnerClaimType="grant_type" DefaultValue="password" />
<InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" />
<InputClaim ClaimTypeReferenceId="password" />
<InputClaim ClaimTypeReferenceId="scope" DefaultValue="https://graph.microsoft.com/.default" AlwaysUseDefaultValue="true" />
<InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="graph_bearerToken" PartnerClaimType="access_token" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
REST-fetchUserProfile-APAC: Fetches user profile details using a Graph API call.
<TechnicalProfile Id="REST-fetchUserProfile-APAC">
<DisplayName>fetch user profile cross tenant</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ServiceUrl">https://graph.microsoft.com/beta/me</Item>
<Item Key="AuthenticationType">Bearer</Item>
<Item Key="UseClaimAsBearerToken">graph_bearerToken</Item>
<Item Key="SendClaimsIn">Url</Item>
<Item Key="DebugMode">true</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="graph_bearerToken" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="id" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surName" />
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
Issue Details When an APAC user attempts to sign in:
The policy correctly identifies the user's region as "APAC" using the REST-regionLookup technical profile. The REST-login-NonInteractive-APAC profile successfully generates an access token (graph_bearerToken) using the ROPC flow. However, when the REST-fetchUserProfile-APAC technical profile attempts to use the graph_bearerToken to call the Graph API, it fails with the error: "Basic credentials specified for 'REST-fetchUserProfile-APAC' are invalid. Check that the credentials are correct and that access has been granted by the resource."
one thing additionally (not sure if this helps) is that i ran a curl command to obtain the access token so i can decode it in jwt.io. this is the test user in my apac tenant that i am attempting to login with in the emea tenant. here is the curl command:
curl -X POST "https://login.microsoftonline.com/zappsecincAdB2Capac.onmicrosoft.com/oauth2/v2.0/token"-H "Content-Type: application/x-www-form-urlencoded"-d "client_id=<b2cappidinapactenanthere>"-d "grant_type=password"-d "username=<myusernamehere>" -d "password=<passwordhere>"-d "scope=openid" -d "nca=1"
this generates an access token, for which when decoding in jwt.io i get this. im not sure if its an issue but i dont see user.readwrite.all or directory.readwrite.all in the scp claim:
"scp": "openid profile email",
Steps Taken Verified the App Registration:
API Permissions: Added User.ReadWrite.All and Directory.ReadWrite.All permissions to the app. Admin Consent: Granted admin consent for all permissions. Authentication Settings: Enabled public client flows (for ROPC). Verified Input Claims:
The scope is set to https://graph.microsoft.com/.default in both REST-login-NonInteractive-APAC and REST-fetchUserProfile-APAC. Debugged via Application Insights:
Confirmed that the REST-login-NonInteractive-APAC profile successfully returns an access token. The error occurs when the REST-fetchUserProfile-APAC profile uses the token to fetch user details. Reviewed Microsoft Documentation:
Followed the recommended structure for global identity framework policies, including ROPC authentication and cross-tenant Graph API calls.
Questions Are there specific additional configurations needed in the APAC tenant's app registration to allow the REST-fetchUserProfile-APAC profile to successfully call the Graph API using the token? Could the issue be related to the way the graph_bearerToken is being passed as a bearer token in REST-fetchUserProfile-APAC? Are there other ways to debug or trace the root cause of the "Basic credentials invalid" error in this scenario?
relevant logs from app insights:
{ "Key": "ValidationTechnicalProfile", "Value": { "Values": [ { "Key": "TechnicalProfileId", "Value": "REST-regionLookup" }, { "Key": "MappingPartnerTypeForClaim", "Value": { "PartnerClaimType": "signInName", "PolicyClaimType": "signInName" } } ] } }, { "Key": "Precondition", "Value": { "$id": "1", "Type": 1, "ExecuteActionsIf": false, "ActionTypes": [ 1 ], "Values": [ "region", "EMEA" ] } }, { "Key": "SkippingStep", "Value": "login-NonInteractive" }, { "Key": "Precondition", "Value": { "$id": "2", "Type": 1, "ExecuteActionsIf": false, "ActionTypes": [ 1 ], "Values": [ "region", "APAC" ] } }, { "Key": "TechnicalProfileEnabled", "Value": { "EnabledRule": "Always", "EnabledResult": true, "TechnicalProfile": "REST-login-NonInteractive-APAC" } }, { "Key": "ValidationTechnicalProfile", "Value": { "Values": [ { "Key": "TechnicalProfileId", "Value": "REST-login-NonInteractive-APAC" }, { "Key": "MappingDefaultValueForClaim", "Value": { "PartnerClaimType": "client_id", "PolicyClaimType": "apac_client_id" } }, { "Key": "MappingDefaultValueForClaim", "Value": { "PartnerClaimType": "grant_type", "PolicyClaimType": "ropc_grant_type" } }, { "Key": "MappingPartnerTypeForClaim", "Value": { "PartnerClaimType": "username", "PolicyClaimType": "signInName" } }, { "Key": "MappingPartnerTypeForClaim", "Value": { "PartnerClaimType": "password", "PolicyClaimType": "password" } }, { "Key": "MappingDefaultValueForClaim", "Value": { "PartnerClaimType": "scope", "PolicyClaimType": "scope" } }, { "Key": "MappingDefaultValueForClaim", "Value": { "PartnerClaimType": "nca", "PolicyClaimType": "nca" } } ] } }, { "Key": "Precondition", "Value": { "$id": "3", "Type": 1, "ExecuteActionsIf": false, "ActionTypes": [ 1 ], "Values": [ "region", "APAC" ] } }, { "Key": "TechnicalProfileEnabled", "Value": { "EnabledRule": "Always", "EnabledResult": true, "TechnicalProfile": "REST-fetchUserProfile-APAC" } }, { "Key": "ValidationTechnicalProfile", "Value": { "Values": [ { "Key": "TechnicalProfileId", "Value": "REST-fetchUserProfile-APAC" }, { "Key": "MappingPartnerTypeForClaim", "Value": { "PartnerClaimType": "graph_bearerToken", "PolicyClaimType": "graph_bearerToken" } } ] } }, { "Key": "Exception", "Value": { "Kind": "Handled", "HResult": "80131500", "Message": "ErrorCodes: AADB2C90027", "Data": { "IsPolicySpecificError": false } } } ] } } ] },
I would appreciate any insights or recommendations to resolve this issue. Thank you in advance!
{count} votes
-
Ray Garg 20 Reputation points
2025-01-13T14:14:55.18+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 55.00000000000001%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Sanoop M 175 Reputation points Microsoft Vendor2025-01-13T23:47:48.5633333+00:00 Hello @Ray Garg ,
Thank you for posting your query on Microsoft Q&A.
When I was reviewing your issue description, I understand that you were getting this error AADB2C90027 "Basic credentials specified for 'REST-fetchUserProfile-APAC' are invalid. Check that the credentials are correct and that access has been granted by the resource."
Based on the above mentioned error, please make sure whether you have completed the configuration of an API Connector with HTTP basic authentication by following these below mentioned steps:
- Sign in to the Azure portal.
- Under Azure services, select Azure AD B2C or search for and select Azure AD B2C.
- Select API connectors, and then select the API Connector you want to configure.
- For the Authentication type, select Basic.
- Provide the Username, and Password of your REST API endpoint.
- Select Save.
Please refer to the below documents which explains about the same error(AADB2C90027) which you are getting and the above mentioned steps.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/error-codes
Please refer to the below document to follow the steps of configuring a REST API technical profile with HTTP basic authentication.
I hope the above information provided is helpful. Please do let us know the outcome after performing the above mentioned steps.
Thanks and Regards,
Sanoop Mohan
-
Ray Garg 20 Reputation points
2025-01-14T08:58:34.9966667+00:00 hi @Sanoop M
you can see the profiles ive pasted there for rest-login-noninteractive-apac, and rest-fetchuserprofile-apac. the rest-loginnoninteractive-apac profile outputs a bearer token while the rest-fetchuserprofile-apac uses that bearer token. While the idea was suggested using api connectors, i was a bit confused on where would i use the api connector? in the rest-fetchuserprofile-apac profile. cna u please give me the exact line change? but then wouldnt the authentication type have to change to basic? that doesnt make sense becuase right now its using the bearer as authentication type. everything is detailed where i already posted the question. b2c app registration in my apac tenant is having the correct client id is already pasted in inputclaim section of rest-loginnoninteractive-apac profile. also, the app registration in portal has user.readwrite.all and dreictory.readwrite.all, and has allow pubic client flows under authnetication checkmarked to yes in case i need that in case of ropc. please give me the right answer for this !!!!
Sign in to comment
Sign in to answer