Azure AD B2C - How to fix token generation issue with scope=offline_access?

Chandrashekar, Anil (Cognizant) 0 Reputation points
2025-02-21T01:47:26.8533333+00:00

I have my Azure AD B2C set up to work with my application's authentication needs. I'm able to generate a token with scope=openid. However, when I try to use the offline_access scope to get a token, I get the error below. I'm using the Authorization Code grant type for this token request.

Error: invalid_grant, Description: AADB2C90085: The service has encountered an internal error

Attached screenshot: refreshtokenissue.png

Below are the technical profiles that I have in the TRUSTFRAMEWORKBASE.xml that are related to refresh tokens. Any input to solve this would be appreciated.

<ClaimsProvider>
  <DisplayName>Token Issuer</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="JwtIssuer">
      <DisplayName>JWT Issuer</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="client_id">{service:te}</Item>
        <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
        <Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
        <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
      </CryptographicKeys>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
<!--claims provider for refresh token revocation-->
<ClaimsProvider>
  <DisplayName>Refresh token journey</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="RefreshTokenReadAndSetup">
      <DisplayName>Trustframework Policy Engine Refresh Token Setup Technical Profile</DisplayName>
      <Protocol Name="None" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" />
        <OutputClaim ClaimTypeReferenceId="refreshTokenIssuedOnDateTime" />
      </OutputClaims>
    </TechnicalProfile>
    <TechnicalProfile Id="AAD-UserReadUsingObjectId-CheckRefreshTokenDate">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="refreshTokensValidFromDateTime" />
        <OutputClaim ClaimTypeReferenceId="displayName" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="AssertRefreshTokenIssuedLaterThanValidFromDate" />
      </OutputClaimsTransformations>
      <IncludeTechnicalProfile ReferenceId="AAD-UserReadUsingObjectId" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>


1 answer

  1. Imoh S. Etuk 180 Reputation points MVP
    2025-02-21T20:05:26.4566667+00:00

    Hi

    Sorry for the experience!

    Can you confirm whether it is an SPA or a Mobile App?

    Check that the "Allow public client flow" option is enabled if it is a public client, and ensure that offline_access is included in the scope parameter. Also, depending on the policy you're using (user flow or custom), you may need to check that offline_access is included in the API permissions if it's a user flow, and that offline_access is referenced in the RelyingParty if it is a custom policy.

    Do let me know if this helps!
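    To turn the checklist above into something repeatable, here is an added example (not code from the question, the answer, or Microsoft) that parses a custom-policy fragment and reports which refresh-token prerequisites are present, and that extracts the scopes actually sent on the /authorize request. The sample policy is constructed and mirrors the Ids and key names posted in the question; a real TrustFrameworkBase.xml declares the cpim namespace, which the helper strips.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed sample (not the poster's full file): only the refresh-token pieces
# of a TrustFrameworkBase.xml, wrapped in a root element so the fragment parses.
POLICY = """<TrustFrameworkPolicy>
 <ClaimsProvider><TechnicalProfiles>
  <TechnicalProfile Id="JwtIssuer">
   <Metadata>
    <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
   </Metadata>
   <CryptographicKeys>
    <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
    <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
   </CryptographicKeys>
  </TechnicalProfile>
  <TechnicalProfile Id="RefreshTokenReadAndSetup" />
  <TechnicalProfile Id="AAD-UserReadUsingObjectId-CheckRefreshTokenDate">
   <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="AssertRefreshTokenIssuedLaterThanValidFromDate" />
   </OutputClaimsTransformations>
  </TechnicalProfile>
 </TechnicalProfiles></ClaimsProvider>
</TrustFrameworkPolicy>"""

def _local(tag):
    # A real policy file declares the cpim namespace; drop it so Ids match either way.
    return tag.rsplit("}", 1)[-1]

def refresh_token_checks(policy_xml):
    """Return {check: bool} for each refresh-token prerequisite found in the policy."""
    root = ET.fromstring(policy_xml)
    profiles = {e.get("Id"): e for e in root.iter() if _local(e.tag) == "TechnicalProfile"}
    issuer = profiles.get("JwtIssuer")
    meta, keys = {}, set()
    if issuer is not None:
        meta = {i.get("Key"): (i.text or "").strip() for i in issuer.iter() if _local(i.tag) == "Item"}
        keys = {k.get("Id") for k in issuer.iter() if _local(k.tag) == "Key"}
    return {
        "jwt_issuer_present": issuer is not None,
        "identity_claim_type_set": bool(meta.get("issuer_refresh_token_user_identity_claim_type")),
        "refresh_token_key_present": "issuer_refresh_token_key" in keys,
        "setup_profile_present": "RefreshTokenReadAndSetup" in profiles,
        "revocation_profile_present": "AAD-UserReadUsingObjectId-CheckRefreshTokenDate" in profiles,
    }

def scopes_in_authorize_url(url):
    """Scopes actually sent on /authorize; offline_access must be among them."""
    return set(parse_qs(urlsplit(url).query).get("scope", [""])[0].split())
```

    Run refresh_token_checks over the real file and scopes_in_authorize_url over the request captured in the browser; any False value or a missing offline_access scope is the first thing to fix before looking at the service-side error.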

