Still having an issue. Trying to figure out if it's a config issue on CAS side or a setup issue on Azure AD side.
We are spinning up a new instance of Azure AD B2C. I was given an endpoint with an example payload to use to verify user credentials. Using Postman, that API works. But it does not appear CAS is doing the same.

API used via Postman, where b2c_xxx_ropc is the user policy flow:

POST /b2cxyz.xxxx.xxx/b2c_xxx_ropc/oauth2/v2.0/token HTTP/1.1
Host: xxxxxxx.b2clogin.com
Content-Type: application/x-www-form-urlencoded

body:
grant_type:password
scope:openid <my-client-id>
username:[email protected]
password:myPwd123
client_id:<my-client-id>
response_type:token id_token

I get back a token.

Now trying with CAS. For CAS, I'm using the below config for Azure AD:

cas.authn.azure-active-directory.client-id=<my-client-id>
cas.authn.azure-active-directory.login-url=https://xxxxxxx.b2clogin.com/b2cxyz.xxxx.xxx/b2c_xxx_ropc/oauth2/v2.0/token

Message in log:

[Invalid credentials: com.microsoft.aad.adal4j.AuthenticationException: Server returned HTTP response code: 404 for URL : https://xxxxxxx.b2clogin.com/common/userrealm/someuser@ .com?api-version=1.0, Error details : The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.]

Any assistance would be appreciated.

-psv

On Thursday, August 3, 2023 at 9:33:47 PM UTC-5 Pablo Vidaurri wrote:
> Not sure if there is a difference between Azure AD and Azure AD B2C. Is B2C supported in CAS 6.6.8?
>
> Looking at integrating with Azure AD B2C via my custom login page. I see a connection being made but always with the same error message. It feels like I need to define some attributes that are not supported until CAS 7.0.
>
> cas.authn.azure-active-directory.client-secret=xxxx
> cas.authn.azure-active-directory.tenant=xxx
> cas.authn.azure-active-directory.scope=xxx
>
> Error message:
> 2023-08-03 17:21:59,481 TRACE [org.apereo.cas.azure.ad.authentication.AzureActiveDirectoryAuthenticationHandler] - <Fetching token for [[email protected]]>
> 2023-08-03 17:21:59,493 DEBUG [org.apereo.cas.azure.ad.authentication.AzureActiveDirectoryAuthenticationHandler] - <Acquiring token for resource [https://graph.microsoft.com/] and client id [xxxxx] for user [[email protected]]>
> 2023-08-03 17:22:00,192 ERROR [com.microsoft.aad.adal4j.AuthenticationContext] - <[Correlation ID: xxxxx] Execution of class com.microsoft.aad.adal4j.AcquireTokenCallable failed.>
> com.microsoft.aad.adal4j.AuthenticationException: {"trace_id":"xxx","error_description":"AADSTS50034: The user account {EmailHidden} does not exist in the xxxxx.com directory. To sign into this application, the account must be added to the directory.Trace ID: xxxx Correlation ID: xxxxx Timestamp: 2023-08-03 22:22:00Z","correlation_id":"xxxxx","error":"invalid_grant","error_uri":"https:\/\/login.microsoftonline.com\/error?code=50034","timestamp":"2023-08-03 22:22:00Z"}
> at com.microsoft.aad.adal4j.AdalTokenRequest.executeOAuthRequestAndProcessResponse(AdalTokenRequest.java:128) ~[adal4j-1.6.7.jar!/:1.6.7]
> at com.microsoft.aad.adal4j.AuthenticationContext.acquireTokenCommon(AuthenticationContext.java:930) ~[adal4j-1.6.7.jar!/:1.6.7]
> at com.microsoft.aad.adal4j.AcquireTokenCallable.execute(AcquireTokenCallable.java:70) ~[adal4j-1.6.7.jar!/:1.6.7]
> at com.microsoft.aad.adal4j.AcquireTokenCallable.execute(AcquireTokenCallable.java:38) ~[adal4j-1.6.7.jar!/:1.6.7]
> at com.microsoft.aad.adal4j.AdalCallable.call(AdalCallable.java:47) ~[adal4j-1.6.7.jar!/:1.6.7]
> at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
> at java.lang.Thread.run(Thread.java:834) ~[?:?]
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG

---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f8217de6-bafe-48ac-ad98-a4dbee7c4ffcn%40apereo.org.
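The two requests in the thread differ in shape: the Postman call hits a B2C user-flow token endpoint with the policy name in the path, while the 404 in the CAS log shows the adal4j client doing user-realm discovery under /common/userrealm on the same host. The following is an added example, not code from the post or from CAS or adal4j, that builds the B2C ROPC request exactly as the post shows it and then checks a token response for the policy that issued it; the host, tenant, policy and client id are placeholders taken from the post, and the JWT helper only decodes claims for the check (it does not verify the signature).

```python
import base64
import json
from urllib.parse import urlencode


def b2c_ropc_token_url(host: str, tenant: str, policy: str) -> str:
    """Token endpoint of a B2C user flow: the policy is part of the path.
    This is what the post's Postman request calls, not /common/userrealm."""
    return f"https://{host}/{tenant}/{policy}/oauth2/v2.0/token"


def b2c_ropc_form(client_id: str, username: str, password: str) -> str:
    """Form body of the ROPC request, field for field as in the post."""
    return urlencode({
        "grant_type": "password",
        "scope": f"openid {client_id}",
        "username": username,
        "password": password,
        "client_id": client_id,
        "response_type": "token id_token",
    })


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(token_response: str) -> dict:
    """Extract the claims of the id_token in a token response.
    Signature is NOT verified here; do that against the policy's JWKS."""
    body = json.loads(token_response)
    payload = body["id_token"].split(".")[1]
    return json.loads(_b64url_decode(payload))


def check_policy(claims: dict, expected_policy: str) -> bool:
    """B2C records the user flow that issued the token in the tfp claim
    (older tokens use acr); require it to match the policy we called."""
    policy = claims.get("tfp") or claims.get("acr", "")
    return policy.lower() == expected_policy.lower()


def constructed_response(claims: dict) -> str:
    """Constructed sample only: an unsigned id_token carrying the claims."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    jwt = f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
    return json.dumps({"token_type": "Bearer", "id_token": jwt})
```

Comparing the URL this builds with the /common/userrealm URL in the CAS log makes the mismatch between the two flows visible before touching any CAS settings.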
