A customer reached out the other day as they were unable to make Azure Active Directory B2C work with Salesforce for single-sign-on using OpenID Connect (OIDC). They were seeing a
No_Oauth_Token error and couldn’t make it work so they asked if I would look into it.
After spending a bit of time I was able to make it work. First step was to add the Application ID of the app in Azure as a scope in the Auth. Provider configuration in Salesforce. That removed the
No_Oauth_Token error but the authentication to Salesforce still failed. The reason was that Salesforce was attempting to reach our the
userinfo-endpoint which wasn’t specified as a
userinfo-endpoint is not provided by Azure Active Directory B2C when using a standard policy (a policy is how the authentication flow is configured on the Azure side). As no
userinfo-endpoint was provided the solution I came up with was to build a small simple web application that could be a stand-in for that missing endpoint.
userinfo endpoint of the web app is called from Salesforce after the user has been authenticated through Azure Active Directory B2C but before the user is let into Salesforce. Salesforce will provide a Bearer token in the
Authorization header. The Bearer token is the signed JWT from Azure Active Directory B2C.
The endpoint will do the following:
- Verify the signature of the JWT by getting the key ID (
kid) from the JWT header, then attempt to find the key among the keys loaded from the
.wellknownendpoint in Azure when the app started, extract the public key if found and verify the JWT signature
- Once the signature has been verified it returns a JSON response with a single claim being the subject identifier (
- The Registration Handler on the Salesforce side can then use this subject identifier to lookup the User record in Salesforce and return it to complete the authentication
The web app is available in a repo on Github (https://github.com/lekkimworld/userinfo-endpoint-for-salesforce-with-azure-ad-b2c). The repo also contains a sample Registration Handler.