
AWS Cognito OIDC provider fails with "error_description=No+access+token+in+OAuth+IdP+response" when federating with Azure AD B2C Custom Policy

0

I’m configuring an OIDC identity provider in an AWS Cognito user pool to federate with Azure AD B2C using a custom policy.

Discovery endpoint used in Cognito (from the custom policy): "https://iamgldev....gin.com/6b3de.....db29/b2...gninujr/v2.0/.well-known/openid-configuration"

Cognito picked up (manual configuration succeeds):

  • Issuer: https://iamgldevaadb2c01.b2clogin.com/6b3d...db29/b2c_...igninujr
  • Authorization endpoint: https://iamgldevaad...gin.com/iamgldevaadb2c01.onmicrosoft.com/B2C_....TSIGNINUJR/oauth2/v2.0/authorize
  • Token endpoint: https://iamgldevaa...ogin.com/iamgldevaadb2c01.onmicrosoft.com/b2c....ninujr/oauth2/v2.0/token
  • JWKS URI: https://iamgldev.....b2clogin.com/iamgldeva....microsoft.com/b2c_....tsigninujr/discovery/v2.0/keys

Problem

The discovery document’s issuer is: https://iamglde...2clogin.com/6b3de......c3db29/v2.0/

When signing in via the hosted UI, Azure AD B2C authenticates and redirects back to Cognito, but Cognito fails with:

error_description=No+access+token+in+OAuth+IdP+response

Hypothesis

Cognito expects the token’s iss to match the issuer it inferred from the discovery URL (which includes the policy segment), but Azure AD B2C emits an iss without the policy for this custom policy, causing validation to fail and leading to the “No access token in OAuth IdP response”.

Questions

  • Is this hypothesis correct?
  • In Azure AD B2C custom policies, is there a supported way to make the iss claim include the policy name? Or is the policy-less issuer in tokens a known/intentional behavior?
  • If the issuer cannot include the policy, what’s the recommended approach to federate Azure AD B2C custom policies with AWS Cognito?
Asked 3 months ago, 90 views

2 answers
0

The error "No access token in OAuth IdP response" typically occurs when Amazon Cognito is unable to properly process the response from your external identity provider (in this case, Azure AD B2C).

Your hypothesis about the issuer mismatch is likely correct. When Cognito configures an OIDC provider, it expects the tokens returned by the IdP to have an "iss" claim that exactly matches the issuer URL from the discovery document. In your case, there's a discrepancy between what Cognito expects (with the policy name included) and what Azure AD B2C is actually providing (without the policy name).

This is a known behavior with Azure AD B2C custom policies. The issuer in the tokens typically doesn't include the policy name segment, while the discovery endpoint URL does include it.

To resolve this issue, you have a few options:

  1. Use the File Metadata approach instead of URL Metadata in your Cognito configuration. Download the OpenID configuration file manually, modify the issuer value to match what Azure AD B2C will actually use in tokens, and upload this modified file to Cognito.

  2. Check if your Azure AD B2C custom policy can be modified to include the policy name in the token issuer claim. This would involve customizing the token issuance in your custom policy XML.

  3. Configure your Cognito app client to specifically include the external IdP. In the Cognito console, go to your User Pool, select "App clients" under "Applications", choose your app client, go to the "Login Pages" tab, and ensure your Azure AD B2C IdP is added as an identity provider.

  4. If possible, consider using Azure AD B2C built-in user flows instead of custom policies, as they might have better compatibility with Cognito's expectations.

If these approaches don't resolve the issue, you may need to open a support case with AWS to get more detailed error information and assistance specific to your configuration.
Sources:
Managed login and federation error responses - Amazon Cognito
Cognito User Pool SAML Federation throwing Unable to contact the configured provider | AWS re:Post
Cognito User Pool External Identity Provider (Auth0) Returns Error at /oauth2/idpresponse | AWS re:Post

Answered 3 months ago
0

As an update to this question: I was able to obtain an access_token by adding the client ID value to the authorized scope values in AWS Cognito. The refresh_token appears when I include the offline_access scope. The message “No access token in OAuth IdP response” means exactly what it says—there was no access token returned in the response from Azure B2C.

Answered 3 months ago
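As an added diagnostic example (not code from AWS, Microsoft or either participant in this thread), the following Python script checks the three things the question and both answers turn on: whether the discovery document's issuer is identical to the URL prefix it was fetched from (OpenID Connect Discovery 1.0, section 4.3, requires this), whether an id_token's iss claim exactly matches that issuer, and whether the token response actually contains access_token and refresh_token for the scopes that were requested. Every tenant name, tenant ID, client ID, URL and token in it is a constructed placeholder standing in for the redacted values in the question; the two scenario functions model the openid-only request from the question and the client-ID-plus-offline_access request from the update.

```python
"""Diagnose why an OIDC IdP response may be rejected by a relying party such as Cognito.

Added example for this thread, not AWS, Microsoft or re:Post code.
All tenant names, IDs, URLs and tokens below are constructed placeholders.
"""
import base64
import json

WELL_KNOWN = "/.well-known/openid-configuration"
# Scopes that do not name a resource; on their own they yield no access token from B2C (per the update).
STANDARD_SCOPES = {"openid", "profile", "email", "offline_access"}


def issuer_implied_by_discovery_url(discovery_url: str) -> str:
    """OIDC Discovery 1.0 section 4.3: the document's 'issuer' must be identical to the
    URL prefix that was used before /.well-known/openid-configuration."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("not an OIDC discovery URL")
    return discovery_url[: -len(WELL_KNOWN)]


def b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding, as used in compact JWS segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_jwt_claims(token: str) -> dict:
    """Read the payload of a compact JWS without checking the signature.
    Diagnostics only: an unverified claim set must never drive an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def diagnose_idp_response(discovery_url, discovery_doc, requested_scopes, token_response):
    """Return a list of (code, detail) findings; an empty list means nothing looked wrong."""
    findings = []
    implied = issuer_implied_by_discovery_url(discovery_url)
    doc_issuer = discovery_doc.get("issuer", "")
    if doc_issuer != implied:  # exact string comparison, trailing slash included
        findings.append(("discovery_issuer_mismatch",
                         f"document issuer {doc_issuer!r} != URL-implied issuer {implied!r}"))

    id_token = token_response.get("id_token")
    if id_token is None:
        findings.append(("missing_id_token", "token response has no id_token"))
    else:
        iss = unverified_jwt_claims(id_token).get("iss")
        if iss != doc_issuer:
            findings.append(("id_token_iss_mismatch",
                             f"id_token iss {iss!r} != discovery issuer {doc_issuer!r}"))

    scopes = set(requested_scopes)
    if "access_token" not in token_response:
        findings.append(("missing_access_token", "token response has no access_token"))
        if not (scopes - STANDARD_SCOPES):
            findings.append(("no_resource_scope",
                             "only identity scopes requested; B2C issued an access token in the "
                             "thread only after the app's client ID was added to the scopes"))
    if "refresh_token" not in token_response and "offline_access" not in scopes:
        findings.append(("missing_refresh_token", "no refresh_token and offline_access not requested"))
    return findings


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed test token with alg 'none' and an empty signature.
    Such tokens exist here only to feed unverified_jwt_claims; never accept them in production."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return header + "." + enc(claims) + "."


# Constructed stand-ins for the redacted values in the question.
TENANT = "example-tenant"
TENANT_ID = "00000000-0000-0000-0000-000000000000"
POLICY = "b2c_1a_example_signin"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
DISCOVERY_URL = f"https://{TENANT}.b2clogin.com/{TENANT_ID}/{POLICY}/v2.0{WELL_KNOWN}"
DISCOVERY_DOC = {
    # Same shape as in the question: the issuer omits the policy segment, the URL includes it.
    "issuer": f"https://{TENANT}.b2clogin.com/{TENANT_ID}/v2.0/",
    "jwks_uri": f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{POLICY}/discovery/v2.0/keys",
}


def failing_scenario():
    """openid-only scope: models the request that produced the error in the question."""
    resp = {"id_token": make_unsigned_jwt({"iss": DISCOVERY_DOC["issuer"], "aud": CLIENT_ID})}
    return diagnose_idp_response(DISCOVERY_URL, DISCOVERY_DOC, ["openid"], resp)


def working_scenario():
    """client ID in scope plus offline_access: models the update that obtained both tokens."""
    resp = {
        "id_token": make_unsigned_jwt({"iss": DISCOVERY_DOC["issuer"], "aud": CLIENT_ID}),
        "access_token": make_unsigned_jwt({"iss": DISCOVERY_DOC["issuer"], "aud": CLIENT_ID, "scp": "read"}),
        "refresh_token": "constructed-opaque-refresh-token",
    }
    return diagnose_idp_response(DISCOVERY_URL, DISCOVERY_DOC, ["openid", "offline_access", CLIENT_ID], resp)


if __name__ == "__main__":
    for name, scenario in (("failing", failing_scenario), ("working", working_scenario)):
        print(name, [code for code, _ in scenario()] or ["no findings"])
```

Run as a script it prints the finding codes for both scenarios. The working scenario still reports discovery_issuer_mismatch: that is consistent with the update above, where the message meant exactly what it said and the missing resource scope, not the issuer, was what kept the access token out of the response. The issuer deviation is still worth logging, because any relying party that derives its expected issuer from the discovery URL, as the question's hypothesis assumes Cognito does, will reject tokens from such a policy.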
