Azure AD B2C SSO between Apps

Question

we are trying to implement SSO for a couple of our apps to enable users to login once and then switch between apps seamlessly. To do that, we use Azure AD B2C to store our users and have been able to implement the login with our first app. However, we are now facing problems when the user switches to another app: it seems like without sending the user to the login policy and have him/her repeat the login procedure it is not possible to authorize the user in the second app.

Here's what we are currently doing:

1. User gets sent to the configured Login-Policy (https://login.microsoftonline.com/mytennant.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_webapp1_login&somemore=parameters) and logs in.
2. User gets sent back to our WebApp1 with both id_token and code parameters that we use to generate a user session in WebApp1
3. When user accesses WebApp2 we send over code from Step2 and use that in WebApp2 to request an access token from Azure AD B2C (https://login.microsoftonline.com/mytennant.onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_webapp2_login)

However when executing Step 3 we always get the following error from Azure:

AADB2C90088: The provided grant has not been issued for this endpoint. Actual Value : B2C_1_webapp1_login and Expected Value : B2C_1_webapp2_login

The error is pretty clear, but we just do not know how to work around this. We have read the documentation over and over again, but cannot find a clue on how to fix this.

So any help would be highly appreciated. Also please let me know if any further information is required and I am happy to add them.

Thanks,

Moritz

Answer 1

You cannot use a code generated from a different Policy. (See documentation - Get Token under "p" parameter.)

Is there a reason you are using a different policy for the second web app? You could just create a new Application within B2C and target it with the same policy used for App 1. Or you would need to repeat steps 1 and 2 for the second app and rely on SSO configuration.