DEV Community

Discussion on: How to use Azure AD B2C as IdP for Amazon Cognito

Marco Streng • Edited

Hi @virenderabbott1 ,

I was struggling with the same issue. The issuer URL 'login.microsoftonline.com' always ends up in the AAD UI and not in the AAD B2C UI (which we want to customize in our case).

After some exhausting hours and with the great help of AWS Support we were able to find a solution. B2C works with its predefined "User Flows". These flows are nice and easy to set up, but do not provide all the endpoints you need for OIDC. And this is why you are forced to create custom policies in B2C.

You can follow these steps from the official documentation:

  1. Create custom policies: docs.microsoft.com/en-us/azure/act...

  2. Create the userinfo endpoint: docs.microsoft.com/en-us/azure/act...

  3. Configure Cognito: Besides the issuer URL you also have to provide the four OIDC endpoints: Authorization, Token, JWKS and Userinfo. All of these required endpoints can be found under YOURTENANT.b2clogin.com/YOURTENANT.... As you can see, the URLs do not contain 'microsoftonline.com' anymore and end up on b2clogin.com instead. You also have to add 'offline_access' to the authorize scope in Cognito (See: docs.microsoft.com/en-us/azure/act...)

If you want to use custom UI templates you can follow these instructions: docs.microsoft.com/en-us/azure/act...

Thomas George • Edited

This guy here is a life saver, @marcostreng. Follow the steps mentioned above and make sure you add some more things.

1) Add the Application (client) ID of the web app that you created in Azure AD B2C to the authorization scope of the OIDC config in AWS Cognito

2) In the attribute mapping in AWS Cognito add signInNames.emailAddress and map it to the Email attribute of the user pool

3) The issuer URL should be in the following format: tenant-name.b2clogin.com/tenant-id...

And when you hit "Run discovery" it will fail and you will get the option to add the OIDC endpoints, which you get from the URL that @marcostreng mentioned (tenant-name.b2clogin.com/tenant-na...).

Once you add all the corresponding endpoints, then create the provider or update the provider, and that's it, it will work like a charm.

Once again a big thanks to @marcostreng for helping me solve this.