Kevin Beye asked

OpenID Connect issuer configuration mismatch

I am currently doing some R&D work for some future games that some friends and I want to develop, and one thing that was for sure is that we wanted users to easily access games with their own user accounts from our studio, which is a reason why we wanted to add an OpenID Connect provider to our games through PlayFab.

Since my own knowledge comes from cloud providers, I chose to add Azure AD B2C as the OpenID provider, which on the Unity side (the engine I'm using) works fine: I'm able to open a webpage inside the app, let the user log in, and return with the access token. Now when I'm trying to execute the login with OpenID (I'll follow with a code example), I get the error that it can't get the configuration as required. Which, if you check the URL they used, is understandably incorrect.

My login code:

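// requires: using PlayFab; using PlayFab.ClientModels;
LoginWithOpenIdConnectRequest req = new LoginWithOpenIdConnectRequest
{
    ConnectionId = "Azure B2C", // <-- the name of my OpenID configuration
    TitleId = "my title ID",
    IdToken = "my id token"
};
PlayFabClientAPI.LoginWithOpenIdConnect(req,
    result => { /* success handler (body not shown in the post) */ },
    error => { /* error handler (body not shown in the post) */ });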

Simple login code that does not really do anything weird here. On the PlayFab admin portal however... what I found out is that when you enter the Issuer (a.k.a. where the configuration comes from) the URL gets cut off, which before it's cut/altered works, but after is an unknown resource...

"https://{TENANT}{TENANT}{POLICY}/v2.0/.well-known/openid-configuration" becomes "https://{TENANT}{ID}/v2.0/"

One thing to note is that the original URL is an Azure AD B2C OpenID Connect doc with metadata, whilst the one it saves as in the end is an Azure AD OpenID Connect doc with metadata.

Kinda stuck with this issue, some help would be amazing <3

Able to reply with more specifics if needed :) I just hope this sketches the problem.


1 Answer

JayZuo answered

The first URL "https://{TENANT}{TENANT}{POLICY}/v2.0/.well-known/openid-configuration" is the Discovery document URL, while the second URL "https://{TENANT}{ID}/v2.0/" is the actual Issuer. Thus, the information displayed in Game Manager is right.

The problem here is that PlayFab expects the metadata to be available at the path formed by concatenating the string "/.well-known/openid-configuration" to the Issuer. However, Azure AD B2C doesn't follow the protocol.

To work around this issue, you can try using Admin APIs like Admin/CreateOpenIdConnection to set up the OpenID Connection. With the APIs, we can provide IssuerInformation directly instead of using the discovery document URL.
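
The mismatch described in this answer, and a request body for the suggested Admin/CreateOpenIdConnection workaround, as an added example that is not part of the original answer or PlayFab's own code. All URLs, keys and IDs are constructed, and the IssuerInformation field names are an assumption to check against the current Admin API reference.

```python
import json

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample values (not from the post): the metadata is served under a
# policy-specific path, but the document itself names a different issuer.
SAMPLE_DISCOVERY_URL = "https://login.example.test/contoso/B2C_1_signin/v2.0" + WELL_KNOWN
SAMPLE_METADATA = {
    "issuer": "https://login.example.test/00000000-0000-0000-0000-000000000000/v2.0/",
    "authorization_endpoint": "https://login.example.test/contoso/B2C_1_signin/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.example.test/contoso/B2C_1_signin/oauth2/v2.0/token",
}
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "constructed-key", "use": "sig",
                         "n": "constructed-modulus", "e": "AQAB"}]}


def derived_discovery_url(issuer):
    """Where a relying party looks: issuer, minus any trailing '/', plus the well-known path."""
    return issuer.rstrip("/") + WELL_KNOWN


def discovery_matches_issuer(discovery_url, metadata):
    """False means discovery from the issuer alone will not find the metadata."""
    return derived_discovery_url(metadata["issuer"]) == discovery_url


def build_create_connection_body(connection_id, client_id, client_secret, metadata, jwks):
    """Body for Admin/CreateOpenIdConnection with IssuerInformation given directly."""
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if not str(metadata.get(key, "")).startswith("https://"):
            raise ValueError(f"{key} must be an https URL")
    if not jwks.get("keys"):
        raise ValueError("JWKS has no keys, so ID token signatures cannot be verified")
    return {
        "ConnectionId": connection_id,
        "ClientId": client_id,
        "ClientSecret": client_secret,
        "IssuerInformation": {  # field names are an assumption; verify in the API reference
            "Issuer": metadata["issuer"],
            "AuthorizationUrl": metadata["authorization_endpoint"],
            "TokenUrl": metadata["token_endpoint"],
            "JsonWebKeySet": jwks,
        },
    }


if __name__ == "__main__":
    print("discovery matches issuer:", discovery_matches_issuer(SAMPLE_DISCOVERY_URL, SAMPLE_METADATA))
    body = build_create_connection_body("Azure B2C", "<client-id>", "<client-secret>", SAMPLE_METADATA, SAMPLE_JWKS)
    print(json.dumps(body, indent=2))
```

Admin API calls are authenticated with the title's secret key, so send this body from a trusted machine or build script and never from the game client.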


Kevin Beye commented

Going to try this straight away, if this helps you're my man!

Kevin Beye commented

First of all, thanks a lot!
Currently only done Android, but it works like a charm after you specify the IssuerInformation. Could you let me know how you found out this could work?

JayZuo ♦ Kevin Beye commented

We have a customer who used Azure AD B2C before, and they shared a sample here:
