Dynamics 365 Portal and Azure AD B2C Register Time Out
Jordan Hohepa, 12 June 2020
We recently used Azure AD B2C to handle the Sign-In and Sign-Up functionality for a Dynamics 365 Portal. We ran into an issue with the Sign-Up page where a Portal User would fill in all their details, but their account would not be fully created.
We found that the B2C Sign-Up page was creating the B2C User Account as expected, but the connected Contact was not being created in Dynamics 365. Upon digging deeper into the portal logs, we found the following error.
- “Message:Exception during OpenIdConnect or Azure Authentication in Microsoft.IdentityModel.Protocol.Extensions: IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'.;”
It turns out that when the Dynamics 365 Portal redirects a user to B2C, its OpenID Connect middleware generates a random nonce, sends it in the authorization request, and keeps a copy in a browser cookie that by default expires after 15 minutes. When B2C redirects the user back, the nonce claim inside the returned id_token is compared against that cookie. If the user spent longer than 15 minutes on the Sign-Up page, the cookie has already expired, the middleware has nothing to compare against, and it rejects the response with the IDX10311 error above. By that point B2C has already created the user account, but the Portal never completes the sign-in, so no Contact is created. Out of the box, this expiration time cannot be changed.
After raising the issue with Microsoft, they added a new Site Setting to Dynamics 365 that lets the nonce expiration time be configured. You can see this new setting in the screenshot above. The setting name contains a [provider] placeholder, which we needed to replace with the name of the B2C identity provider configured for our portal. When choosing a value, set it long enough to cover a realistic trip through the Sign-Up page, but not much longer: the nonce is what ties the returned id_token to the browser session that started the login, so a longer lifetime also lengthens the window in which a captured response stays usable.
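To make the failure mode concrete, here is a small Python model of the nonce check described above. It is an added example, not the portal's or Microsoft's code: the real portal uses the Microsoft.IdentityModel OpenID Connect middleware, and the cookie name format, the idp.example URL, the fixed clock values and the helper names (RelyingParty, simulate_signup) are assumptions made for illustration. The 15-minute default matches the figure in the post; the example also shows the same flow succeeding once the lifetime is raised, and the nonce being rejected on a second use.

```python
"""Toy model of the OpenID Connect nonce check behind the IDX10311 error.

The relying party (the portal) mints a nonce, stores it in a short-lived
cookie, and sends the same nonce to the identity provider (B2C). When the
id_token comes back, its nonce claim is checked against the cookie. If the
cookie has expired, there is nothing to compare against and the sign-in is
rejected even though the identity provider already created the account.
"""
import base64
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, Tuple

DEFAULT_NONCE_LIFETIME = 15 * 60  # seconds; the portal default described in the post


class NonceValidationError(Exception):
    """Raised when the id_token nonce cannot be matched to a live cookie."""


@dataclass
class NonceCookie:
    nonce: str
    expires_at: float  # epoch seconds


class RelyingParty:
    """Stand-in for the portal's OIDC middleware (hypothetical, not the product code)."""

    def __init__(self, nonce_lifetime: int = DEFAULT_NONCE_LIFETIME) -> None:
        self.nonce_lifetime = nonce_lifetime
        self.cookie_jar: Dict[str, NonceCookie] = {}  # simulated browser cookie jar

    @staticmethod
    def _cookie_name(nonce: str) -> str:
        # Cookie is keyed by a hash of the nonce so the cookie name itself reveals nothing.
        digest = hashlib.sha256(nonce.encode()).hexdigest()[:32]
        return f"OpenIdConnect.nonce.{digest}"

    def begin_authentication(self, now: float) -> Tuple[str, str]:
        """Mint a nonce, store it in a cookie, and build the authorize redirect."""
        nonce = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()
        self.cookie_jar[self._cookie_name(nonce)] = NonceCookie(nonce, now + self.nonce_lifetime)
        redirect = (
            "https://idp.example/oauth2/v2.0/authorize?response_type=id_token"
            f"&client_id=portal&redirect_uri=https%3A%2F%2Fportal.example%2Fsignin&nonce={nonce}"
        )
        return nonce, redirect

    def complete_authentication(self, id_token_claims: Dict[str, str], now: float) -> str:
        """Validate the nonce claim against the cookie jar; return the subject on success."""
        nonce = id_token_claims.get("nonce")
        if not nonce:
            raise NonceValidationError("id_token carries no nonce claim")
        # Nonces are single use: remove the cookie whether or not validation succeeds.
        cookie = self.cookie_jar.pop(self._cookie_name(nonce), None)
        if cookie is None or cookie.expires_at <= now:
            # A browser drops an expired cookie, so the middleware sees a null nonce (IDX10311).
            raise NonceValidationError(
                "nonce cookie missing or expired; RequireNonce is true so the response is rejected"
            )
        if cookie.nonce != nonce:
            raise NonceValidationError("nonce claim does not match cookie")
        return id_token_claims["sub"]


def simulate_signup(signup_duration: int, nonce_lifetime: int = DEFAULT_NONCE_LIFETIME) -> str:
    """Simulate a user who spends `signup_duration` seconds on the B2C Sign-Up page."""
    rp = RelyingParty(nonce_lifetime)
    t0 = 1_600_000_000.0  # constructed fixed clock for reproducibility
    nonce, _redirect = rp.begin_authentication(now=t0)
    # Simulated B2C side: the account is created regardless, and the id_token echoes the nonce.
    id_token_claims = {"sub": "b2c-object-id-0001", "nonce": nonce}
    try:
        sub = rp.complete_authentication(id_token_claims, now=t0 + signup_duration)
    except NonceValidationError as exc:
        return f"B2C account created, portal contact NOT created: {exc}"
    return f"B2C account created, portal contact created for {sub}"


if __name__ == "__main__":
    for minutes, lifetime in ((5, DEFAULT_NONCE_LIFETIME), (20, DEFAULT_NONCE_LIFETIME), (20, 60 * 60)):
        print(f"{minutes:>2} min on sign-up page, {lifetime // 60} min nonce lifetime -> "
              f"{simulate_signup(minutes * 60, lifetime)}")
```

The third scenario is the fix the post describes: the same 20-minute sign-up succeeds once the nonce lifetime is raised above it. The one-time-use behaviour in complete_authentication is why the lifetime should still be kept as short as the form allows, rather than set to something very large.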
Keep this nonce cookie lifetime in mind when pairing a Dynamics 365 Portal with Azure AD B2C, particularly if users are likely to spend more than 15 minutes on the Sign-Up page, as it cannot be changed without help from Microsoft.