'AADB2C90088: The provided grant has not been issued for this endpoint

We are using custom policies for Sign in and reset password in Azure B2C, when user is resetting his password and after doing all the process, when user tries to login using new password and OTP, below error is getting displayed and then user is continuously asked for new access code.

HTTP/1.1 400 Bad Request
Cache-Control: private
Allow: OPTIONS,TRACE,GET,HEAD,POST
Content-Type: application/json; charset=utf-8
x-ms-gateway-requestid: a6264e6b-e73e-45e1-aab9-71c5916e1215
Access-Control-Expose-Headers: Content-Length, Content-Encoding
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST, OPTIONS
Set-Cookie: x-ms-cpim-trans=; domain=****; expires=Fri, 02-Sep-2011 12:14:12 GMT; path=/; SameSite=None; secure; HttpOnly
X-Frame-Options: DENY
Public: OPTIONS,TRACE,GET,HEAD,POST
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Date: Thu, 02 Sep 2021 12:14:12 GMT
Content-Length: 296

{"error":"invalid_grant","error_description":"AADB2C90088: The provided grant has not been issued for this endpoint. Actual Value : B2C_1A_MFA_phone_or_email and Expected Value : B2C_1A_PasswordReset\r\nCorrelation ID: ******\r\nTimestamp: 2021-09-02 12:14:12Z\r\n"}

When the user has changed his password and click continue, below requests generated and you can see first token request is successful, but it is again trying for second token request and getting failed with above error. Network logs

What we are expecting here is that user should automatically get logged in, once he reset his password, rather then navigating back to log in screen and asking credentials again.

azure-ad-b2cmsalazure-ad-b2c-custom-policy


Solution 1:[1]

The issue is that you are using the refresh token (RT) from the Password Reset policy to fetch a new token, but you are using the RT against the Sign In policy.

You need to make sure you select the correct Account object in your MSAL cache and use that against the matching B2C policy in your acquireTokenSilent() call.

Solution 2:[2]

You can access accounts in your msal instance with instance.getAllAccounts(), it appears to append any new account object each time you make a loginRedirect invocation. You may need to select the correct account in the array when you pass in the account object to acquireTokenSilent

const accounts = instance.getAllAccounts();
const account = accounts[index];

const authResult = await instance.acquireTokenSilent({
    scopes: config.authentication.scopes,
    account: account
});

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Jas Suri - MSFT
Solution 2

Related Questions

Pass parameters to Sign-up policy

Pass parameters to Sign-up policy

Azure AD B2C with React Native Expo

Is it possible to automatically update B2C user details by using claims from the Issuer, using Identity Experience Framework?

Can I use SVG within a customized the Azure AD B2C user interface?

Azure B2C password field text and placeholder

Looking up users in AAD B2C using extension attributes or unusual standard attributes

Azure AD B2C - Supporting a daemon app along with B2C clients such as Web page and native mobile app

Single Sign Out Not working between OpenID & SAML (Azure AD B2C)

Argo Workflow SSO not working with Azure Active Directory B2C

How to query another Azure Active Directory tenant from Graph Explorer

Azure AD B2C Single Sign Out not signing out all applications when using multiple protocols

404 Not Found error via resource owner password credentials flow in Azure AD B2C

Azure B2C - REST API call Error "Message: The claims exchange <Id> specified in step <order> returned HTTP error response that could not be parsed"

Xamarin.Forms MSAL authentication java.exe exited with code 1