AzureB2C and User Flows – Unable to retrieve document from: ‘[PII of type ‘System.String’ is hidden

I was playing with AzureB2C & user flows this weekend (yes what better way to spend your weekend!) and encountered a few issues I suspect will bite other people.

Microsoft documentation has improved massively over recent years but whenever I touch AzureB2C/ASP.NET Core Auth stuff I’m always frustrated by the out of date documentation and examples available.

Today was no exception and after an hour or two of playing, swearing, feeling stupid and upgrading examples to .NET 6, I had the basics working and could sign in to my AzureB2C instance.

I now wanted to add a custom user flow so I followed through the tutorials to set this up and all looked good.

However, when I tried to sign in I was greeted with the following error:

IOException: IDX20807: Unable to retrieve document from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. HttpResponseMessage: '[PII of type 'System.Net.Http.HttpResponseMessage' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]', HttpResponseMessage.Content: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.

Here’s a lovely screenshot of it:

This confused me as I’d followed tutorials step by step and this error message really is not very helpful.

The first step to resolving this is to turn off the PII protection in IdentityModel so you can see what's going on.

To do this add the line below to startup.cs/program.cs and you will have more info (remember to turn it off again once you're done, as it writes the hidden values, including URLs and response bodies, into your logs):

IdentityModelEventSource.ShowPII = true;

In my case I could see the problem was the app was trying to download OpenID configuration from a URL that was not accessible any more:

https://login.microsoftonline.com/.onmicrosoft.com/B2C_1_SignUpAndSignIn/v2.0/.well-known/openid-configuration

I assume Microsoft have retired/repurposed login.microsoftonline.com as a way of referencing user flows – perhaps they could have provided some kind of feedback around this if you hit the URL?

But what should the correct URL be?

AzureB2C allows you to test your user flows with a “Run user flow” option. I knew my flow was working as I’d tried this already:

Note: if you find that all the options are disabled/greyed out when you try to run your user flow, this is because when you created your application registration you didn't select the third option in Supported account types (ask me how I know):

Silly you!

Of course this clumsy error is immediately obvious from the complete lack of information the Azure Portal gives you here, but er, moving on..

Anyway, on the Run user flow pane I could see that the config for the user flow was actually located at:

https://<AzureB2C name>.b2clogin.com/<AzureB2C name>.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_SignUpAndSignIn

When you run your user flow you'll see the URL where this config lives at the top of the pane:

You can go to this URL and you’ll see some lovely JSON with your setup details in – a bit of it looks like this:

I'm configuring my app via appsettings.json, so the fix was simply to change the Instance property in the AzureB2C configuration section from:

"Instance": "https://login.microsoftonline.com/"

To:

"Instance": "https://<Azure B2C name>.b2clogin.com/"
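As an added example (not code from the original post), here is a small Python checker that composes the discovery URL from an AzureAdB2C appsettings section, flags the retired login.microsoftonline.com instance, and confirms that a downloaded discovery document actually belongs to the configured tenant and policy. The tenant name contoso, the ClientId and the sample metadata are constructed placeholders, and the Instance/Domain/policy/v2.0 composition is assumed to match the authority the app builds from that section.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an AzureAdB2C appsettings.json section (placeholder values).
APPSETTINGS = json.loads("""
{
  "AzureAdB2C": {
    "Instance": "https://contoso.b2clogin.com/",
    "Domain": "contoso.onmicrosoft.com",
    "ClientId": "00000000-0000-0000-0000-000000000000",
    "SignUpSignInPolicyId": "B2C_1_SignUpAndSignIn",
    "CallbackPath": "/signin-oidc"
  }
}
""")

# Constructed sample of the discovery document served for the user flow above.
SAMPLE_METADATA = {
    "issuer": "https://contoso.b2clogin.com/11111111-1111-1111-1111-111111111111/v2.0/",
    "authorization_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/"
                              "b2c_1_signupandsignin/oauth2/v2.0/authorize",
}

RETIRED_HOST = "login.microsoftonline.com"


def discovery_url(section: dict) -> str:
    """URL the app requests: Instance/Domain/policy/v2.0/.well-known/openid-configuration
    (assumed composition; the portal shows the equivalent ?p=<policy> form)."""
    instance = section["Instance"].rstrip("/")
    return (f"{instance}/{section['Domain']}/{section['SignUpSignInPolicyId']}"
            "/v2.0/.well-known/openid-configuration")


def instance_problems(section: dict) -> list[str]:
    """Human-readable problems with the Instance setting (empty list if it looks right)."""
    url = urlparse(section["Instance"])
    host = url.hostname or ""
    problems = []
    if url.scheme != "https":
        problems.append("Instance must use https")
    if host == RETIRED_HOST:
        problems.append(f"{RETIRED_HOST} no longer serves user-flow metadata; use <tenant>.b2clogin.com")
    elif not host.endswith(".b2clogin.com"):
        problems.append("Instance host is not a *.b2clogin.com host")
    return problems


def metadata_matches(section: dict, metadata: dict) -> bool:
    """True if the discovery document's issuer and authorize endpoint sit on the configured
    instance host and the endpoint references the configured policy (path or ?p= form)."""
    expected_host = urlparse(section["Instance"]).hostname
    auth_endpoint = metadata["authorization_endpoint"]
    return (urlparse(auth_endpoint).hostname == expected_host
            and urlparse(metadata["issuer"]).hostname == expected_host
            and section["SignUpSignInPolicyId"].lower() in auth_endpoint.lower())
```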