Exception thrown when using /userinfo in Azure B2C custom policies

Gurpreet0101Singh-9444 70 Reputation points
2025-08-05T09:37:48.7633333+00:00

We have set up an OAuth2 IDP, and for the custom endpoint we use the /userinfo endpoint of the OpenID IDP.

We are getting the exception "AADB2C: An exception has occurred", and in Application Insights the reason shows as "A redirect status code of 302 was returned for a request that does not allow redirects".

We are using OAuth2 and the /userinfo endpoint to get claims data using the "ClaimsEndpoint" field:

<Item Key="ClaimsEndpoint">https://idp.com/oauth2/userInfo</Item>
Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

  1. Praveen Chivarla 105 Reputation points Microsoft External Staff Moderator
    2025-08-25T12:01:41.2633333+00:00

    Hi @Gurpreet0101Singh-9444,

    Thank you for posting your query on Microsoft Q&A.

    As per our understanding, you are facing an issue with your Azure AD B2C custom policy when calling an OAuth2 IDP’s /userinfo endpoint. The error “A redirect status code of 302 was returned for a request that does not allow redirects” means that the endpoint you’re calling is responding with a redirect (HTTP 302) instead of the expected user information.

    This usually happens because the B2C technical profile is not sending the required access token when calling /userinfo.

    Please try steps below:

    1. Test /userinfo manually
      • Use a tool like Postman or curl to call the /userinfo endpoint directly with a valid access token in the Authorization header:

    curl --request GET "https://idp.com/oauth2/userInfo" --header "Authorization: Bearer {access_token}"

      • Confirm you receive a JSON response without redirects. If you still get 302, check the IDP’s docs for required scopes or parameters.
    2. Update your B2C custom policy Technical Profile
      • In TrustFrameworkExtensions.xml, locate the technical profile that defines the call to /userinfo.
      • Set the following properties:
        • HttpBinding to GET (or POST if needed by the IDP).
        • AuthenticationType to "Bearer".
        • Include a CryptographicKeys element to specify the access token to send as a bearer token. Example snippet:
    <TechnicalProfile Id="OAuth2-UserInfo">
      <DisplayName>OAuth2 User Info Endpoint</DisplayName>
      <!-- Protocol is self-closing; Metadata, CryptographicKeys and OutputClaims are direct children of TechnicalProfile -->
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine" />
      <Metadata>
        <Item Key="ServiceUrl">https://idp.com/oauth2/userInfo</Item>
        <Item Key="AuthenticationType">Bearer</Item>
        <Item Key="HttpBinding">GET</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- With AuthenticationType=Bearer the RESTful provider reads the token from the key whose Id is BearerAuthenticationToken -->
        <Key Id="BearerAuthenticationToken" StorageReferenceId="B2C_1A_OAuth2AccessToken" />
      </CryptographicKeys>
      <OutputClaims>
        <!-- Map expected claims here, for example: -->
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
      </OutputClaims>
    </TechnicalProfile>
    
    3. Upload and test your updated policy
      • Deploy your custom policy files through the Azure AD B2C blade.
      • Test the user flow and watch Application Insights logs for the /userinfo invocation and response.


    Please "Accept as Answer" if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.
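Step 1 of the answer above, as an added diagnostic script (not code from the question, the answer, or Microsoft): it calls /userinfo once with a bearer token, deliberately does not follow redirects (which is what the B2C engine does), and reduces the response to a verdict so a 302, a 401 for a bad token, or a non-JSON body is obvious. The URL and token are command-line inputs; the response classifier is a pure function so it can also be exercised on constructed responses.

```python
"""Probe an OAuth2 /userinfo endpoint the way Azure AD B2C calls it:
a single GET with a bearer token and no redirect following.
Added example; uses only the Python standard library."""
import json
import sys
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back unchanged instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_userinfo_response(status, headers, body):
    """Map (status, headers, body) to a (verdict, detail) pair.
    headers may use any casing; they are lowercased here."""
    h = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        # This is exactly the case B2C reports as "302 ... does not allow redirects".
        return ("redirect", f"HTTP {status} -> {h.get('location', '<no Location header>')}")
    if status == 401:
        return ("unauthorized", h.get("www-authenticate", "missing or expired bearer token"))
    if status == 403:
        return ("forbidden", "token accepted but lacks a required scope")
    if status == 200:
        ctype = h.get("content-type", "")
        if "json" not in ctype:
            return ("not-json", f"Content-Type {ctype or '<none>'}")
        try:
            claims = json.loads(body)
        except ValueError:
            return ("not-json", "body is not valid JSON")
        if "sub" not in claims:
            return ("no-sub", "JSON lacks the OIDC-required 'sub' claim")
        return ("ok", sorted(claims.keys()))
    return ("other", f"HTTP {status}")


def probe_userinfo(url, access_token, timeout=10):
    """Perform the single no-redirect request and classify the result."""
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
    )
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_userinfo_response(resp.status, dict(resp.headers),
                                              resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        # With NoRedirect installed, 3xx and 4xx both arrive here.
        return classify_userinfo_response(e.code, dict(e.headers),
                                          e.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe_userinfo.py <userinfo-url> <access-token>")
    verdict, detail = probe_userinfo(sys.argv[1], sys.argv[2])
    print(verdict, detail)
```

A "redirect" verdict with a Location pointing at a login page usually means the IDP did not accept the bearer token at all (no token, wrong audience, or it expects the token as a query parameter or form field); compare the detail with the IDP's documentation before changing the policy.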

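Step 2 of the answer above, as an added lint script (not part of the question, the answer, or any Microsoft tooling): it parses a TrustFrameworkExtensions.xml fragment and checks each RESTful technical profile for the settings the answer lists (HTTPS ServiceUrl, HttpBinding, AuthenticationType Bearer, and a BearerAuthenticationToken key under CryptographicKeys), and also flags the structural mistake of nesting Metadata under Protocol. The embedded sample policy is constructed for the example; the hostname and key name in it are placeholders.

```python
"""Lint Azure AD B2C RESTful technical profiles for a bearer-authenticated
/userinfo call. Added example; standard library only."""
import xml.etree.ElementTree as ET

# Namespace used by TrustFrameworkPolicy documents.
NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
RESTFUL_HANDLER = "Web.TPEngine.Providers.RestfulProvider, Web.TPEngine"


def metadata(tp):
    """Return the profile's <Metadata><Item Key=...> entries as a dict."""
    return {item.get("Key"): (item.text or "").strip()
            for item in tp.findall("cpim:Metadata/cpim:Item", NS)}


def lint_restful_profile(tp):
    """Return a list of findings for one TechnicalProfile (empty == looks right)."""
    findings = []
    proto = tp.find("cpim:Protocol", NS)
    if proto is None or proto.get("Handler") != RESTFUL_HANDLER:
        findings.append("Protocol must be Proprietary with the RestfulProvider handler")
    if proto is not None and len(proto):
        findings.append("Protocol must be self-closing; Metadata/CryptographicKeys/OutputClaims "
                        "belong directly under TechnicalProfile")
    meta = metadata(tp)
    if not meta.get("ServiceUrl", "").startswith("https://"):
        findings.append("ServiceUrl must be an https URL")
    if meta.get("HttpBinding") not in ("GET", "POST"):
        findings.append("HttpBinding must be GET or POST")
    if meta.get("AuthenticationType") == "Bearer":
        keys = {k.get("Id") for k in tp.findall("cpim:CryptographicKeys/cpim:Key", NS)}
        if "BearerAuthenticationToken" not in keys:
            findings.append("AuthenticationType=Bearer requires a CryptographicKeys/Key "
                            "with Id='BearerAuthenticationToken'")
    else:
        findings.append("AuthenticationType should be Bearer so the access token is sent")
    return findings


def lint_policy(xml_text):
    """Lint every TechnicalProfile in the document; returns {Id: [findings]}."""
    root = ET.fromstring(xml_text)
    return {tp.get("Id"): lint_restful_profile(tp)
            for tp in root.iter(f"{{{NS['cpim']}}}TechnicalProfile")}


# Constructed sample: one profile with the common mistakes, one corrected.
SAMPLE_POLICY = """<ClaimsProviders xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsProvider>
    <DisplayName>Example IDP (placeholder)</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="UserInfo-Broken">
        <DisplayName>userinfo call that sends no token</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine">
          <Metadata>
            <Item Key="ServiceUrl">https://idp.example/oauth2/userInfo</Item>
            <Item Key="HttpBinding">GET</Item>
          </Metadata>
        </Protocol>
      </TechnicalProfile>
      <TechnicalProfile Id="UserInfo-Fixed">
        <DisplayName>userinfo call with bearer token</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine" />
        <Metadata>
          <Item Key="ServiceUrl">https://idp.example/oauth2/userInfo</Item>
          <Item Key="AuthenticationType">Bearer</Item>
          <Item Key="HttpBinding">GET</Item>
        </Metadata>
        <CryptographicKeys>
          <Key Id="BearerAuthenticationToken" StorageReferenceId="B2C_1A_PlaceholderToken" />
        </CryptographicKeys>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>"""


if __name__ == "__main__":
    for profile_id, findings in lint_policy(SAMPLE_POLICY).items():
        print(profile_id, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run it against your own file by replacing SAMPLE_POLICY with the file contents; a profile that reports no findings has the shape the answer describes, which is a necessary but not sufficient condition, since the IDP still has to accept the token that the key actually holds.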
