When using Azure Active Directory B2C (AAD B2C) for authentication in Power Pages (formerly Power Apps portals), a common issue that can arise is a login redirect loop. This typically occurs when the authentication process does not complete successfully and causes the user to be stuck in a loop of redirects, preventing access to the desired page. This can be frustrating, as it creates a poor user experience and prevents proper login.
Here’s a step-by-step troubleshooting guide to resolve this issue:
Step 1: Understand the Redirect Loop Cause
A redirect loop usually happens when:
- The user’s session is not properly established after successful authentication.
- The redirect URI or configuration is incorrect, causing the browser to continuously attempt login.
- Token issues prevent the proper completion of the authentication process.
- Access control settings might be misconfigured, requiring re-authentication or redirecting to an unauthorized page.
Step 2: Check AAD B2C Authentication Configuration
A. Verify the Redirect URI in AAD B2C
Ensure that the redirect URI configured in Azure AD B2C matches the one expected by Power Pages.
- Go to Azure AD B2C in the Azure portal.
- In Azure AD B2C, navigate to App Registrations > Your App (the app associated with the portal).
- Under Authentication, ensure the Redirect URIs are set correctly. The URI should look something like:
https://<your-portal-name>.powerappsportals.com/_services/auth/callback
This must match the URL where the portal expects to handle the callback after authentication.
- If there are any extra paths or query parameters in the Redirect URI settings, remove them to ensure the URI matches exactly.
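To see why a redirect URI fails the exact-match requirement above, the following added example (not code from Power Pages or Azure) compares the `redirect_uri` in a captured sign-in request against the registered URIs and names the differing component. The `contoso` portal name, the `b2c.example` host and the client ID are constructed sample values.

```javascript
// Added example. All sample values below are constructed for illustration.
const SAMPLE_AUTHORIZE_URL =
  "https://b2c.example/authorize?client_id=constructed-client-id" +
  "&redirect_uri=https%3A%2F%2Fcontoso.powerappsportals.com%2F_services%2Fauth%2Fcallback";
const SAMPLE_REGISTERED = [
  "https://contoso.powerappsportals.com/_services/auth/callback/",
  "https://contoso.powerappsportals.com/_services/auth/callback?source=portal",
];

// List the components in which a sent redirect URI differs from a registered one.
function diffRedirectUri(sent, registered) {
  const a = new URL(sent);
  const b = new URL(registered);
  const diffs = [];
  if (a.protocol !== b.protocol) diffs.push("scheme");
  if (a.host !== b.host) diffs.push("host");
  if (a.pathname !== b.pathname) {
    const strip = (p) => p.replace(/\/+$/, "");
    if (strip(a.pathname) === strip(b.pathname)) diffs.push("trailing-slash");
    else if (a.pathname.toLowerCase() === b.pathname.toLowerCase()) diffs.push("path-case");
    else diffs.push("path");
  }
  if (a.search !== b.search) diffs.push("query");
  if (a.hash !== b.hash) diffs.push("fragment");
  // Equal after URL normalisation but not the same string (host case, encoding).
  if (diffs.length === 0 && sent !== registered) diffs.push("raw-string");
  return diffs;
}

// Pull redirect_uri out of a captured authorization request and compare it
// against every URI registered for the app.
function checkAuthorizeRequest(authorizeUrl, registeredUris) {
  const sent = new URL(authorizeUrl).searchParams.get("redirect_uri");
  if (!sent) return { sent: null, exactMatch: false, candidates: [] };
  return {
    sent,
    exactMatch: registeredUris.includes(sent),
    candidates: registeredUris.map((r) => ({ registered: r, diffs: diffRedirectUri(sent, r) })),
  };
}

console.log(JSON.stringify(checkAuthorizeRequest(SAMPLE_AUTHORIZE_URL, SAMPLE_REGISTERED), null, 2));
```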
Step 3: Review Portal Authentication Settings
A. Verify External Identity Provider Configuration
- In Power Pages, navigate to Portal Management > Authentication.
- Select the Identity Provider you are using for AAD B2C.
- Ensure that:
- The Client ID and Client Secret are correctly configured.
- The Callback URL (also known as Redirect URI) points to the correct value, as set in the AAD B2C configuration (refer to Step 2A).
- Double-check if any additional configuration (e.g., scopes, policies) is needed for AAD B2C integration.
B. Review Custom Policies (If Used)
If you are using custom policies for your AAD B2C setup (for example, custom sign-in or sign-up experiences):
- Ensure the custom policies are configured correctly and don’t cause an unexpected loop.
- Verify the orchestration step in the custom policy that handles redirects.
- If a step redirects to a page that expects the user to log in again, it can cause the loop.
Step 4: Clear Browser Cache and Cookies
Sometimes, the login redirect loop is caused by stale cookies or session tokens stored in the browser.
- Clear the browser’s cookies and cache.
- This will ensure that the browser starts with a fresh session and resolves any issues related to expired or invalid sessions.
- Try accessing the portal again in incognito mode or use a different browser to rule out cache-related issues.
Step 5: Check Portal Access Control Settings
Misconfigured access control settings in Power Pages could also trigger a redirect loop, especially if a page requires specific authentication or roles.
A. Review Web Role and Page Permissions
- Go to Portal Management > Web Roles.
- Ensure the user has the appropriate web roles assigned.
- Verify the page permissions for the page that causes the redirect loop.
- If the page requires an authenticated user and the web role or permissions are not set correctly, users might be repeatedly redirected to the login page.
B. Set Default Landing Page After Login
Make sure the portal is configured to redirect users to a specific page after login, instead of going back to the login page again.
- In Portal Management, navigate to Web Pages and check the page’s redirect URL setting.
- Set a default page for users after login (e.g., the home page or a dashboard page).
Step 6: Enable Diagnostic Logging
Enable trace logs in Power Pages to capture detailed information about what’s happening during the authentication process.
- In Portal Management, navigate to Site Settings.
- Add the following site setting:
- Name: EnableTraceLogs
- Value: true
- Once enabled, review the logs to look for errors related to AAD B2C login and redirection.
The logs may show details about authentication failures or misconfigurations, which can help identify the source of the redirect loop.
Step 7: Check Session Timeout and Token Expiry
A common cause of redirect loops is token expiration or session timeouts. Ensure that the tokens provided by AAD B2C are not expiring too quickly.
- Check the token lifetime settings in Azure AD B2C.
- Make sure the tokens have a reasonable expiry period.
- If the token expires during the authentication process, the user will be redirected to the login page again.
If necessary, adjust the session timeout settings in AAD B2C or configure token renewal so the session remains active during the process.
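To check the lifetime a token was actually issued with, this added example (not part of the original guide) decodes the `iat`, `nbf` and `exp` claims of a JWT captured during sign-in. It does not verify the signature, so it is a diagnostic aid only; the sample token, the `makeSampleToken` helper and the `skewSeconds` tolerance are constructed for illustration.

```javascript
// Added example. Decodes claims WITHOUT verifying the signature: use it to
// inspect timing during troubleshooting, never to make an access decision.
function decodeJwtClaims(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 segments)");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/"); // base64url -> base64
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// nowSeconds: current Unix time. skewSeconds: allowed clock difference
// between issuer and consumer (an assumption; set it to match your setup).
function tokenTiming(token, nowSeconds, skewSeconds = 0) {
  const c = decodeJwtClaims(token);
  if (typeof c.exp !== "number") throw new Error("token has no numeric exp claim");
  const issued = typeof c.iat === "number" ? c.iat : c.nbf;
  return {
    lifetimeSeconds: typeof issued === "number" ? c.exp - issued : null,
    remainingSeconds: c.exp - nowSeconds,
    expired: nowSeconds > c.exp + skewSeconds,
    notYetValid: typeof c.nbf === "number" && nowSeconds + skewSeconds < c.nbf,
  };
}

// Builds a constructed, unsigned sample token so the example runs offline.
function makeSampleToken(claims) {
  const enc = (o) =>
    Buffer.from(JSON.stringify(o)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc({ alg: "RS256", typ: "JWT" }) + "." + enc(claims) + ".constructed-signature";
}

// Constructed sample: a token issued with a 5-minute lifetime, checked
// 400 seconds after issue.
const sampleToken = makeSampleToken({ iat: 1700000000, nbf: 1700000000, exp: 1700000300 });
console.log(tokenTiming(sampleToken, 1700000400));
```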
Step 8: Test with a Different Identity Provider
To narrow down whether the issue is with the AAD B2C configuration or the integration with Power Pages, try configuring a different identity provider (e.g., Azure AD, Facebook, or Google).
- Set up a test identity provider in Portal Management.
- Test logging in with the new provider to check if the redirect loop persists.
If the loop only occurs with AAD B2C, then the issue is likely with the AAD B2C configuration or its integration with Power Pages.
Step 9: Check for Network and Security Restrictions
In some cases, network configurations, such as firewalls or proxy servers, may interfere with the redirection process.
- Ensure that your network settings allow communication with Azure AD B2C endpoints.
- Verify that there are no security policies blocking the redirect URI or the authentication callback.
Step 10: Recheck Custom JavaScript or Custom Code
If you have implemented any custom JavaScript or logic related to authentication (e.g., in the login page or a custom page), ensure that it’s not causing an unintended redirect.
- Review the JavaScript code for potential infinite redirect loops or conflicting logic with the AAD B2C flow.
- Temporarily disable or comment out custom JavaScript to see if the issue resolves.
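The following added example (not code from the portal) shows a loop-prone custom redirect beside a guarded version that skips the authentication pages and stops after a few attempts. The `/SignIn` route, the `returnUrl` parameter, the storage key and the attempt limit are assumptions; the callback path is the one from Step 2.

```javascript
// Added example. In the browser, pass window.location and
// window.sessionStorage; memoryStorage() lets it run offline.
const SIGN_IN = "/SignIn";                          // assumed sign-in route
const AUTH_PATHS = ["/signin", "/_services/auth"];  // lower-cased; callback path from Step 2
const ATTEMPT_KEY = "authRedirectAttempts";         // hypothetical storage key
const MAX_ATTEMPTS = 3;                             // hypothetical limit

// Loop-prone: fires on every page, including the sign-in page itself.
function naiveRedirect(loc, signedIn) {
  return signedIn ? null : SIGN_IN + "?returnUrl=" + encodeURIComponent(loc.pathname);
}

function guardedRedirect(loc, signedIn, storage) {
  if (signedIn) {
    storage.removeItem(ATTEMPT_KEY); // success: reset the counter
    return { redirectTo: null, reason: "signed-in" };
  }
  const path = loc.pathname.toLowerCase();
  if (AUTH_PATHS.some((p) => path === p || path.startsWith(p + "/"))) {
    return { redirectTo: null, reason: "auth-page" }; // never redirect out of the flow
  }
  const attempts = Number(storage.getItem(ATTEMPT_KEY) || 0) + 1;
  storage.setItem(ATTEMPT_KEY, String(attempts));
  if (attempts > MAX_ATTEMPTS) {
    return { redirectTo: null, reason: "attempt-limit" }; // show an error instead
  }
  // returnUrl comes from the current same-origin path, never from a query parameter.
  const returnUrl = encodeURIComponent(loc.pathname + (loc.search || ""));
  return { redirectTo: SIGN_IN + "?returnUrl=" + returnUrl, reason: "redirect" };
}

// Minimal in-memory stand-in for sessionStorage.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => void m.set(k, String(v)),
    removeItem: (k) => void m.delete(k),
  };
}
```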
