Azure AD B2C with Zammad


  • Used Zammad version: 2.6.
  • Used Zammad installation source: Installation according to Ubuntu tutorial
  • Operating system: Ubuntu
  • Browser + version: Chrome / Internet Explorer

Expected behavior:

  • Configuration of the generic OAuth security settings should enable login via Azure AD B2C
    Settings were configured as:

Zammad app was registered and appid + password (key) entered in the configuration


Authorization Url:

Token Url:

Actual behavior:

  • Message from oauth2: invalid_credentials (Exceptions::UnprocessableEntity)
    /opt/zammad/app/controllers/sessions_controller.rb:169:in `failure_omniauth'

Steps to reproduce the behavior:

  • Try to configure any Azure AD or Azure AD B2C account

Did anybody successfully configure azure ad b2c? The same tenant is currently working with 8 different applications. I am not able to make it work with Zammad though…

You are sure that the credentials you provided are correct?

Yes, tried the same keys with different apps over and over again.

Here is my progress so far:

With my first attempt I’ve tried to use the following parameter

Then I quickly realized that neither an option for scope nor policy is recognized by Azure AD B2C.
I got the following error:

AADSTS90014: The request body must contain the following parameter: 'scope'.

After adding the missing parameters in the authorize url field I came up with the following:

And regardless of user account or client(appid) / app secret, I always get

The user account is 100% correct (otherwise it would fail on the redirected Microsoft page).
The app key was regenerated like 10 times in different versions and combinations. The app id is correct as well.

Being kind of desperate I’ve started to compare the endpoint test url from Azure (to test these login policies) with the one generated out of Zammad’s redirect:


Endpoint simulation in Azure:

Looks alike - even changing the standard redirect uri to b2clogin of Microsoft ended up in the same way.

Any ideas?
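The by-eye comparison of the two authorize URLs described in the post above can be done mechanically. This is an added example, not part of the original thread: a Ruby script that compares two authorize URLs parameter by parameter, ignoring `state` and `nonce` and treating `scope` as an unordered set. Both URLs, including the tenant, policy name, client id and redirect URI, are constructed placeholders.

```ruby
require 'uri'

# Parameters whose values legitimately differ between two requests.
VOLATILE = %w[state nonce].freeze

# Split an authorize URL into its endpoint (scheme, host, path) and a query hash.
def split_authorize_url(url)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query.to_s).to_h
  # scope is a space-separated set, so its order must not count as a difference
  params['scope'] = params['scope'].split.sort.join(' ') if params['scope']
  ["#{uri.scheme}://#{uri.host.downcase}#{uri.path}", params]
end

# Return [name, value_in_a, value_in_b] for every difference between the URLs.
def diff_authorize_urls(url_a, url_b)
  endpoint_a, params_a = split_authorize_url(url_a)
  endpoint_b, params_b = split_authorize_url(url_b)
  diffs = []
  diffs << ['(endpoint)', endpoint_a, endpoint_b] unless endpoint_a == endpoint_b
  (params_a.keys | params_b.keys).sort.each do |name|
    next if VOLATILE.include?(name)
    diffs << [name, params_a[name], params_b[name]] unless params_a[name] == params_b[name]
  end
  diffs
end

# Constructed sample: the URL an application redirects to (placeholder values).
APP_URL = 'https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize' \
          '?p=B2C_1_signin&client_id=00000000-0000-0000-0000-000000000000' \
          '&response_type=code&redirect_uri=https%3A%2F%2Fzammad.example.com%2Fcallback' \
          '&state=abc123'

# Constructed sample: the URL from the policy test page (placeholder values).
TEST_URL = 'https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize' \
           '?p=B2C_1_signin&client_id=00000000-0000-0000-0000-000000000000' \
           '&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fzammad.example.com%2Fcallback' \
           '&scope=openid&response_type=code&prompt=login'

diff_authorize_urls(APP_URL, TEST_URL).each do |name, a, b|
  puts format('%-14s app=%-10s test=%s', name, a.inspect, b.inspect)
end
```

With the constructed URLs the script reports `prompt` and `scope` as present only in the test URL; an empty result means the two requests differ only in `state` and `nonce`.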

I’ve tracked down the redirect URLs:


The payload looks like this:
"typ": "JWT",
"alg": "HS256"
"jti": "26c03df2-079c-4d1b-ba8b-8bcee57143d6",
"iat": 1536825189,
"exp": 1536828789

@MrGeneration does this help?
