Debugging Azure AD B2C 409 errors hidden by production WAFs

Summary

An integration issue occurred where Azure AD B2C failed to surface a backend REST API's error message during the user sign-up flow in Production. The QA environment parsed the API's 409 Conflict response and displayed the user-friendly message; Production instead failed the claims exchange with the generic error AADB2C90075 ("The claims exchange ... returned HTTP error response with Code ... and Reason ...") and showed "Something went wrong". The custom policy XML was identical in both environments, so the difference points at how the Production network path (API gateway, WAF) alters the 409 response before B2C's RESTful provider gets to parse it.

Root Cause

The failure to surface the backend error is typically driven by one of the following factors:

  • Intermediate Proxy/WAF Interference: Production WAFs and API gateways commonly intercept 4xx/5xx responses and replace the backend's JSON body with their own HTML error page, sometimes with a different status such as 403. B2C's RESTful provider then finds no JSON error body on the 409 it expected and fails the claims exchange with AADB2C90075.
  • Content-Type Mismatches: B2C only parses the error body when the Content-Type header is application/json. If the gateway rewrites the header (for example to text/html or text/plain) or drops it, the body is ignored even when the JSON inside is intact.
  • Malformed Error Schema: the error contract is fixed by B2C, not defined in the policy. A validation error is a 409 Conflict whose JSON body carries version, status and userMessage (code, requestId, developerMessage and moreInfo are optional). The ValidationTechnicalProfile's OutputClaims only describe the success response; a 409 body with different field names or extra nesting (e.g., {"error": {"message": "..."}}) is not recognized, so the user sees the generic message instead of userMessage.
  • Compression Issues: if the Production gateway applies Content-Encoding (GZIP) to the error response and B2C does not decompress it before parsing, the body is unreadable and the same generic error results.
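The four causes above can be told apart from the raw response alone. The following is an added example (not code from the original article or from Microsoft) that classifies an HTTP error response the way B2C will react to it: only a 409 with Content-Type application/json and a body carrying version, status and userMessage lets B2C show the message; everything else ends in AADB2C90075. The sample responses are constructed to mimic what a direct call versus a WAF or gateway in the path returns; they are not captures from a real environment.

```python
import gzip
import json

# Only this response shape lets B2C show the backend's message to the user.
B2C_ERROR_STATUS = 409                       # status the sign-up flow relies on
REQUIRED_FIELDS = ("version", "status", "userMessage")


def classify(status, headers, body):
    """Return (cause, detail). cause == "ok" means B2C would display userMessage."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status != B2C_ERROR_STATUS:
        return "unexpected-status", f"HTTP {status} instead of 409 (gateway block page or rewrite?)"
    if "content-encoding" in hdrs:
        return "compressed", f"Content-Encoding: {hdrs['content-encoding']} applied to an error body"
    ctype = hdrs.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "application/json":
        return "content-type", f"Content-Type is {ctype!r}; B2C requires application/json"
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return "non-json-body", f"body is not JSON: {body[:40]!r}"
    if not isinstance(payload, dict):
        return "schema", "top-level JSON value is not an object"
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        return "schema", f"missing {missing}; B2C expects version/status/userMessage"
    return "ok", payload["userMessage"]


# Constructed samples: what the API returns directly, and what a gateway/WAF can turn it into.
GOOD_BODY = json.dumps({"version": "1.0.0", "status": 409,
                        "userMessage": "That username is already taken."}).encode()
HTML_PAGE = b"<html><body><h1>403 Forbidden</h1></body></html>"

SAMPLES = {
    "qa-direct":                (409, {"Content-Type": "application/json"}, GOOD_BODY),
    "waf-block-page":           (403, {"Content-Type": "text/html"}, HTML_PAGE),
    "gateway-html-409":         (409, {"Content-Type": "text/html; charset=utf-8"}, HTML_PAGE),
    "header-kept-body-swapped": (409, {"Content-Type": "application/json"}, HTML_PAGE),
    "wrong-schema":             (409, {"Content-Type": "application/json"},
                                 b'{"error": {"message": "User exists"}}'),
    "gzip-error":               (409, {"Content-Type": "application/json",
                                       "Content-Encoding": "gzip"}, gzip.compress(GOOD_BODY)),
}


def diagnose(samples=SAMPLES):
    """Map each sample name to the cause B2C would trip over."""
    return {name: classify(*resp)[0] for name, resp in samples.items()}


if __name__ == "__main__":
    for name, (status, headers, body) in SAMPLES.items():
        cause, detail = classify(status, headers, body)
        print(f"{name:26} {cause:18} {detail}")
```

Feed classify() the status, headers and raw body captured with Fiddler or curl against the Production hostname; the first non-"ok" cause is the layer to go and look at.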

Why This Happens in Real Systems

In modern distributed architectures, “Environment Parity” is often an illusion. This specific issue occurs because:

  • Infrastructure Divergence: QA environments are often “flatter” with fewer security layers. Production environments introduce Deep Packet Inspection (DPI), Load Balancers, and WAFs that act as “Man-in-the-Middle” entities.
  • Silent Failures in Orchestration: Identity Providers like B2C act as orchestrators. When an orchestrator calls a downstream service, it expects a specific contract. If the contract is broken by the network layer, the orchestrator treats the entire call as a Protocol Violation rather than a Business Logic Error.

Real-World Impact

  • User Attrition: Users attempting to register encounter “Something went wrong,” which is indistinguishable from a system outage. This leads to high drop-off rates during the most critical part of the user lifecycle.
  • Increased Support Load: Helpdesk tickets increase as users cannot self-correct (e.g., they don’t know their username is already taken).
  • Debugging Blind Spots: Without proper Correlation IDs passed through the gateway, engineers cannot easily link B2C failures to specific backend logs, leading to high Mean Time To Resolution (MTTR).

Example or Code (if necessary and relevant)

The REST API technical profile that the sign-up step references as a ValidationTechnicalProfile is shown below. Note that B2C does not map the error body through OutputClaims: on a 409 it expects the fixed JSON error contract (version, status, userMessage) under Content-Type application/json and displays userMessage; anything else produces AADB2C90075. The policy's job is to get the request right; the gateway's job is to leave that error body alone. The page's copy of this XML lost its tags during extraction, so the element structure and handler below are restored from the B2C schema; the Id is a placeholder and the claim mappings were not preserved.

```xml
<TechnicalProfile Id="REST-CreateUser">   <!-- Id not preserved on the page; placeholder -->
  <DisplayName>REST API for User Creation</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">https://api.production.com/v1/users</Item>
    <Item Key="AuthenticationType">ClientCertificate</Item>
    <Item Key="SendClaimsIn">Body</Item>
  </Metadata>
  <!-- ClientCertificate authentication also needs a <CryptographicKeys> entry with
       Id="ClientCertificate" pointing at the policy key; it was not preserved on the page. -->
  <InputClaims>
    <!-- claim-to-request-field mappings were not preserved on the page -->
  </InputClaims>
  <OutputClaims>
    <!-- claims read back from the 2xx JSON response were not preserved on the page;
         the 409 error body is NOT mapped here, B2C reads userMessage from it directly -->
  </OutputClaims>
</TechnicalProfile>
```
How Senior Engineers Fix It

A senior engineer approaches this by isolating the network layers and enforcing strict contracts:

  1. Trace the Payload: Reproduce the exact POST B2C makes (same path, method, body shape and Content-Type) against the Production hostname with Fiddler, Postman or curl, and compare the raw 409 response with what the API returns when called directly inside the network. Any difference in status, headers or body is the gateway's doing.
  2. Audit Gateway Headers and Error Pages: Configure the Production gateway/WAF to pass the backend's 409 through unchanged for this route: keep Content-Type: application/json and Content-Length, do not substitute a custom error page for 4xx responses, and do not compress the error body.
  3. Enable B2C Journey Logging: In a non-production copy of the policy set DeploymentMode="Development" and UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights" on TrustFrameworkPolicy, add a JourneyInsights element under UserJourneyBehaviors with the Application Insights instrumentation key, then query the traces table for the failing claims exchange; the recorded exception carries the HTTP status and reason B2C received. Setting the REST technical profile's DebugMode metadata item to true returns more detail about the error in the message shown.
  4. Return the Fixed Error Contract: Make the API answer a duplicate username with 409 Conflict and the version/status/userMessage JSON body. B2C reads only the keys named in OutputClaims from a success response and ignores extra metadata, so the parsing risk lives in the error body, not in unexpected extra fields.
  5. Propagate B2C's Correlation ID: The client application never sees the REST call (B2C makes it server-side), so pass B2C's own journey ID to the API as an input claim using the {Context:CorrelationId} claim resolver, and have the API log it and echo it back (e.g., in an X-Correlation-ID header). This links the B2C journey, the gateway access log and the backend log for the same failed sign-up.
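Steps 1, 2, 4 and 5 can be exercised together against a stand-in for the backend. The following is an added example (not code from the original article or from Microsoft): a minimal localhost API that returns the B2C error contract for a duplicate username and echoes a correlation ID, plus a probe that posts the body B2C sends with SendClaimsIn set to Body and reports whether the 409 survived the path intact. The username and correlationId field names, the /v1/users path and the X-Correlation-ID header are assumptions; pointing probe() at the Production URL instead of the local server shows what the gateway does to the same response.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

EXISTING_USERS = {"alice"}        # constructed sample data standing in for the user store


class UserApiHandler(BaseHTTPRequestHandler):
    """Stand-in for the user-creation API that B2C calls (assumed field names)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        claims = json.loads(self.rfile.read(length) or b"{}")
        # Assumed input claim carrying B2C's journey ID ({Context:CorrelationId} in the policy).
        corr = claims.get("correlationId", "")
        username = claims.get("username", "")
        if username in EXISTING_USERS:
            # The fixed shape B2C needs in order to show userMessage instead of AADB2C90075.
            self._reply(409, {"version": "1.0.0", "status": 409,
                              "userMessage": "That username is already taken.",
                              "developerMessage": "username exists in the directory"}, corr)
        else:
            self._reply(200, {"userId": "u-" + username}, corr)

    def _reply(self, status, payload, corr):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")   # exact media type B2C parses
        self.send_header("Content-Length", str(len(body)))
        if corr:
            self.send_header("X-Correlation-ID", corr)         # echoed so logs can be joined
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass   # keep the demo quiet


def probe(url, username, correlation_id):
    """Send the body B2C would send and report whether the 409 contract survived the path."""
    req = urllib.request.Request(
        url, method="POST",
        data=json.dumps({"username": username, "correlationId": correlation_id}).encode(),
        headers={"Content-Type": "application/json"})
    try:
        resp = urllib.request.urlopen(req, timeout=5)
    except urllib.error.HTTPError as err:
        resp = err                        # 4xx/5xx still carry headers and a readable body
    status = resp.code
    ctype = resp.headers.get("Content-Type", "")
    echoed = resp.headers.get("X-Correlation-ID") == correlation_id
    raw = resp.read()
    resp.close()
    try:
        payload = json.loads(raw)
    except ValueError:
        payload = {}                      # HTML block page or stripped body
    surfaceable = (status == 409 and ctype.startswith("application/json")
                   and all(k in payload for k in ("version", "status", "userMessage")))
    return {"status": status, "content_type": ctype, "correlation_echoed": echoed,
            "user_message": payload.get("userMessage"), "b2c_can_surface": surfaceable}


def run_demo():
    """Start the stand-in API on a free localhost port and probe it twice."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), UserApiHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}/v1/users"
    try:
        return {"duplicate": probe(url, "alice", "corr-0001"),
                "fresh": probe(url, "bob", "corr-0002")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run the same probe() once against the API's internal address and once against the public Production hostname; when b2c_can_surface flips from True to False between the two, the gateway is rewriting the error response, and the echoed correlation ID is the key to find the matching backend log line.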

Why Juniors Miss It

  • Focusing Only on Code: Juniors often assume the issue lies in the backend C# or Java logic, whereas the issue is actually in the Network/Infrastructure Contract.
  • Assuming Environment Parity: They assume that because the XML policy is identical in QA and PROD, the behavior must be identical, ignoring the Middleware/WAF layer.
  • Misinterpreting Error Codes: They treat AADB2C90075 as a business error (like “User Exists”) rather than a System/Parsing error (like “I couldn’t read the response from the server”).
