Is OIDC Publish tier supported by Azure ADB2C? | Community
Level 2
September 12, 2025
Question

Is OIDC Publish tier supported by Azure ADB2C?

  • September 12, 2025
  • 3 replies
  • 295 views

Hi everyone,

We are migrating our Azure AD B2C login systems, which are currently using SAML, to the OpenID Connect (OIDC) protocol. We came across this documentation: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/security/open-id-connect-support-for-aem-as-a-cloud-service-on-publish-tier?utm_source=chatgpt.com
and we are using it for our implementation.

The problem is that we are getting the following error:

Caused by: com.nimbusds.oauth2.sdk.GeneralException: The returned issuer doesn't match the expected: https://apexbrasilb2cdev.b2clogin.com/[my_tenant_id]/

even though we are setting the baseUrl correctly, as shown in the document:

"baseUrl": "https://apexbrasilb2cdev.b2clogin.com/[my_tenant_id]/[my_custom_policy]"


And the well-known configuration is located at:

https://apexbrasilb2cdev.b2clogin.com/[my_tenant_id]/[my_custom_policy]/v2.0/.well-known/openid-configuration


Inside the .well-known file, the issuer is defined as:

"issuer": "https://apexbrasilb2cdev.b2clogin.com/[my_tenant_id]/v2.0/"


My first question is whether this documentation and the native OIDC support for the publish tier works with Azure AD B2C (since the document only mentions Entra ID / Azure AD).

Second, what could be causing this error? Everything appears to be configured correctly.

3 replies

kautuk_sahni
Community Manager
September 16, 2025

@santoshsai @pranay_m @sureshdhulipudi @briankasingli @hrishikeshkagne @shubham_borole @a_h_m_imrul @rahulpandey27, when you get a chance, could you review this question? Your input would be greatly appreciated!


Kautuk Sahni
shiftsaas
Level 2
March 16, 2026

Yes, the native OIDC authentication handler in AEMaaCS works with external providers like Azure AD B2C, but the error you're seeing usually happens because the issuer returned in the OIDC metadata does not match the baseUrl expected by AEM.

In Azure AD B2C the issuer often looks like:

https://tenant.b2clogin.com/<tenant>/v2.0/

while the well-known configuration may be discovered using a policy path:

https://tenant.b2clogin.com/<tenant>/<policy>/v2.0/.well-known/openid-configuration

Because AEM validates the issuer strictly, this mismatch can trigger the error you posted.

AEM’s OIDC handler relies on the metadata discovery endpoint and expects the issuer to match the connection configuration exactly.

I documented the full AEM OIDC authentication flow and configuration (including metadata discovery and callback behavior) here: https://medium.com/@shiftsaas/implementing-id-me-openid-connect-oidc-with-aem-as-a-cloud-service-939c0b3e3553

AEM Developer | Technical Articles: https://medium.com/@shiftsaas
AmitVishwakarma
Community Advisor
March 18, 2026

Hi @thiagosilvagauge

1. Is Azure AD B2C supported on OIDC Publish?
Yes. The OIDC support on AEM as a Cloud Service Publish works with any standards-compliant OIDC provider, including Azure AD B2C. The doc uses Entra ID (Azure AD) as the main example, but the feature is not limited to it.
2. Why the "issuer doesn't match the expected" error?
The error: The returned issuer doesn't match the expected: https://apexbrasilb2cdev.b2clogin.com/[tenant]/
means the Nimbus OIDC client in AEM is enforcing the spec:
the issuer value in the discovery document must exactly match the issuer/baseUrl configured in AEM.
In your B2C .well-known doc you have:

"issuer": "https://apexbrasilb2cdev.b2clogin.com/[tenant]/v2.0/"

but AEM expects:

https://apexbrasilb2cdev.b2clogin.com/[tenant]/

So AEM's expected issuer and B2C's actual issuer differ by v2.0/, hence the exception.

3. What to change
In your OIDC connection config for Publish:

  • Set the issuer/base URL to exactly what B2C returns in the .well-known file, including v2.0/ and the trailing slash, e.g.:
    issuer / baseUrl = https://apexbrasilb2cdev.b2clogin.com/[tenant]/v2.0/

    Do not leave it as just .../[tenant]/ and do not add the policy here.

  • Use the policy only in the discovery URL, for example:

    discovery URL = https://apexbrasilb2cdev.b2clogin.com/[tenant]/[custom_policy]/v2.0/.well-known/openid-configuration

    AEM will read authorization_endpoint, token_endpoint, etc. from that document.

  • Redeploy the config (or restart the bundle) and retry login. The issuer check should then pass.

If you still see the same error after this, re-check that:

  • There is no extra slash or missing v2.0 in the configured issuer.
  • You're really using the same .well-known URL you inspected in the browser.
Amit Vishwakarma - Adobe Commerce Champion 2025 | 16x Adobe certified | 4x Adobe SME
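Added example (not code from this thread, from AEM or from the Nimbus SDK): a small Python relying-party check that reproduces the strict issuer comparison described in the answer above, using a constructed stand-in for the B2C discovery document with the thread's bracketed placeholders. It shows why `.../[tenant]/` fails against an issuer of `.../[tenant]/v2.0/` and also runs two sanity checks a relying party should make on fetched metadata; the endpoint URLs in the sample are assumed, not taken from the page.

```python
import json
from urllib.parse import urlsplit

# Constructed stand-in for the B2C discovery document quoted in the thread.
# Bracketed values are placeholders as in the original post; the endpoint
# paths below are assumptions for illustration only.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://apexbrasilb2cdev.b2clogin.com/[tenant]/v2.0/",
    "authorization_endpoint": "https://apexbrasilb2cdev.b2clogin.com/[tenant]/[custom_policy]/oauth2/v2.0/authorize",
    "token_endpoint": "https://apexbrasilb2cdev.b2clogin.com/[tenant]/[custom_policy]/oauth2/v2.0/token",
    "jwks_uri": "https://apexbrasilb2cdev.b2clogin.com/[tenant]/[custom_policy]/discovery/v2.0/keys",
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_issuer(expected_issuer, discovery_json):
    """Exact-string issuer comparison, as OIDC Discovery 1.0 section 4.3 requires.

    Returns (ok, detail). Trailing slashes and path segments are NOT normalised:
    that strictness is what stops a relying party from accepting metadata that
    belongs to a different issuer (issuer mix-up).
    """
    meta = json.loads(discovery_json)
    actual = meta.get("issuer")
    if actual is None:
        return False, "discovery document has no issuer"
    if actual != expected_issuer:
        return False, ("The returned issuer doesn't match the expected: "
                       f"{expected_issuer} (document says {actual})")
    return True, actual


def validate_discovery(expected_issuer, discovery_json):
    """Issuer check plus required-field and same-host/https checks on endpoints."""
    meta = json.loads(discovery_json)
    issuer_ok, detail = check_issuer(expected_issuer, discovery_json)
    missing = [k for k in REQUIRED if k not in meta]
    host = urlsplit(expected_issuer).netloc
    # Every endpoint must be https and sit on the issuer's own host.
    foreign = [k for k in REQUIRED[1:] if k in meta and
               (urlsplit(meta[k]).scheme != "https" or urlsplit(meta[k]).netloc != host)]
    return {"issuer_ok": issuer_ok, "detail": detail,
            "missing": missing, "foreign_endpoints": foreign}


if __name__ == "__main__":
    for cfg in ("https://apexbrasilb2cdev.b2clogin.com/[tenant]/",        # value that fails
                "https://apexbrasilb2cdev.b2clogin.com/[tenant]/v2.0/"):  # value B2C returns
        print(cfg, "->", validate_discovery(cfg, DISCOVERY_DOC))
```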