Microsoft Entra AD B2C, Epic Games and Riot Games as IDP

Tiago C 20 Reputation points
2024-11-27T14:44:39.23+00:00

Following the examples of the IDPs in this list https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-identity-provider, I have set up 4 different IDPs with custom policies.
Currently I am looking into setting up Riot Games and Epic Games; I noticed there is no official documentation on it.
Is there documentation on how to do the claim provider setup for IDPs that are not in the list?


1 answer

  1. James Hamil 27,191 Reputation points Microsoft Employee
    2024-11-27T20:51:05.8433333+00:00

    Hi @Tiago C, you can accomplish this with custom policies in Azure AD B2C.

    You'll need to register your application in the developer portals for Riot Games and Epic Games. Once you've done that, you'll get a Client ID, Client Secret, and the necessary endpoints for authorization and token.

    Next, you'll create a metadata file for each provider. This file will include all the details like your Client ID, Client Secret, and the endpoints you got earlier. Here's an example:

    <Metadata>
      <Item Key="ProviderName">riotgames</Item>
      <Item Key="client_id">Your_Riot_Games_Client_ID</Item>
      <Item Key="authorization_endpoint">https://auth.riotgames.com/authorize</Item>
      <Item Key="AccessTokenEndpoint">https://auth.riotgames.com/token</Item>
      <Item Key="ClaimsEndpoint">Your_Riot_Games_UserInfo_Endpoint</Item>
      <Item Key="scope">openid profile email</Item>
      <Item Key="HttpBinding">POST</Item>
    </Metadata>
    <!-- The client secret is not a Metadata item: upload it as a B2C policy key (name is yours to choose) and reference it from CryptographicKeys -->
    <CryptographicKeys>
      <Key Id="client_secret" StorageReferenceId="B2C_1A_RiotGamesClientSecret" />
    </CryptographicKeys>

    Then, you'll need to create custom policies. If you haven't already, you can grab a starter pack for custom policies from the Azure AD B2C GitHub repository. This pack includes base files like TrustFrameworkBase.xml, TrustFrameworkExtensions.xml, and SignUpOrSignIn.xml.

    In the TrustFrameworkExtensions.xml file, you'll define a technical profile for each new IDP. Here’s an example of what you might add for Riot Games:

    <TechnicalProfile Id="RiotGames-OAUTH">
      <DisplayName>Riot Games</DisplayName>
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="ProviderName">riotgames</Item>
        <Item Key="client_id">Your_Riot_Games_Client_ID</Item>
        <Item Key="authorization_endpoint">https://auth.riotgames.com/authorize</Item>
        <Item Key="AccessTokenEndpoint">https://auth.riotgames.com/token</Item>
        <Item Key="ClaimsEndpoint">Your_Riot_Games_UserInfo_Endpoint</Item>
        <Item Key="scope">openid profile email</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
      </Metadata>
      <!-- The secret is referenced from a B2C policy key, never written into the policy file -->
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_RiotGamesClientSecret" />
      </CryptographicKeys>
      <InputClaims />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="riotgames" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <!-- Starter-pack transformations that build the alternativeSecurityId the social-account journey keys on -->
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>

    After that, you’ll add a claims provider entry in the same TrustFrameworkExtensions.xml file:

    <ClaimsProvider>
      <DisplayName>Riot Games</DisplayName>
      <TechnicalProfiles>
        <!-- The full RiotGames-OAUTH technical profile shown above is defined here; an empty Id-only <TechnicalProfile /> is not a valid definition -->
      </TechnicalProfiles>
    </ClaimsProvider>

    You'll also need to reference the new IDP in your SignUpOrSignIn.xml file:

    <!-- Both fragments belong in the orchestration steps of the SignUpOrSignIn user journey -->
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <!-- Keep the starter pack's existing selections and add the Riot Games button -->
        <ClaimsProviderSelection TargetClaimsExchangeId="RiotGamesExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="RiotGamesExchange" TechnicalProfileReferenceId="RiotGames-OAUTH" />
      </ClaimsExchanges>
    </OrchestrationStep>

    Once you’ve got all that set up, deploy the custom policies through the Azure portal. Then, you can test the sign-in and sign-up processes to make sure users can authenticate using Riot Games and Epic Games.

    If you need more detailed guidance, you can always check out the Azure AD B2C custom policy documentation and sample repositories on GitHub. They have some great examples to help you get started.

    Please let me know if you have any questions and I can help you further. If this answer helps you please mark "Accept Answer" so other users can reference it. Thank you, James
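A pre-deploy check for the policy structure described in the answer, added here as an example; it is not part of the answer, the B2C starter pack, or any Microsoft tool. It assumes only the Python standard library, the B2C policy XML namespace, and a constructed sample policy that repeats the answer's profile shape; the set of required OAuth2 metadata keys is my reading of the B2C OAuth2 technical profile reference.

```python
"""Pre-deploy lint for an Azure AD B2C policy file: flags a client_secret placed in
<Metadata> instead of <CryptographicKeys>, missing OAuth2 metadata keys, and a
ClaimsProviderSelection whose TargetClaimsExchangeId matches no ClaimsExchange."""
import xml.etree.ElementTree as ET

B2C_NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
NS = {"tf": B2C_NS}
# Keys the B2C OAuth2 protocol handler needs (assumption, taken from the B2C technical profile reference)
REQUIRED_OAUTH2_KEYS = {"client_id", "authorization_endpoint", "AccessTokenEndpoint", "ClaimsEndpoint"}

# Constructed sample in the shape of the answer's profile: secret in Metadata, token_endpoint key
SAMPLE_POLICY = f"""<TrustFrameworkPolicy xmlns="{B2C_NS}">
 <ClaimsProviders><ClaimsProvider><DisplayName>Riot Games</DisplayName><TechnicalProfiles>
  <TechnicalProfile Id="RiotGames-OAUTH"><Protocol Name="OAuth2"/><Metadata>
   <Item Key="client_id">Your_Riot_Games_Client_ID</Item>
   <Item Key="client_secret">Your_Riot_Games_Client_Secret</Item>
   <Item Key="authorization_endpoint">https://auth.riotgames.com/authorize</Item>
   <Item Key="token_endpoint">https://auth.riotgames.com/token</Item>
  </Metadata></TechnicalProfile></TechnicalProfiles></ClaimsProvider></ClaimsProviders>
 <UserJourneys><UserJourney Id="SignUpOrSignIn"><OrchestrationSteps>
  <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp"><ClaimsProviderSelections>
   <ClaimsProviderSelection TargetClaimsExchangeId="RiotGamesExchange"/>
  </ClaimsProviderSelections></OrchestrationStep>
  <OrchestrationStep Order="2" Type="ClaimsExchange"><ClaimsExchanges>
   <ClaimsExchange Id="RiotGames-Exchange" TechnicalProfileReferenceId="RiotGames-OAUTH"/>
  </ClaimsExchanges></OrchestrationStep>
 </OrchestrationSteps></UserJourney></UserJourneys></TrustFrameworkPolicy>"""

def lint_policy(xml_text: str) -> list[str]:
    """Return findings for one policy file, in document order; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    for tp in root.iter(f"{{{B2C_NS}}}TechnicalProfile"):
        tp_id, proto = tp.get("Id"), tp.find("tf:Protocol", NS)
        if proto is None:
            continue  # an Id-only <TechnicalProfile> is a reference, not a definition
        keys = {item.get("Key") for item in tp.findall("tf:Metadata/tf:Item", NS)}
        if "client_secret" in keys:  # secrets belong in policy keys, never in the policy file
            findings.append(f"{tp_id}: client_secret in Metadata; use CryptographicKeys")
        if proto.get("Name") == "OAuth2":
            for key in sorted(REQUIRED_OAUTH2_KEYS - keys):
                findings.append(f"{tp_id}: missing OAuth2 metadata key {key}")
            if tp.find("tf:CryptographicKeys/tf:Key[@Id='client_secret']", NS) is None:
                findings.append(f"{tp_id}: no CryptographicKeys reference for client_secret")
    exchange_ids = {ex.get("Id") for ex in root.iter(f"{{{B2C_NS}}}ClaimsExchange")}
    for sel in root.iter(f"{{{B2C_NS}}}ClaimsProviderSelection"):
        target = sel.get("TargetClaimsExchangeId")
        if target and target not in exchange_ids:
            findings.append(f"ClaimsProviderSelection targets unknown ClaimsExchange {target}")
    return findings
```

A profile in TrustFrameworkExtensions that only overrides a key already defined in TrustFrameworkBase will be reported as missing the rest, so run the lint on the file that fully defines the profile.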

