Different standard user flows in an Azure AD B2C tenant (sign-in, sign-up, password reset, profile edit, etc.) expose separate OpenID Connect metadata endpoints and jwks_uri values that include the user flow name in the URL. For example, a sign-in flow b2c_1_sign_in has its own metadata document and corresponding jwks_uri:
https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_sign_in/v2.0/.well-known/openid-configuration
...
https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_sign_in/discovery/v2.0/keys
These endpoints are per–user flow so that each flow has its own configuration document, but within a tenant they resolve to the same underlying signing key material for validating ID tokens. The user flow name is used for discovery and configuration (and is also present in the acr claim of the token), not to indicate a different signing key per flow.
This behavior is consistent with the documented model: there is a JSON metadata document for each user flow, and applications determine which metadata (and thus which jwks_uri) to use based on the user flow that issued the token, but token validation is performed against the tenant’s signing keys, which are shared across flows.
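The lookup described above, as an added example that is not part of the original answer or of any Microsoft code: the validator allowlists the flow named in the token's acr claim, builds that flow's jwks_uri from its own configuration, and selects the key by kid. The flow name b2c_1_password_reset, the kid and key values, and the in-memory dictionary standing in for the HTTPS fetch are assumptions constructed for the example.

```python
import base64
import json

TENANT = "fabrikamb2c"  # tenant from the URLs above
ALLOWED_FLOWS = {"b2c_1_sign_in", "b2c_1_password_reset"}  # second name is assumed

def _seg(obj):
    """Encode a dict as one unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def _unseg(seg):
    """Decode one JWT segment; this parses only, it verifies nothing."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def discovery_urls(flow):
    """Per-flow metadata URL and jwks_uri, built from config after an allowlist check."""
    flow = flow.lower()
    if flow not in ALLOWED_FLOWS:
        raise ValueError(f"unexpected user flow: {flow!r}")
    base = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{flow}"
    return f"{base}/v2.0/.well-known/openid-configuration", f"{base}/discovery/v2.0/keys"

def select_key(token, jwks_by_uri):
    """Flow comes from the acr claim, the key from that flow's JWKS by kid."""
    header_b64, payload_b64, _signature = token.split(".")
    header, claims = _unseg(header_b64), _unseg(payload_b64)
    _, jwks_uri = discovery_urls(claims["acr"])
    for jwk in jwks_by_uri[jwks_uri]["keys"]:
        if jwk["kid"] == header["kid"]:
            return jwk  # hand this to a JWT library to verify the signature
    raise KeyError(f"kid {header['kid']!r} not published at {jwks_uri}")

def shared_kids(jwks_by_uri):
    """Key IDs that every fetched jwks_uri publishes."""
    return set.intersection(*({k["kid"] for k in doc["keys"]} for doc in jwks_by_uri.values()))

# Constructed JWKS documents standing in for the HTTPS responses of each jwks_uri.
KEY = {"kid": "constructed-kid-1", "kty": "RSA", "use": "sig", "n": "constructed", "e": "AQAB"}
JWKS = {discovery_urls(f)[1]: {"keys": [dict(KEY)]} for f in sorted(ALLOWED_FLOWS)}
# Constructed unsigned token; only its header and acr claim matter here.
TOKEN = ".".join([_seg({"alg": "RS256", "kid": "constructed-kid-1"}),
                  _seg({"acr": "b2c_1_sign_in"}), "constructed-signature"])

if __name__ == "__main__":
    print(select_key(TOKEN, JWKS)["kid"], shared_kids(JWKS))
```

Because the acr value is read before the signature is checked, the allowlist is what keeps an unexpected flow name from steering the validator to a different discovery URL.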