Germán Svriz

Reputation: 199

Azure B2C Custom Policies: Invalid Request, client secret error

I have an Azure B2C Custom Policy to sign up. And when I try to get a refresh token I receive this error:

{"error":"invalid_request","error_description":"AADB2C90079: Clients must send a client_secret when redeeming a confidential grant.\r\nCorrelation ID: 776e4226-467b-4648-b7f7-a9c09715fd68\r\nTimestamp: 2017-10-31 21:12:56Z\r\n"}

I'm logging in using this url:

https://login.microsoftonline.com/<MyTenant>.onmicrosoft.com/oauth2/authorize?
p=B2C_1A_signup_signin
&client_id=<MyB2CAppID>
&nonce=defaultNonce
&redirect_uri=http%3A%2F%2Flocalhost%3A4200
&scope=openid+offline_access
&response_type=code
&prompt=login

With the code obtained from the previous url I try to get the access token with this url:

https://login.<MyTenant>.com/exob2ctest.onmicrosoft.com/oauth2/v2.0/token?
p=B2C_1A_signup_signin
&grant_type=authorization_code
&client_id=<MyB2CAppID>
&redirect_uri=urn:ietf:wg:oauth:2.0:oo
&code=<MyCode>
&scope=openid%20offline_access
&client_secret=<MyB2CAppSecret>

After that I'm receiving the error. For the client_secret parameter I'm using the key generated on the B2C application referenced in client_id. When I tried this with built-in policies I got the refresh token without problems. Could something be missing in my custom policies?

Thanks in advance!

Upvotes: 1

Views: 2989

Answers (1)

Saca

Reputation: 10656

You need to send your request to the /token endpoint as a POST request with the policy parameter as a query string parameter and the rest in the x-www-form-urlencoded body.

Upvotes: 2
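The request shape the answer describes, as an added example (not code from the question or the answer): only `p` goes in the query string and everything else, including `client_secret`, is form-encoded in the POST body, which also keeps the secret out of URL logs. The token URL layout is assumed from the URLs in the question, the function names are hypothetical, and every identifier is a constructed placeholder.

```python
from urllib.parse import urlencode, urlsplit, parse_qs
from urllib.request import Request

# Assumption: host and path follow the URLs shown in the question.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}.onmicrosoft.com/oauth2/v2.0/token"


def build_token_request(tenant, policy, client_id, client_secret, code, redirect_uri):
    """Build (without sending) the code-redemption request: policy in the
    query string, every other parameter form-encoded in the POST body."""
    url = TOKEN_URL.format(tenant=tenant) + "?" + urlencode({"p": policy})
    form = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,  # body only, never in the URL
        "code": code,
        "redirect_uri": redirect_uri,    # same value as in the authorize request
        "scope": "openid offline_access",
    }
    return Request(
        url,
        data=urlencode(form).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def describe(req):
    """Split a Request into method, query parameters and body parameters."""
    query = parse_qs(urlsplit(req.full_url).query)
    body = parse_qs(req.data.decode("ascii"))
    return req.get_method(), query, body


if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers.
    req = build_token_request(
        "example-tenant", "B2C_1A_signup_signin", "app-id-placeholder",
        "secret-placeholder", "code-placeholder", "http://localhost:4200",
    )
    method, query, body = describe(req)
    print(method, req.full_url)
    print("query keys:", sorted(query))
    print("body keys: ", sorted(body))
    # To send it: urllib.request.urlopen(req) and parse the JSON response.
```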
