Tim

Reputation: 4823

Azure B2C: Microsoft Graph API - InvalidAuthenticationToken

I'm trying to call /me on the Microsoft Graph API after logging into an Azure B2C Active Directory from iOS.

Using the sample application at: https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msa I've replaced the constants such that sign-up and sign-in work. I've set the kGraphURI to https://graph.microsoft.com/v1.0/me. The code looks like this:

let kTenantName = "mytenant.onmicrosoft.com"
let kAuthorityHostName = "mytenant.b2clogin.com"
let kClientID = "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
let kSignupOrSigninPolicy = "B2C_1A_signup_signin"
let kGraphURI = "https://graph.microsoft.com/v1.0/me"
let kScopes: [String] = ["https://mytenant.onmicrosoft.com/api/user_impersonation"]

The value for kScopes is set to the only API my application has available, which was created as part of the instructions for setting up user policies.

When I try to call https://graph.microsoft.com/v1.0/me I get back:

{ "error": { "code": "InvalidAuthenticationToken", "message": "Access token validation failure.", "innerError": { "request-id": "e923673f-25cb-44be-b3b9-94eda660d4f6", "date": "2020-02-11T08:31:24" } } }

If I try to set kScopes to https://graph.microsoft.com/User.Read I get an error:

Could not acquire token: Error Domain=MSALErrorDomain Code=-50000 "(null)" UserInfo={MSALErrorDescriptionKey=Authentication response received without expected accessToken, MSALInternalErrorCodeKey=-42008, MSALCorrelationIDKey=FFCCD1D4-F0C8-46E6-85B2-A5642F1D4E1D}

How do I call the /me Microsoft Graph API with an access token from Azure B2C Active Directory?

Upvotes: 1

Views: 2085

Answers (1)

Jas Suri - MSFT

Reputation: 11335

You cannot use the Azure AD B2C issued access tokens to call Azure AD or Microsoft Graph API. You must have the user call your API, and your API needs to use client_credentials to obtain a token for Graph API using the Azure AD token endpoint of your B2C directory. Then the API can query Graph API for the user and return the result.

Azure AD B2C access tokens can only be used to access your own protected resources.

Upvotes: 6
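The pattern the answer describes, as an added example (not code from the question, the answer, or the Azure sample): the user presents their B2C access token to your own API; the API checks the token is addressed to it, reads the user's object id (oid), obtains its own Graph token with the client_credentials grant against the B2C directory's Azure AD token endpoint, and then queries Graph for that user. The tenant name comes from the question; the API app id and client secret are placeholders, the HTTP transport is injected so the block runs offline, and signature verification of the B2C token is assumed to be done by the API's bearer-token middleware (the function below only checks claims).

```python
import base64
import json
import time
from typing import Any, Callable, Dict, Optional, Tuple

# Tenant from the question; the other two are placeholders for the API's own
# app registration (the one granted Graph application permissions), not the
# iOS client's kClientID.
TENANT = "mytenant.onmicrosoft.com"
API_APP_ID = "<api-app-registration-id-placeholder>"
API_CLIENT_SECRET = "<api-client-secret-placeholder>"

# Azure AD token endpoint of the B2C directory (used for client_credentials)
# and the Graph endpoint the API calls on the user's behalf.
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
GRAPH_USERS = "https://graph.microsoft.com/v1.0/users/"

HttpPost = Callable[[str, Dict[str, str]], Dict[str, Any]]
HttpGet = Callable[[str, Dict[str, str]], Dict[str, Any]]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def user_oid_from_b2c_token(token: str, expected_audience: str,
                            now: Optional[float] = None) -> str:
    """Return the oid claim of the B2C token the user sent to OUR api.

    Assumption: the signature was already verified by the bearer-token
    middleware against the B2C policy's JWKS. This only refuses tokens that
    are not addressed to this API or have expired.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("aud") != expected_audience:
        raise ValueError("token was not issued for this API")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims["oid"]


def acquire_graph_token(post: HttpPost) -> str:
    """client_credentials grant: the API's own identity, never the user's B2C token."""
    form = {
        "grant_type": "client_credentials",
        "client_id": API_APP_ID,
        "client_secret": API_CLIENT_SECRET,
        "scope": GRAPH_SCOPE,
    }
    return post(TOKEN_ENDPOINT, form)["access_token"]


def lookup_user(oid: str, graph_token: str, get: HttpGet) -> Dict[str, Any]:
    """Query Graph for the user identified by the oid taken from the B2C token."""
    return get(GRAPH_USERS + oid, {"Authorization": f"Bearer {graph_token}"})


def me_handler(user_token: str, post: HttpPost, get: HttpGet,
               now: Optional[float] = None) -> Dict[str, Any]:
    """What the API's /me route does: B2C token in, Graph user object out."""
    oid = user_oid_from_b2c_token(user_token, API_APP_ID, now)
    return lookup_user(oid, acquire_graph_token(post), get)


# --- constructed test fixtures (no network, no real signature) -------------

def make_constructed_token(claims: Dict[str, Any]) -> str:
    """Unsigned JWT-shaped string for local testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


def constructed_transport() -> Tuple[HttpPost, HttpGet]:
    """Fake HTTP layer that checks the two calls are shaped as Azure expects."""
    def post(url: str, form: Dict[str, str]) -> Dict[str, Any]:
        assert url == TOKEN_ENDPOINT and form["grant_type"] == "client_credentials"
        assert form["scope"] == GRAPH_SCOPE
        return {"access_token": "constructed-graph-token", "token_type": "Bearer"}

    def get(url: str, headers: Dict[str, str]) -> Dict[str, Any]:
        assert url.startswith(GRAPH_USERS)
        assert headers["Authorization"] == "Bearer constructed-graph-token"
        return {"id": url[len(GRAPH_USERS):], "displayName": "Constructed User"}
    return post, get


def demo() -> Dict[str, Any]:
    token = make_constructed_token({"aud": API_APP_ID, "oid": "0000-oid-constructed",
                                    "exp": 4102444800})
    post, get = constructed_transport()
    return me_handler(token, post, get, now=1_600_000_000)


if __name__ == "__main__":
    print(demo())
```

In a real deployment `post` and `get` would be thin wrappers around an HTTP client, and the API's bearer-token middleware (for example MSAL's or the web framework's JWT validation) would verify the signature before `user_oid_from_b2c_token` runs; the point the answer makes is that the Graph call is authenticated with the API's own application credentials, so the client secret stays on the server and the iOS app never holds a Graph token.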
