Johny Serpa

Reputation: 155

Azure ADB2C request token for service

Context

I understand Azure AD B2C has a limitation on the OAuth2 client_credentials flow, but I've seen that it is possible to request the token against the AD instead of AD B2C.

From what I understand, this is a change to the authority domain, so instead of using:

https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token

We should use:

https://login.microsoftonline.com/032bba1a-4a23-41d0-8713-69ad1a38cf69/oauth2/v2.0/token

Problem

My problem is that if I add a scope to it, like https://graph.microsoft.com/openid/.default or another one from a different application (which is the one I intend to use), https://{tenant}.onmicrosoft.com/backendtestapi/api/.default, I get this error:

AADSTS500011: The resource principal named https://graph.microsoft.com/openid was not found in the tenant named xxxxx-xxxxx-xxxxx-xxxxx. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant

I'm not understanding why there's an error if I request these scopes. Can anyone enlighten me please?

Thanks a lot!

Upvotes: 0

Views: 396

Answers (1)

Allen Wu

Reputation: 16438

Please note that Microsoft Graph is the official API whose scope has a fixed writing format https://graph.microsoft.com/.default for V2.0.

Changing https://graph.microsoft.com/openid/.default to https://graph.microsoft.com/.default can resolve this issue and you will get an access token for calling Microsoft Graph API.

If you have your own custom Web API which requires the client credentials flow, you should expose the API in your API app registration by following Exposing application permissions (app roles). And then configure the application permission in your client app registration by following Add permissions to access your web API.

After that you could get the scope format. Typically it's api://{app id of the API app registration}/.default. If you customize the Application ID URI of API app registration as https://{tenant}.onmicrosoft.com/backendtestapi/api/, then the scope should be https://{tenant}.onmicrosoft.com/backendtestapi/api/.default.

But there is an important thing you need to understand. It's that since client credentials flow issues an application token without user, it has nothing to do with B2C authentication in this case. In other words, you just 'borrow' the B2C tenant to create the app registration. B2C is not used for identity authentication.

BTW, application permission usually requires admin consent. Don't forget to click on "Grant admin consent for {your tenant}" on client app registration or use the adminconsent endpoint to do it.

Upvotes: 1
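As an added example (not part of the question or of this answer), the Python script below assembles a client_credentials request against the login.microsoftonline.com v2.0 token endpoint described above, shows which string AADSTS500011 is actually looking up (everything before `/.default`), and inspects an issued token for the `roles` claim that a consented application permission produces. The tenant ID, client ID, client secret and Application ID URI are hypothetical placeholders; the error response and the token are constructed inline so the script runs offline, and the token inspection deliberately does not verify a signature.

```python
"""Client-credentials token request against an Azure AD / AD B2C tenant.

Added example. Tenant, client and API identifiers are hypothetical placeholders;
the error document and JWT used in the demo are constructed, not captured.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# The AAD authority, not https://{tenant}.b2clogin.com/... : client_credentials
# bypasses B2C user-flow policies entirely.
AUTHORITY = "https://login.microsoftonline.com"

SCOPE_SUFFIX = "/.default"


def resource_from_scope(scope):
    """Return the resource principal AAD looks up for a `.default` scope.

    AADSTS500011 names exactly this prefix: https://graph.microsoft.com/openid/.default
    makes AAD search for a resource called https://graph.microsoft.com/openid,
    which is not registered in any tenant. Only https://graph.microsoft.com is.
    """
    if not scope.endswith(SCOPE_SUFFIX):
        raise ValueError("client_credentials on the v2.0 endpoint needs a /.default scope")
    return scope[: -len(SCOPE_SUFFIX)]


def build_token_request(tenant_id, client_id, client_secret, resource):
    """Return (url, form_body) for a v2.0 client_credentials request.

    `resource` is the bare resource identifier: https://graph.microsoft.com or the
    API's Application ID URI (api://{app id} or a custom URI). The scope is always
    `<resource>/.default`; a trailing slash on the URI is normalised away.
    """
    resource = resource.rstrip("/")
    if resource.endswith(SCOPE_SUFFIX):
        raise ValueError("pass the resource identifier, not a scope")
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{resource}{SCOPE_SUFFIX}",
    }
    return url, body


def request_token(url, body, opener=urllib.request.urlopen):
    """POST the form body; AAD answers 400 with a JSON error document, so return that too."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(body).encode(), method="POST")
    try:
        with opener(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def diagnose(response):
    """Classify a token-endpoint response: ok, resource-not-found, or the raw error string."""
    if "access_token" in response:
        return "ok"
    if 500011 in response.get("error_codes", []):
        return "resource-not-found"  # the scope's prefix is not a registered resource/app
    return response.get("error", "unknown")


def jwt_claims(token):
    """Decode a JWT payload for inspection only; no signature verification is done here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_app_token(token, expected_aud):
    """Return a list of problems with an application token (empty list means it looks right).

    An app-only token carries `roles` (the app roles exposed on the API and granted with
    admin consent) and never `scp`; a missing `roles` claim is the usual sign that
    "Grant admin consent" was skipped.
    """
    claims = jwt_claims(token)
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append(f"aud is {claims.get('aud')!r}, expected {expected_aud!r}")
    if "scp" in claims:
        problems.append("scp present: this is a delegated user token, not an app token")
    if not claims.get("roles"):
        problems.append("no roles claim: application permission not granted or not consented")
    return problems


def _unsigned_jwt(claims):
    """Build a constructed, unsigned (alg=none) JWT for the offline demo; not a real token."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed error document in the shape AAD returns for AADSTS500011.
SAMPLE_ERROR_RESPONSE = {
    "error": "invalid_resource",
    "error_description": "AADSTS500011: The resource principal named "
                         "https://graph.microsoft.com/openid was not found in the tenant ...",
    "error_codes": [500011],
}

if __name__ == "__main__":
    bad_scope = "https://graph.microsoft.com/openid/.default"
    print("AAD looks for resource:", resource_from_scope(bad_scope))
    print("classified as:", diagnose(SAMPLE_ERROR_RESPONSE))
    api_uri = "https://contoso.onmicrosoft.com/backendtestapi/api/"  # hypothetical
    url, body = build_token_request("00000000-0000-0000-0000-000000000000", "client-id", "secret", api_uri)
    print(url, body["scope"])
    demo = _unsigned_jwt({"aud": "api-client-id", "roles": ["Backend.Read.All"]})
    print("token problems:", check_app_token(demo, "api-client-id"))
```

`request_token` is the only function that touches the network; everything else is pure and can be dropped into a test suite. Compare `expected_aud` against whatever your API registration is configured to accept (the client ID for v2 tokens, or the Application ID URI for v1-style tokens), since that differs per registration.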
