12

I’ve implemented Azure B2C for user login/logout and can get the id_token and pass it to my web API for authorization, all works well. Now, I have some Web API methods that should be only accessed by the client web application (ASP.NET 4.6) which means OAuth 2.0 "client credentials grant". I’ve done a lot of research and the closest I could find is this quick-start which uses ADAL in a B2C application to call Graph API.

I followed along and got to the point where I’m trying to get the client access token as in the below code. However, no matter what I pass to the AcquireToken method as the resource, I keep getting an error that the application name I’m passing doesn’t exist in the tenant. I’m actually not sure what I should pass, since in the B2C world you do not register your Web API as an application but rather you have one application ID for all your apps.

Is the above scenario supported, and how can I do it?

    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Threading.Tasks;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    public async Task<string> SendGraphGetRequest(string api, string query)
    {
        // First, use ADAL to acquire a token by using the app's identity (the credential)
        // The first parameter is the resource we want an access_token for; in this case, the Graph API.
        //*** In my case I want to replace the graph API URL with my own WebAPI
        AuthenticationResult result = authContext.AcquireToken("https://graph.windows.net", credential);

        // Send the GET with the app token as a bearer token and return the response body
        var request = new HttpRequestMessage(HttpMethod.Get, api + query);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        return await (await new HttpClient().SendAsync(request)).Content.ReadAsStringAsync();
    }
zaid safadi
  • 709
  • 7
  • 14
  • 1
    Possible duplicate of [headless authentication Azure AD b2c](https://stackoverflow.com/questions/35072371/headless-authentication-azure-ad-b2c) – spottedmahn Feb 28 '18 at 17:11

4 Answers

8

See this link that describes the Azure Active Directory B2C limitations. The quick-start you referenced is using the client credentials grant, which is not yet supported in Azure AD B2C.

Under the section Daemons / server-side applications it reads:

"Applications that contain long-running processes or that operate without the presence of a user also need a way to access secured resources, such as Web APIs. These applications can authenticate and get tokens by using the application's identity (rather than a consumer's delegated identity) in the OAuth 2.0 client credentials flow. This flow is not yet available in Azure AD B2C, so for now, applications can get tokens only after an interactive consumer sign-in flow has occurred."

I believe this feature (oauth client credentials grant type support) is on the B2C roadmap and when it is released, the steps in that quick start should work.

spottedmahn
  • 14,823
  • 13
  • 108
  • 178
anderly
  • 727
  • 7
  • 16
  • Thanks @anderly for providing the link which confirms this workflow is not supported yet in Azure B2C – zaid safadi Jan 24 '17 at 21:19
  • Sure thing. I know it's confusing because they have a quick start sample like it should work. My guess is it is probably coming soon. I'm looking forward to it as well. – anderly Jan 24 '17 at 23:20
7

It is a well-documented limitation; I have created a User Voice request on the feedback portal.

You can vote for it and wait for the Development Team to implement it.

5

It is now possible to use the OAuth2 Client Credentials grant type with Azure AD B2C.

Although the OAuth 2.0 client credentials grant flow is not currently directly supported by the Azure AD B2C authentication service, you can set up the client credentials flow using Azure AD and the Microsoft identity platform /token endpoint for an application in your Azure AD B2C tenant. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants.

Here is a sample curl request:

    curl --location --request POST 'https://login.microsoftonline.com/{client-id-of-app-registered-in-b2c}/oauth2/v2.0/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --header 'Cookie: x-ms-gateway-slice=prod; stsservicecookie=ests; fpc=AmqL7OwikMNGgdpvjdkb0OLnguDtAQAAABl14NYOAAAAd_wwNgEAAABCeeDWDgAAAA' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode 'client_secret={secret-of-app}' \
    --data-urlencode 'client_id={client-id-of-app-registered-in-b2c}' \
    --data-urlencode 'scope=https://graph.microsoft.com/.default'

Note that the parameters are encoded in the body.

Tai Bo
  • 321
  • 4
  • 8
  • I don't think this works. If you put a client_id of the app registration into the URL, Azure will tell you it doesn't know which tenant you're asking about. – Ryan D Oct 13 '21 at 20:25
  • There is no need to urlencode everything. Just use it for data with special characters, like '&' and similar – Baked Inhalf Nov 04 '21 at 13:37
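As an added example that is not part of this answer (and not Microsoft's code), the Python below builds the same client credentials request the curl command sends, with the parameters form-encoded in the body, and then shows the checks a web API should run on the returned access token before treating the caller as the trusted web application: audience, issuer, validity window, the calling app's client id in `azp`, and the absence of a delegated `scp` claim. The token endpoint, client id, secret and claim values are constructed placeholders, the sample token carries a placeholder signature so it can be parsed offline, and the `azp`/`scp` discriminator assumes v2.0-style access tokens.

```python
# Added example: client credentials request body + app-only token checks.
# Not code from the question or any answer; all identifiers are placeholders.
import base64
import json
import time
from urllib.parse import urlencode


def build_token_request(token_endpoint, client_id, client_secret, scope):
    """Return (url, headers, body) for an OAuth 2.0 client credentials grant.

    The parameters travel in an application/x-www-form-urlencoded body, not
    the query string, so the secret stays out of proxy and access logs.
    urlencode escapes '&', '+' and '=' inside the secret for us.
    """
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return token_endpoint, headers, body


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(claims):
    """Constructed test token: header.payload.<placeholder signature>.

    Real tokens are RS256-signed by the tenant; this one exists only so the
    claim checks below have something to parse without network access.
    """
    header = {"typ": "JWT", "alg": "RS256", "kid": "placeholder-kid"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        "placeholder-signature",
    ])


def decode_jwt_claims(token):
    """Split a compact JWT into (header, claims) WITHOUT verifying the signature.

    Signature verification against the tenant's published signing keys must
    happen before any claim returned here is trusted; this only makes the
    claims readable.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_app_only_token(claims, expected_aud, expected_iss, expected_client_id, now=None):
    """Return the reasons to reject an app-only token (empty list = accept).

    An API meant to be called only by the web application must pin the
    audience and the calling application, not just check expiry: the v2.0
    endpoint puts the caller's client id in 'azp', and a token obtained via
    client credentials carries no delegated 'scp' claim.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append("audience mismatch")
    if claims.get("iss") != expected_iss:
        problems.append("issuer mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    if claims.get("nbf", 0) > now:
        problems.append("not yet valid")
    if claims.get("azp") != expected_client_id:
        problems.append("azp is not the expected client application")
    if "scp" in claims:
        problems.append("delegated token presented where an app-only token is required")
    return problems


if __name__ == "__main__":
    url, hdrs, body = build_token_request(
        "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token",  # placeholder
        "app-client-id", "s&cret+1", "https://graph.microsoft.com/.default")
    print(url, hdrs, body, sep="\n")
    now = 1_700_000_000
    claims = {"aud": "api://my-web-api", "iss": "https://login.microsoftonline.com/{tid}/v2.0",
              "exp": now + 3600, "nbf": now - 60, "azp": "app-client-id", "roles": ["Api.Call"]}
    _, decoded = decode_jwt_claims(make_sample_jwt(claims))
    print(check_app_only_token(decoded, "api://my-web-api", claims["iss"], "app-client-id", now=now))
```

The `check_app_only_token` list is deliberately a list rather than a boolean so the API can log every reason a token was refused; in production, run it only after the signature has been verified against the tenant's JWKS, since unverified claims prove nothing.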
1

It looks like the Client Credentials flow is now available in B2C without going back to the AAD endpoint. This makes life way easier.

Michael
  • 81
  • 1
  • 3