21

How can I request an Access Token in Postman against an Azure AD B2C tenant?

[Screenshot: Postman "Get New Access Token" dialog]


I tried taking the url from Run Now in the Azure portal and putting that in the Auth Url but that produces the following error:

[Screenshot: Azure AD B2C error page]


Update

Following Chris's answer, I'm now past the above error. I'm able to sign-in but still can't get an access token:

AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again. Correlation ID: 45c56d47-4739-465f-8e02-49ba5b3a1b86 Timestamp: 2017-11-16 15:27:52Z

spottedmahn
  • "AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again." Azure AD B2C returns this error message if the client secret has expired. And possibly for many other reasons, but it is one thing to check. – Lars Christian Jensen Jun 29 '21 at 13:18

6 Answers

20

Using @Chris Padgett's answer, I was able to get it working using the Implicit Grant Type (couldn't get it working w/ Authorization Code Grant Type).


Grant Type: Implicit

Callback URL: any URL defined in my B2C app

Auth URL: https://{tenant}.b2clogin.com/te/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize

Client ID: Application ID from my B2C app

Scope: https://{tenant}.onmicrosoft.com/{web api app id uri}/{scope name}

Client Authentication: Either one, it didn't matter

spottedmahn
  • Hey, I just wanted to say thanks for documenting all the hard yards with this B2C stuff - everywhere I look for answers I see spottedmahn has already asked the question, done the research and got an answer, usually with success! It's been very useful, far better than trying to figure out Microsoft's (usually) out of date docs on the subject. Kudos. – pcdev Feb 14 '18 at 04:26
  • Hey @pcdev - you're welcome! It takes a community, right! BTW, I tried looking for you on Twitter as not bloat the SO comments. Your comment made my day! Thanks!! – spottedmahn Mar 09 '18 at 14:50
  • Has anyone got this working where the API that you're trying to test with Postman is served up by Azure Functions? I've got the spottedmahn/Microsoft approach working for an ASP.NET MVC app but it's not working on an Azure Function App which uses the same Azure B2C tenant. I'm going to post a separate question for that .... – ubienewbie Mar 15 '18 at 14:28
  • Hi @ubienewbie - did you post that follow-up question? If so, can you share the link? Thanks – spottedmahn Dec 07 '18 at 21:41
  • @spottedmahn: https://stackoverflow.com/questions/49304238/request-access-token-in-postman-for-azure-function-app-protected-by-azure-ad-b2c - cheers! – ubienewbie Dec 07 '18 at 23:49
  • But wanted to mention that I've opened 2 documentation issues @MS related to that: "Documentation "Azure Active Directory B2C: OAuth 2.0 authorization code flow" not in sync with "Use Postman to get a token and test the API"" - https://github.com/aspnet/Docs/issues/10335 - https://github.com/MicrosoftDocs/azure-docs/issues/22164 Furthermore I've recorded an issue regarding "B2C quick-start/tutorial implementation not correct aligned with Set redirect URLs to b2clogin.com for Azure Active Directory B2C" - https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi/issues/48 - – becke-ch Jan 11 '19 at 08:17
7

Getting this setup was a bit of a headache. Here's what I stitched together from the answers in this thread, updated to take advantage of Postman's Grant Type: Authorization Code (With PKCE)

Credit also goes out to https://blogs.aaddevsup.xyz/2020/08/performing-azure-ad-oauth2-authorization-code-grant-flow-with-pkce-in-postman/ for the starting point.

Using: Azure B2C Tenant, JS SPA frontend, Azure Function backend.

Azure Portal (Azure AD B2C)

  • Setup for the SPA and backend is more or less as described in this MS document (careful, some parts are out of date!): https://learn.microsoft.com/en-us/azure/api-management/howto-protect-backend-frontend-azure-ad-b2c

  • @ SPA application registration > Authentication blade > Add this value to 'Single-page application Redirect URIs': https://oauth.pstmn.io/v1/callback

  • @ Azure AD B2C | App registrations, click on 'endpoints' (blue globe icon @ top)

  • Record the Azure AD B2C OAuth 2.0 token endpoint (v2) and the Azure AD B2C OAuth 2.0 authorization endpoint (v2)

Postman

  • Authorization: OAuth 2.0
  • Add auth data to: Request Headers

Configure New Token

  • Token Name: WhateverYouWant

  • Grant Type: Auth Code with PKCE

  • CallbackURL: https://oauth.pstmn.io/v1/callback

  • [ ] Authorize using browser (Unchecked)

  • Auth URL: https://< tenant-name >.b2clogin.com/< tenant-name >.onmicrosoft.com/< policy-name >/oauth2/v2.0/authorize

  • Access Token URL: https://< tenant-name >.b2clogin.com/< tenant-name >.onmicrosoft.com/< policy-name >/oauth2/v2.0/token

  • Client ID: < your-SPA-Application-ID-aka-client-ID >

  • Client Secret : < EMPTY >

  • Code Challenge Method: SHA-256

  • Code Verifier: < EMPTY >

  • State: < EMPTY >

  • Scope: something like < tenant name >.onmicrosoft.com/Hello

  • Client Authentication: Send client credentials in body

  • click [Clear cookies] and [Get New Access Token]

IdusOrtus
  • This doesn't work for me - I at the minimum need to provide a client secret when using auth code with pkce – Gustav Wengel Jun 22 '21 at 11:55
  • @GustavWengel Perhaps you have implicit flow enabled? One of the reasons I prefer working with PKCE is that it does not require submitting a client secret. I confirmed that the above setup works fine with my configuration. Feel free to message me if you'd like to discuss. – IdusOrtus Jun 22 '21 at 12:43
  • This was a huge help for me. Appreciate the breakdown. I had found the blog post mentioned above but wasn't able to follow it through until I found this SO answer. – jRosenholm Jan 12 '22 at 17:05
  • Worked for me using the browser to authenticate until today when it stopped. – FullStackOverflowDev Jul 17 '23 at 15:09
6

2020-05-26 UPDATE

Microsoft changed the login URL for Azure Active Directory B2C as you can see here.

So @spottedmahn's answer has to be updated to:

Grant Type: Implicit

Callback URL: any URL defined in my B2C app

Auth URL: https://{tenant}.b2clogin.com/te/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize

Client ID: Application ID from my B2C app

Scope: https://{tenant}.onmicrosoft.com/{web api app id uri}/{scope name}

Client Authentication: Either one, it didn't matter

NDalvise
  • Hi NDalvise - please feel free to update my answer so we only have one answer for SO users to find the solution quickly – spottedmahn Dec 10 '20 at 04:19
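An added example, not code from the question or from any of the answers: a small Python script that builds the same authorization request the Postman fields above describe, for the Implicit flow in this answer and spottedmahn's as well as the Authorization Code with PKCE flow in IdusOrtus's answer, and then prepares the token request and the state check a client should apply to the callback. The tenant name, policy name, client ID, scope and callback values are placeholder assumptions; nothing here contacts a real tenant.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b2c_endpoints(tenant: str, policy: str) -> dict:
    """Auth URL / Access Token URL for a user flow on the b2clogin.com host
    (the older login.microsoftonline.com/te/{tenant}/{policy}/... form from
    Chris Padgett's answer ends in the same two path suffixes)."""
    base = f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0"
    return {"authorize": f"{base}/authorize", "token": f"{base}/token"}


def b64url(data: bytes) -> str:
    # base64url without '=' padding, as used by RFC 7636 and JWT encoding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_for(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple:
    """Fresh code_verifier (43 URL-safe chars from 32 random bytes) plus its
    challenge; Postman generates these itself when 'Code Verifier' is empty."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge_for(verifier)


def build_authorize_url(endpoints: dict, client_id: str, redirect_uri: str,
                        scope: str, state: str, code_challenge: str = None,
                        nonce: str = None) -> str:
    """Authorization request for either flow on this page:
    with a code_challenge -> Authorization Code with PKCE (response_type=code);
    without one           -> Implicit, response_type=token as Postman sends it."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state}
    if code_challenge:
        params.update(response_type="code", code_challenge=code_challenge,
                      code_challenge_method="S256")
    else:
        params.update(response_type="token",
                      nonce=nonce or b64url(secrets.token_bytes(16)))
    return f"{endpoints['authorize']}?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> dict:
    """Read the authorization response off the callback URL: the code flow puts
    it in the query string, the implicit flow in the fragment. Rejecting a
    response whose state differs from the one we sent is the client-side check
    that ties the callback to our own request."""
    parsed = urlparse(redirect_url)
    params = {k: v[0] for k, v in parse_qs(parsed.query or parsed.fragment).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in params:
        raise RuntimeError(f"{params['error']}: {params.get('error_description', '')}")
    return params


def token_request_body(client_id: str, code: str, redirect_uri: str,
                       code_verifier: str, scope: str, client_secret: str = None) -> dict:
    """Form body POSTed to the Access Token URL ('send client credentials in body').
    A SPA registration is a public client, so no secret is sent; the
    code_verifier is what proves the exchange comes from the party that started it."""
    body = {"grant_type": "authorization_code", "client_id": client_id, "code": code,
            "redirect_uri": redirect_uri, "code_verifier": code_verifier, "scope": scope}
    if client_secret:  # only for a confidential (web app) registration with a key
        body["client_secret"] = client_secret
    return body


def jwt_claims_unverified(token: str) -> dict:
    """Decode a returned token's payload to inspect aud, scp, tfp and exp.
    The signature is not checked here; validate it against the policy's JWKS
    before trusting any claim."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    # Placeholder tenant, policy, client ID and scope; none of these are real.
    ep = b2c_endpoints("contoso", "B2C_1_signupsignin")
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(12))
    url = build_authorize_url(ep, "00000000-0000-0000-0000-000000000000",
                              "https://oauth.pstmn.io/v1/callback",
                              "https://contoso.onmicrosoft.com/api/Hello", state, challenge)
    print("Open in a browser, sign in, then copy the callback URL:", url)
    # Next: params = parse_redirect(callback_url, state); POST
    # token_request_body(..., params["code"], ..., verifier, ...) to ep["token"]
    # as application/x-www-form-urlencoded.
```

The script mirrors the Postman settings field by field: the Auth URL and Access Token URL come from b2c_endpoints, "Code Challenge Method: SHA-256" is code_challenge_for, and leaving "Client Secret" empty corresponds to token_request_body without client_secret. The state check in parse_redirect is the part Postman performs silently and a hand-written client must not skip.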
2

For the Auth URL field, you only have to enter the authorization endpoint URL without the query string parameters:

https://login.microsoftonline.com/te/{tenant}/{policy}/oauth2/v2.0/authorize

For the Access Token URL field:

https://login.microsoftonline.com/te/{tenant}/{policy}/oauth2/v2.0/token

For the Callback URL field, you must enter a reply URL that is registered with the Azure AD B2C application, such as:

https://www.getpostman.com/oauth2/callback

For the Scope field, enter "openid" as well as any API access scopes.

For the Client Authentication field, select "Send client credentials in body".

Chris Padgett
1

I could get B2C Request Access Token in Postman working for both grant types: grant_type=implicit as well as grant_type=authorization_code. I've accordingly opened an issue regarding the MS documentation:

The following changes were necessary:

The only differences between grant_type=implicit and grant_type=authorization_code are that grant_type=authorization_code needs some more parameters as follows:

  • Access Token (access token request) URL: https://login.microsoftonline.com/"tenant-name".onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_"name-of-your-signup-signin-flow"

  • client_secret: generate a key for your application: Azure Portal -> Azure AD B2C -> Applications -> -> Keys -> Generate Key

spottedmahn
becke-ch
0

I just want to add some extra information for posterity since I have recently spent way too long trying to resolve an issue relating to the error AADB2C90085 and this question is one of the few results on Google.

Update

Following Chris's answer, I'm now past the above error. I'm able to sign-in but still can't get an access token:

AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again. Correlation ID: 45c56d47-4739-465f-8e02-49ba5b3a1b86 Timestamp: 2017-11-16 15:27:52Z

And:

Using @Chris Padgett's answer, I was able to get it working using the Implicit Grant Type (couldn't get it working w/ Authorization Code Grant Type).

I received this error when using authorization code flow because my B2C_1A_TokenSigningKeyContainer and B2C_1A_TokenEncryptionKeyContainer were incorrectly generated. Once I followed the guide at Get started with custom policies in Azure Active Directory B2C the error stopped occurring.

Relevant excerpt from the link:

Create the signing key

  1. Select Policy Keys and then select Add.
  2. For Options, choose Generate.
  3. In Name, enter TokenSigningKeyContainer. The prefix B2C_1A_ might be added automatically.
  4. For Key type, select RSA.
  5. For Key usage, select Signature.
  6. Click Create.

Create the encryption key

  1. Select Policy Keys and then select Add.
  2. For Options, choose Generate.
  3. In Name, enter TokenEncryptionKeyContainer. The prefix B2C_1A_ might be added automatically.
  4. For Key type, select RSA.
  5. For Key usage, select Encryption.
  6. Click Create.
Anananasu