
I have an Azure B2C application. When I create a user through the Users application in portal.azure.com (or by making a POST request with Postman), I have to send the client_secret of my B2C app to refresh a token. But with users created through PowerShell with the AzureAD module I get an error saying that I shouldn't send the client_secret.

{
    "error": "invalid_request",
    "error_description": "AADB2C90084: Public clients should not send a client_secret when redeeming a publicly acquired grant.\r\nCorrelation ID: 39abec35-770c-42e6-bd65-438d6501a124\r\nTimestamp: 2018-04-09 14:43:13Z\r\n"
}

Why is there that difference? How can I create a user that does not require the client_secret using the Graph API?

Thanks in advance! Germán

    I don't quite understand the problem. You mean you get this error if you try to log in? The error message itself is pretty clear: you don't use client secrets in public clients, such as a PowerShell module. – juunas Apr 09 '18 at 18:32

1 Answer


According to the error message, I assume that the app you're using is a Native app (as juunas said, PowerShell is also a native app), which is also called a public client in OAuth. client_secret is only required when your application is a Web App/API, which is also called a confidential client in OAuth.

Refreshing the access token with a Native App:

// Line breaks for legibility only

    POST /{tenant}/oauth2/token HTTP/1.1
    Host: login.microsoftonline.com
    Content-Type: application/x-www-form-urlencoded

    client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
    &grant_type=refresh_token
    &resource=https%3A%2F%2Fservice.contoso.com%2F

NOTE: The application secret that you created in the app registration portal for your app. It cannot be used in a native app (public client), because client_secrets cannot be reliably stored on devices. It is required for web apps and web APIs (all confidential clients), which have the ability to store the client_secret securely on the server side.

So, you can just delete the client_secret in the request body to resolve that.

Additionally, Azure AD B2C doesn't support the client_credentials flow. See details about this here.

Wayne Yang
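The public-client versus confidential-client distinction from the answer, as an added example that is not part of the original question or answer. It builds the refresh_token grant body with the client_secret omitted (public client) or included (confidential client), posts it, and classifies the reply so that an AADB2C90084 rejection and its Correlation ID are surfaced as values rather than buried in the JSON. The tenant, client_id, secret and refresh-token values are placeholders, the TOKEN_ENDPOINT constant follows the v1 endpoint shape quoted in the answer (a B2C tenant's real policy endpoint can be substituted), and `fake_b2c_token_endpoint` is a constructed stand-in for the token endpoint so the flow runs offline.

```python
"""Refresh-token redemption for a public client vs. a confidential client.

Added example, not from the original post. All credential-looking values are
placeholders; `fake_b2c_token_endpoint` is a constructed offline stand-in.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: v1 endpoint shape quoted in the answer; adjust for a B2C policy endpoint.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token"

# The error body from the question, reused as sample input for the parser.
SAMPLE_B2C_ERROR = json.dumps({
    "error": "invalid_request",
    "error_description": "AADB2C90084: Public clients should not send a client_secret "
                         "when redeeming a publicly acquired grant.\r\n"
                         "Correlation ID: 39abec35-770c-42e6-bd65-438d6501a124\r\n"
                         "Timestamp: 2018-04-09 14:43:13Z\r\n",
})


def build_refresh_body(client_id, refresh_token, resource, client_secret=None):
    """Form body for grant_type=refresh_token.

    A public client (native app, the PowerShell module, Postman used without a
    secret) passes client_secret=None and the parameter is omitted entirely.
    A confidential client (web app / web API) includes its secret.
    """
    params = {
        "client_id": client_id,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
        "resource": resource,
    }
    if client_secret is not None:
        params["client_secret"] = client_secret
    return urllib.parse.urlencode(params)


def parse_token_response(status, text):
    """Return ("ok", access_token) or ("error", code, correlation_id).

    code is the AADB2C/AADSTS code that leads error_description when present,
    otherwise the OAuth "error" value. The Correlation ID is extracted so it
    can be quoted in a support case without pasting the whole response.
    """
    data = json.loads(text)
    if status == 200 and "access_token" in data:
        return ("ok", data["access_token"])
    desc = data.get("error_description", "")
    head = desc.split(":", 1)[0].strip()
    code = head if head.startswith(("AADB2C", "AADSTS")) else data.get("error", "unknown_error")
    correlation_id = None
    for line in desc.splitlines():
        if line.startswith("Correlation ID:"):
            correlation_id = line.split(":", 1)[1].strip()
    return ("error", code, correlation_id)


def _urllib_post(url, body, headers):
    """Default transport: (status, text); 4xx/5xx bodies are returned, not raised."""
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")


def redeem_refresh_token(tenant, client_id, refresh_token, resource,
                         client_secret=None, post=_urllib_post):
    """POST the refresh request and classify the reply; `post` is injectable for offline use."""
    url = TOKEN_ENDPOINT.format(tenant=urllib.parse.quote(tenant, safe=""))
    body = build_refresh_body(client_id, refresh_token, resource, client_secret)
    status, text = post(url, body, {"Content-Type": "application/x-www-form-urlencoded"})
    return parse_token_response(status, text)


def fake_b2c_token_endpoint(url, body, headers):
    """Constructed stand-in: rejects a secret the way AADB2C90084 does, else issues a dummy token."""
    fields = urllib.parse.parse_qs(body)
    if "client_secret" in fields:
        return 400, SAMPLE_B2C_ERROR
    return 200, json.dumps({"access_token": "eyJ.dummy.token", "token_type": "Bearer"})


if __name__ == "__main__":
    common = dict(tenant="contoso.onmicrosoft.com",                      # placeholder
                  client_id="6731de76-14a6-49ae-97bc-6eba6914391e",        # placeholder from the answer
                  refresh_token="OAAABAAAAiL9Kn2Z27Uubv...",               # placeholder
                  resource="https://service.contoso.com/",
                  post=fake_b2c_token_endpoint)
    print("public client, no secret:", redeem_refresh_token(**common))
    print("secret sent anyway      :", redeem_refresh_token(client_secret="not-a-real-secret", **common))
```

Swap `post=fake_b2c_token_endpoint` for the default to hit the real endpoint; the only thing that changes between the two client types is whether `client_secret` is passed, which is exactly the parameter the error message tells a public client to drop.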