
Question: What am I trying to perform?
Answer: I am trying to automate the retrieval of an Auth Bearer token for API testing.

Current scenario: I have followed this wiki: "Request Access Token in Postman for Azure AD B2C".

I am able to retrieve the Auth Bearer token with Grant Type Implicit. However, I need to add my username and password in the next step, as shown in the image:

[screenshot]

If I change the Grant Type to Password Credentials to skip manually adding the username and password, the call is successful but it gives an invalid token:

[screenshot]

MFA is enabled at the user level. I have created a Sign In / Sign Up flow with MFA Off (although I tried both Off and Always On, it still gave the same invalid token):

[screenshot]

How can I bypass the MFA, automate the sign-in and retrieve the Access Token?

Method 2: I followed the ROPC way to retrieve the token.

I am able to retrieve the access token from Postman, but if I use this token in my application for REST API calls (both applications, the ROPC_Auth app and the other application, are under the same B2C tenant), I get an error making a call using this Auth Bearer token / access token. Error details: [screenshot]

Method 3: If I use the Application/Client ID of the application under the same tenant which works manually, I get this error when testing the ROPC flow:

    {
        "error": "unauthorized_client",
        "error_description": "AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow.\r\nCorrelation ID: 25661033-61b9-4f59-8358-4cd07ad9b007\r\nTimestamp: 2022-01-13 22:38:52Z\r\n"
    }

The troubleshooting part says to change the manifest details, which I did, and then I got this error:

    {
        "error": "invalid_request",
        "error_description": "AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.\r\nCorrelation ID: 45dcc3bf-74d6-4536-8ab4-d2025dc9ecb0\r\nTimestamp: 2022-01-13 21:58:57Z\r\n"
    }
Aarti Arora
  • Follow [this](https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow). – Jas Suri - MSFT Jan 11 '22 at 08:55
  • Tried both the ROPC and the Sign Up / Sign In user flow. No success so far. – Aarti Arora Jan 12 '22 at 07:10
  • The solution is ROPC. You need to detail what you’ve done with ROPC and the exact outcome/observations to get more advice. AAD B2C users do not have MFA at user level, it is enforced by the User Flow instead. – Jas Suri - MSFT Jan 12 '22 at 08:42
  • I have tried ROPC, as per the steps mentioned in the wiki: I am able to retrieve a token from ROPC_Auth_app, but that token is not valid when I am testing the REST API endpoints. The error I am receiving is: Bearer error="invalid_token", error_description="The audience '1901ad3b-0a9a-48ac-b4bb-6b38a3dc23d0' is invalid" – Aarti Arora Jan 13 '22 at 22:31
  • I have added more details in the question above. Please check. – Aarti Arora Jan 13 '22 at 22:50
  • The error that you are encountering as posted above stating that 'OAuth Implicit Flow' is not configured itself explains that 'oauth2allowimplicitflow' parameter should be set as 'true' in the ROPC_Auth B2C app manifest settings. Also, ensure that 'ProxyIdentityExperienceFramework' app has 'user_impersonation' permissions to 'IdentityExperienceFramework' app also. – Kartik Bhiwapurkar Jan 17 '22 at 07:57
  • As I mentioned above, after changing 'OAuth Implicit Flow' to true in the manifest, it is throwing the error { "error": "invalid_request", "error_description": "AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.\r\nCorrelation ID: 45dcc3bf-74d6-4536-8ab4-d2025dc9ecb0\r\nTimestamp: 2022-01-13 21:58:57Z\r\n" } – Aarti Arora Jan 21 '22 at 23:13

1 Answer


I followed the documentation linked below thoroughly as a prerequisite to the ROPC (Resource Owner Password Credential) flow which you were trying to do. I successfully requested an access token, refresh token and ID token through Postman by following the linked documentation for using the ROPC_Auth policy as a user flow for an application registered in Azure AD B2C.

Prerequisite Azure AD B2C link: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy

ROPC flow Azure AD B2C link: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-custom-policy#test-the-ropc-flow

Please find below the snapshots of the successful deployment:

ROPC_Auth Application in Azure AD B2C

ROPC app

Application manifest changes:

ROPC app manifest

Identity Experience Framework application in Azure AD B2C:

Identity Experience framework

Proxy Identity Experience Framework application in Azure AD B2C:

Proxy Identity Experience framework

ROPC_Auth policy in Azure AD B2C:

ROPC_Auth Policy

Before requesting tokens through Postman, make sure to run the user flow through the 'Signup_signin' B2C custom policy and create a user through it, as only that user's credentials will be used later in Postman for the Password Credentials authentication request.

Postman ROPC request:

Postman request

Thus, in this way you can use the 'Password Credentials' flow through Postman to successfully get an access token, refresh token and ID token for an application.

Kartik Bhiwapurkar
  • I got the authentication token with ROPC, but it is not working for the application's REST API calls. The error I am getting is "error": "invalid_request", "error_description": "AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.\r\nCorrelation ID: 45dcc3bf-74d6-4536-8ab4-d2025dc9ecb0\r\nTimestamp: 2022-01-13 21:58:57Z\r\n" – Aarti Arora Jan 13 '22 at 22:02
  • I have added more details in the question above. Please check. – Aarti Arora Jan 13 '22 at 22:50
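The ROPC exchange that the answer performs in Postman, and the "audience is invalid" failure from the question's comments, can both be reproduced from a script. The following is an added example, not code from the original post or from Microsoft's documentation; the tenant name, policy name, client IDs, username and password are constructed placeholders. It builds the token request against the B2C ROPC endpoint the linked docs describe, then decodes the returned access token's payload to check its `aud` claim before the token is sent to the API. The point it demonstrates is that B2C sets `aud` from the `scope` parameter: if the scope does not name the protected API's application ID, the access token is issued for the ROPC app itself and the API rejects it exactly as reported in the comments. The network call is kept in its own function so the audience check can be exercised offline on a constructed, unsigned token.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed placeholder values (assumptions, not taken from the original post).
TENANT = "contoso"                                         # <tenant-name> of the B2C directory
POLICY = "B2C_1_ROPC_Auth"                                 # ROPC user flow / custom policy name
ROPC_CLIENT_ID = "00000000-0000-0000-0000-00000000aaaa"    # native ROPC app registration
API_CLIENT_ID = "00000000-0000-0000-0000-00000000bbbb"     # the protected REST API's registration


def build_ropc_request(tenant, policy, client_id, api_client_id, username, password):
    """Return (url, form) for a B2C ROPC token request.

    The scope must name the API's application ID (or one of its App ID URI scopes).
    Otherwise B2C issues an access token whose 'aud' is the ROPC app itself and the
    API rejects it with 'The audience ... is invalid'.
    """
    url = (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
           f"{policy}/oauth2/v2.0/token")
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": f"openid offline_access {api_client_id}",
        # The docs' Postman example also sends this; the token endpoint tolerates it.
        "response_type": "token id_token",
    }
    return url, form


def request_token(url, form, timeout=15):
    """POST the form to the token endpoint and return the parsed JSON (network call)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying its signature: inspection only, never authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(token, expected_aud):
    """True when the token's 'aud' claim names expected_aud (string or list form)."""
    aud = jwt_claims(token).get("aud")
    if isinstance(aud, list):
        return expected_aud in aud
    return aud == expected_aud


def make_unsigned_jwt(claims):
    """Build a constructed, unsigned (alg=none) JWT for offline demonstration only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    # Offline demonstration of the failure mode from the question's comments.
    wrong = make_unsigned_jwt({"aud": ROPC_CLIENT_ID})   # token issued for the ROPC app
    right = make_unsigned_jwt({"aud": API_CLIENT_ID})    # token issued for the API
    print("aud matches API (wrong scope):", audience_matches(wrong, API_CLIENT_ID))
    print("aud matches API (right scope):", audience_matches(right, API_CLIENT_ID))

    # Live call (uncomment with real values); check 'aud' before using the token.
    # url, form = build_ropc_request(TENANT, POLICY, ROPC_CLIENT_ID, API_CLIENT_ID,
    #                                "user@example.com", "<password>")
    # tokens = request_token(url, form)
    # print("usable for API:", audience_matches(tokens["access_token"], API_CLIENT_ID))
```

The audience check only reads the payload; the API itself must still validate the signature against the B2C policy's JWKS, the issuer and the expiry. Checking `aud` on the client side merely tells you, before the first 401, whether the `scope` you sent produced a token for the right resource.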