Getting an access token in Azure AD B2C


There’s a good write-up here.

Let’s go through the steps.

I have an API that’s configured in App Registration called “ToDo API”.

Image showing the “Expose an API” tab with the URI having a “tasks-api” endpoint and two scopes for write and read. The full scope is “https://tenant.onmicrosoft.com/tasks-api/tasks.write”

I’ve defined the Application ID URI (“tasks-api”) at the top and added two scopes, “tasks.read” and “tasks.write”.

I have a test application called “Test_B2C”. I’ve added the “tasks.read” permission.

Image of the application giving permission to use a scope of “tasks.read”

I have a custom policy called “B2C_1A_USERNAME_SUSI”.

When I run it, I select the scopes as below. Note that only the scopes the application has permission to access will be displayed.

Image showing the “Run now” endpoint and the access tokens dropdown for the API showing the selected scopes including “tasks.read”

The “Run now endpoint” looks like this (one parameter per line for readability; the portal shows the scope list with literal spaces, which are percent-encoded on the wire):

https://tenant.b2clogin.com/tenant.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_USERNAME_SUSI
&client_id=7bd...760
&nonce=defaultNonce
&redirect_uri=https://jwt.ms
&scope=openid https://tenant.onmicrosoft.com/tasks-api/tasks.read
&response_type=id_token token
&prompt=login

Notice the scope:

scope=openid https://tenant.onmicrosoft.com/tasks-api/tasks.read

Now when I log in, I get two tokens: an access token and an ID token. Because response_type is “id_token token” (the implicit flow), both come back in the fragment of the redirect to jwt.ms. That is fine for testing from the portal, but a production client should use the authorization code flow instead.

The access token looks like this:

Image showing the JWT with “scp”: “tasks.read”

Notice that the granted scope appears in the “scp” claim, and that it is the short scope name (“tasks.read”), not the full URI that was requested.

The id token looks like this:

Image showing the JWT. No scope.

Notice there is no scope.

There is a neat trick for getting an access token without defining an API scope at all. It’s described in the link above:

“00000000-0000-0000-0000-000000000000: Using the client ID as the scope indicates that your app needs an access token that can be used against your own service or web API, represented by the same client ID”.

The URL is then:

https://tenant.b2clogin.com/tenant.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_USERNAME_SUSI
&client_id=7bd3...4760
&nonce=defaultNonce
&redirect_uri=https://jwt.ms
&scope=openid offline_access 7bd3...4760
&response_type=id_token token
&prompt=login

where the third scope is the client ID of the application itself (“offline_access” additionally asks for a refresh token).

This returns both an access token and an ID token.

The access token then looks like this:

Image showing the JWT. No scope.

Notice there is no “scp” claim. The token was requested for the application itself, so its audience (“aud”) is the application’s own client ID rather than the API’s, and it carries no delegated scopes. It passes signature, issuer and expiry validation like any other B2C access token, but an API that authorises on “scp” has nothing to check, so this shortcut only suits the case where the client application and the resource are the same registration.

All good!

Rory Braybrook

NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5