Getting an access token in Azure AD B2C
There’s a good write-up here.
Let’s go through the steps.
I have an API that’s configured in App Registration called “ToDo API”.
I’ve defined my endpoint (“tasks-api”) at the top and added two scopes.
I have a test application called “Test_B2C”. I’ve added the “tasks.read” permission.
I have a custom policy called “B2C_1A_USERNAME_SUSI”.
When I run it, I select the scopes as below. Note that only the scopes the application has permission to access will be displayed.
The “Run now endpoint” looks like:
Notice the scope:
Now when I log in, I get two tokens: an access token and an ID token.
The access token looks like this:
Notice the scope claim (“scp”).
The id token looks like this:
Notice there is no scope.
There is a neat trick to getting an access token. It’s described in the link above:
“00000000-0000-0000-0000-000000000000 — Using the client ID as the scope indicates that your app needs an access token that can be used against your own service or web API, represented by the same client ID”.
The URL is then:
&scope=openid offline_access 7bd3...4760
where the scope is the clientID of the application.
This returns both an access and an id token.
The access token then looks like this:
Notice there is no “scp” claim.
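As an added example (not code from this post), the script below builds the Run now URL for the B2C_1A_USERNAME_SUSI policy, constructs sample tokens for the three cases above (API scope, ID token, client ID as scope), and shows the check an API should make on the “aud” and “scp” claims before serving a request. The tenant name, client IDs and tokens are constructed placeholders, and the decoder inspects the payload only without verifying the signature.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholder values; not the tenant, IDs or scope from the post.
TENANT = "contoso"
POLICY = "B2C_1A_USERNAME_SUSI"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # the test application
API_APP_ID = "66666666-7777-8888-9999-000000000000"  # the "ToDo API" registration
API_SCOPE = f"https://{TENANT}.onmicrosoft.com/tasks-api/tasks.read"


def build_run_now_url(scopes, response_type="id_token token"):
    """Build the policy's /authorize URL (the 'Run now endpoint' in the portal)."""
    base = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
            f"{POLICY}/oauth2/v2.0/authorize")
    params = {"client_id": CLIENT_ID, "nonce": "defaultNonce",
              "redirect_uri": "https://jwt.ms", "scope": " ".join(scopes),
              "response_type": response_type, "prompt": "login"}
    return base + "?" + urlencode(params)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims):
    """Constructed sample token (alg=none, empty signature) so the checks run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(jwt):
    """Read the payload for inspection only; this does NOT verify the signature."""
    _header, payload, _sig = jwt.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def token_authorizes(jwt, required_scope, api_app_id):
    """The check an API should make: the audience is the API itself and 'scp'
    grants the scope. An ID token, or an access token issued with the client ID
    as the scope, carries no 'scp' and therefore fails."""
    claims = decode_claims(jwt)
    if claims.get("aud") != api_app_id:
        return False
    return required_scope in claims.get("scp", "").split()


# Three constructed tokens mirroring the post's cases.
ACCESS_TOKEN = make_unsigned_jwt({"aud": API_APP_ID, "scp": "tasks.read", "tfp": POLICY})
ID_TOKEN = make_unsigned_jwt({"aud": CLIENT_ID, "tfp": POLICY})
SELF_SCOPED_TOKEN = make_unsigned_jwt({"aud": CLIENT_ID, "tfp": POLICY})
```

In production the payload must only be trusted after the signature, issuer and expiry have been validated against the policy's JWKS; the point here is that a syntactically valid token with no “scp” must not be accepted for a scoped API call.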