Resource owner password flow in Azure AD B2C

One of the hardest things I find is to keep up with what’s happening in Azure, specifically around Identity.

The ROPC flow wasn't supported for ages and then, by chance, I came across this.

It's a good article with easy-to-follow steps and I got it working in Postman.

The flow returns an ID token, an access token and a refresh token.

The id_token is:

Nat Sakimura, the chairman of the OpenID Foundation, has a good video of when you should use this flow.

Scott Brady discussed why you don't need it for browser-less devices now that the Device Flow is available. (And further thoughts on why it is neither authentication nor suitable for Modern Applications.)

I see a use for it in unit / integration testing where you want to test an API in the context of a user but you don't want to physically have to authenticate, e.g. in a CI/CD scenario.
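To make the CI/CD idea concrete, here is an added example (my own illustration, not code from the article linked above or from Microsoft) of what such a test helper looks like in Python: it builds the ROPC token request for a B2C user flow, parses the response that carries the ID, access and refresh tokens, and decodes the id_token payload so a test can assert on the user's claims. The tenant name `contoso`, the policy name `B2C_1_ROPC`, the all-zero client id and the sample token response are constructed placeholders; real values come from your own tenant, and the test credentials should be injected from the CI secret store via environment variables, never committed.

```python
import base64
import json
import os
import urllib.request
from urllib.parse import urlencode

# Placeholder values (assumptions for this example); replace with your tenant's.
B2C_TENANT = "contoso"                                # tenant short name
B2C_POLICY = "B2C_1_ROPC"                             # name of the ROPC user flow
CLIENT_ID = "00000000-0000-0000-0000-000000000000"    # app registration id


def token_endpoint(tenant: str, policy: str) -> str:
    """Azure AD B2C v2.0 token endpoint for the given user flow (policy)."""
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/token")


def build_ropc_request(username: str, password: str, client_id: str,
                       tenant: str = B2C_TENANT, policy: str = B2C_POLICY):
    """Return (url, form_body) for the password grant.

    `openid` in scope yields an id_token, `offline_access` a refresh_token,
    and the client id itself as a scope yields an access_token for that API.
    """
    form = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "scope": f"openid offline_access {client_id}",
        "response_type": "token id_token",
    }
    return token_endpoint(tenant, policy), urlencode(form)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_jwt_claims(token: str) -> dict:
    """Decode (but do NOT verify) a compact JWT payload for inspection in tests.
    Anything that trusts the token must verify its signature against the
    tenant's JWKS first; this helper is only for asserting on claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def parse_token_response(body: str) -> dict:
    """Pull the three tokens out of the token endpoint's JSON response."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    return {
        "id_token": data["id_token"],
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "claims": decode_jwt_claims(data["id_token"]),
    }


def fetch_tokens_for_ci() -> dict:
    """What a CI job would call: credentials come from the pipeline's secrets."""
    username = os.environ["B2C_TEST_USER"]
    password = os.environ["B2C_TEST_PASSWORD"]
    url, form = build_ropc_request(username, password, CLIENT_ID)
    req = urllib.request.Request(url, data=form.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read().decode())


def _fake_jwt(claims: dict) -> str:
    """Build an unsigned, constructed JWT so the parser can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"


# Constructed sample response, shaped like the B2C token endpoint's JSON.
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "expires_in": 3600,
    "access_token": _fake_jwt({"aud": CLIENT_ID, "scp": "user_impersonation"}),
    "id_token": _fake_jwt({"sub": "test-user-object-id", "name": "CI Test User",
                           "tfp": B2C_POLICY}),
    "refresh_token": "constructed-refresh-token",
})

if __name__ == "__main__":
    result = parse_token_response(SAMPLE_RESPONSE)
    print("id_token subject:", result["claims"]["sub"])
```

In a real pipeline the access token from `fetch_tokens_for_ci()` goes in the `Authorization: Bearer` header of the API calls under test, and the refresh token lets a long-running suite renew it without re-sending the password.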

But at least now you have the choice!

All good!