Resource owner password flow in Azure AD B2C
One of the hardest things I find is to keep up with what’s happening in Azure, specifically around Identity.
The ROPC flow wasn’t supported for ages and then, by chance, I came across this.
It’s a good article with easy-to-follow steps and I got it working in Postman.
The flow returns an ID token, an access token and a refresh token.
The id_token is:
Nat Sakimura, the chairman of the OpenID Foundation, has a good video of when you should use this flow.
I see a use for it in unit / integration testing where you want to test an API with the context of a user but you don’t want to physically have to authenticate, e.g. in a CI/CD scenario.
But at least now you have the choice!
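The Postman request described above, written as a helper for the CI / integration-test use the post mentions. This is an added example, not code from the original post or the linked article: the endpoint shape and form parameters are assumed from Microsoft's B2C ROPC documentation, the function names are hypothetical, and the sample response is constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

def build_ropc_request(tenant, policy, client_id, username, password):
    """Return (url, form_bytes) for a B2C ROPC token request."""
    # Endpoint shape is an assumption taken from Microsoft's B2C documentation.
    url = (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
           f"{policy}/oauth2/v2.0/token")
    form = {
        "grant_type": "password",
        "client_id": client_id,
        # openid -> ID token, client_id -> access token, offline_access -> refresh token
        "scope": f"openid {client_id} offline_access",
        "response_type": "token id_token",
        "username": username,
        "password": password,
    }
    return url, urllib.parse.urlencode(form).encode()

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying its signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def parse_token_response(body):
    """Require all three tokens; return (response dict, ID token claims)."""
    data = json.loads(body)
    expected = ("id_token", "access_token", "refresh_token")
    missing = [name for name in expected if name not in data]
    if missing:
        raise ValueError(f"token response missing: {missing}")
    return data, jwt_claims(data["id_token"])

def fetch_tokens(tenant, policy, client_id, username, password):
    """Live call for a test run; not executed when this module is imported."""
    url, form = build_ropc_request(tenant, policy, client_id, username, password)
    req = urllib.request.Request(url, data=form)  # data present, so this is a POST
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read())

def sample_response():
    """Constructed response with an unsigned, made-up ID token (offline use)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    id_token = f'{enc({"alg": "none"})}.{enc({"sub": "constructed-user"})}.'
    return json.dumps({"id_token": id_token, "access_token": "x", "refresh_token": "y"})
```

In a pipeline, pass the dedicated test user's password to `fetch_tokens` from the CI secret store rather than from the repository, and verify the token signature in the API under test as usual.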