Azure AD B2C - access_token missing

Question

Azure AD B2C - access_token missing

Olivier Ragain 16

Hi,
I've been testing Azure AD B2C and I have setup:
* IDProvider - tested and works
* User Flow
* Application

However, whether I try to do it via the Drupal website, or manually by doing get/post requests to the endpoints, I am unable to obtain an access_token. The answer from the token endpoint for the specific user flow (policy) only contains:
* id_token
* token_type (bearer)
* not_before
* id_token_expires_in
* profile_info
* scope (openid offline_access)
* refresh_token
* refresh_token_expires_in

but no access_token, when decoding the id_token again I only get:
{
"typ": "JWT",
"alg": "RS256",
"kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk"
}.{
"exp": 1603395300,
"nbf": 1603391700,
"ver": "1.0",
"iss": "https://<tenant>.b2clogin.com/GUID/v2.0/",
"sub": "GUID",
"aud": "GUID",
"nonce": "1236",
"iat": 1603391700,
"auth_time": 1603391521,
"idp": "IDP ID",
"given_name": "GN",
"family_name": "FN",
"oid": "my oid",
"emails": [
"my email"
],
"tfp": "policy name / user workflow"
}.[Signature]

Still no access_token.

All the microsoft documentations show access_token but no id_token:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect
https://learn.microsoft.com/en-us/azure/active-directory-b2c/access-tokens

Did I miss a step in the configuration of Azure AD B2C for it to add an access_token?

Thanks

3 answers

Your answer

Answer 1

AmanpreetSingh-MSFT 56,951 Moderator

Hi @Olivier Ragain · The response that you get from B2C depends on the response type and scope parameter that you pass in the request.

Please refer to below request to get an access token from Azure AD B2C:

https://your_tenant.b2clogin.com/your_tenant.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_signup_signin&client_id=2c9296bb-xxxx-xxxx-xxxx-30d38790dea1&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=2c9296bb-xxxx-xxxx-xxxx-30d38790dea1&response_type=token&prompt=login

Here, I have updated below parameters to get Access Token:

scope=2c9296bb-xxxx-xxxx-xxxx-30d38790dea1
Response_type=token

Also, make sure that you have enabled Access token for the application whose app id you are passing in the client_id paramter of your request. Refer to below screenshot for this purpose

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Srinivas Ponnada 6 Reputation points

2021-01-13T10:14:15.243+00:00

@AmanpreetSingh-MSFT

We have a similar issue, i.e. not getting access token, even after we enabled access token as suggested by you.

We have an App Service for which AuthN/ AuthZ (Easy Auth) has been enabled.

Issuer URL is set to an Azure AD B2C Custom Policy Sign In URL:

https://myDomain.b2clogin.com/myDomain.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1A_SignUpSignInMyApp

The URL we see in browser during the sign-in flow is:

https://myDomain.b2clogin.com/myDomain.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2FMyApp.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=GUID&scope=openid+profile+email&response_mode=form_post&p=b2c_1a_signupsigninmyapp&nonce=42b770dd78a244be89563165fcb40965_20210113100331&state=redir%3D

We keep seeing response_type=code+id_token

Badly in need of help.
House of Giants, LLC 21 Reputation points

2021-03-24T16:46:06.487+00:00

@AmanpreetSingh-MSFT

I'm also experiencing this issue - I am getting an id_token returned, but not an access_token. I need the access_token so I can access the Microsoft Graph API. The id_token returned does not work for Graph authentication - InvalidAuthenticationToken. I've turned on both Access and Id Token support in my App

The URL we are using to request the token is :
https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1_signup_signin/oauth2/v2.0/token?grant_type=authorization_code&code=code&client_id=client_id&redirect_uri=https://jwt.ms&scope=client_id&client_secret=client_secret&response_type=token

I've tried response_type of code, token, id_token, access_token... nothing is returned but id_token

Answer 2

Michael Freidgeim 46

I am following https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow#2-get-an-access-token and had the same issue as above: getting an id_token returned, but not an access_token..
I finally found that when I specify ‘openid’ in scope, only ‘id_token’ is returned instead of expected both access_token and id_token.

I am not sure, is it a bug or an expected behavior, that not clearly documented.

@AmanpreetSingh-MSFT , can you advice how it should be reported?

House of Giants, LLC 21 Reputation points

2021-03-30T15:36:01.883+00:00

@Michael Freidgeim Precisely that! If I remove the openid scope, and have client_id and offline_access, it sends back a token. If openid is included, I only receive an id_token.
Michael Freidgeim 46 Reputation points

2021-04-02T21:49:40.277+00:00
According to https://darutk.medium.com/diagrams-of-all-the-openid-connect-flows-6968e3990660

response_type=code
if openid is included in the scope request parameter, an ID token is issued from the token endpoint in addition to an access token.

It looks like a bug.

@AmanpreetSingh-MSFT , is the post here considered as a bug report or there is other channel to report the bug?
Stefan Bley 1 Reputation point

2021-11-01T07:52:59.437+00:00
You might need to append your client id to the scope in order to receive an access token:

client_id: 'xyz', response_type: 'code', scope: 'openid offline_access xyz'
Michael 1 Reputation point

2022-03-03T05:56:38.597+00:00

You have to remember one thing if you want to get access tokens (no matter if via responseType=code or token):
You have put a scope which is pointing to a "resource" either by using the client_id (get access_token to "yourself") or to a scope which is exposed by another appRegistration.
This scope can be combined with openid and/or offline_access.
Peter Weiss 10 Reputation points

2023-01-23T13:31:55.96+00:00

@Michael Freidgeim @Michael Freidgeim

Looks like spec not a bug:

Note that a request for an ID token has to include openid in the scope request parameter. Especially, if openid is not included in scope, the case of response_type=code is regarded as the original authorization code flow defined in RFC 6749 and an ID token won't be issued.

Sorry don't mind my comment above. I just didn't see your comment thread before I commented.

Answer 3

Som Borivong 0

Doing some additional research off this article, if you specify "code" and "id_token" and "token" in the response type, then you will get the authorization code, ID token, and access token in the JWT.

&client_id=00000000-0000-0000-0000-000000000000 &nonce=defaultNonce &redirect_uri=https%3A%2F%2Fjwt.ms &scope=openid offline_access 00000000-0000-0000-0000-000000000000 &response_type=code id_token token &prompt=login

Matthias K 0

If you are using NestJS and passport you've got to add the verify callback.

export class AzureStrategy extends PassportStrategy(OIDCStrategy, 'azure') {
	constructor() {
		super({
			responseType: "id_token code",
			clientSecret: "",
			...
		},
		(
        req: Request,
        iss: string,
        sub: string,
        profile: IProfile,
        access_token: string,
        refresh_token: string,
        done: VerifyCallback,
      ) => {
        console.log(access_token);
        done(null, profile);
      }
	)
	}
}

Share via

Azure AD B2C - access_token missing

3 answers

Your answer