I have a B2C tenant, an app registered, and the built-in user flows set up. When I sign in as one of the users on the client app and go through the edit profile flow, the user's information is updated on Azure's side but not on the client side. The only way I've been able to get the updated information on the client side is to log out of the client application and log back in. Obviously, this is not ideal. A few ideas that I thought had potential are:
- using the refresh token to get new tokens (I thought maybe that would have the updated user data as well). Sending the request to `https://tenantname.b2clogin.com/tenantname.onmicrosoft.com/thesignupflow/oauth2/v2.0/token` returns all the new tokens, but it doesn't seem to have the updated profile data. I checked the new `profile_info` token and the new `id_token` to see if they had the updated profile data, but they didn't. See [this](https://stackoverflow.com/questions/60016498/azure-ad-b2c-how-to-propogate-new-user-claims-to-the-access-token?rq=1#:~:text=B2C%20doesn%E2%80%99t%20refresh%20token%20claims%20on%20refresh%20token%20flows%20(yet)).
- using the Graph API to send a read request for the signed-in user after completing the edit profile flow, to fetch the updated information from the Azure side.
Is it possible to use the Microsoft Graph API with B2C? With the research I've done, the access token that B2C gives the client can't be used to call the Graph API. See this. The first suggested option (in that Stack Overflow answer) references an article talking about getting access without a user (link), but I want to only be able to fetch data of the signed-in user and not other users. I think that's what delegated permissions are for (see this), but B2C apps only seem to support 2 delegated permissions for the MS Graph API. Am I correct in understanding that using app delegated permissions would allow access to all the users? When attempting to call the `https://graph.microsoft.com/v1.0/users/me` Graph endpoint, I get an error: `"InvalidAuthenticationToken"` with the message `"Access token validation failure. Invalid audience."`, which makes sense if the B2C access token can't be used for the MS Graph API.
Another use case for being able to use the graph api would be to allow the user to edit their b2c profile information without having to go through the edit profile user flow. For instance, the client could just have input fields where the user can update their information and then behind the scenes the graph api updates the information with a post request.
So my questions are:
- How can I retrieve the updated user account data after the user has updated their data with the edit profile user flow?
- Is it possible to use the Microsoft graph api with an app registration that authenticates with Azure B2C?
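The following is an added example, not code from the question or from Microsoft, showing the backend pattern that fits both questions: the B2C token is used only to authenticate the user to your own backend; the backend then obtains its own app-only token from the B2C tenant's `login.microsoftonline.com` v2.0 endpoint (client credentials, scope `https://graph.microsoft.com/.default`, which requires an app registration granted an application Graph permission such as `User.ReadWrite.All`) and calls `GET`/`PATCH /users/{oid}` on Microsoft Graph, where `{oid}` is the `oid` claim taken from the caller's already-validated B2C token and never from the request body. The tenant, client id and secret, the `transport` callable and the in-memory `FakeTransport` are placeholders so the example runs offline; JWT validation of the B2C token is assumed to happen before these functions are called. Note the caveat from the question still applies: a Graph `PATCH` changes the directory, but claims already baked into an issued `id_token` stay stale until the user signs in again, so the client should read profile data from the backend (Graph), not from the cached token.

```python
"""Backend-side Graph access for a B2C-signed-in user (added example; tenant,
client id/secret and the transport are placeholders, FakeTransport is a
constructed stand-in for HTTP)."""
import json
import urllib.parse
from dataclasses import dataclass
from typing import Any, Callable, Dict

GRAPH = "https://graph.microsoft.com/v1.0"
READABLE = ("id", "displayName", "givenName", "surname")          # what we read back
# Attributes the user may change about themselves; anything else (userType,
# identities, otherMails, ...) is rejected so a client cannot mass-assign fields.
WRITABLE = frozenset({"displayName", "givenName", "surname"})


@dataclass
class GraphUserClient:
    tenant: str          # placeholder, e.g. "tenantname.onmicrosoft.com"
    client_id: str       # app registration with an application (app-only) Graph permission
    client_secret: str   # backend-only; must never be shipped to the browser/mobile client
    transport: Callable[[str, str, Dict[str, str], Any], Dict[str, Any]]  # (method, url, headers, body) -> JSON

    def app_token(self) -> str:
        """Client-credentials grant; '.default' selects the permissions granted to the app."""
        url = f"https://login.microsoftonline.com/{self.tenant}/oauth2/v2.0/token"
        body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                       "client_id": self.client_id,
                                       "client_secret": self.client_secret,
                                       "scope": "https://graph.microsoft.com/.default"})
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        return self.transport("POST", url, headers, body)["access_token"]

    @staticmethod
    def caller_oid(b2c_claims: Dict[str, Any]) -> str:
        """Object id of the signed-in user from B2C claims the caller has ALREADY
        validated (signature, iss, aud, exp) with a JWT library; assumed, not done here."""
        oid = b2c_claims.get("oid")
        if not isinstance(oid, str) or not oid:
            raise PermissionError("validated B2C token carries no oid claim")
        return oid

    def get_profile(self, b2c_claims: Dict[str, Any]) -> Dict[str, Any]:
        """GET /users/{oid}: current directory state, independent of the cached id_token."""
        url = f"{GRAPH}/users/{self.caller_oid(b2c_claims)}?$select={','.join(READABLE)}"
        return self.transport("GET", url, self._auth_headers(), None)

    def update_profile(self, b2c_claims: Dict[str, Any], changes: Dict[str, Any]) -> Dict[str, Any]:
        """PATCH /users/{oid} with an allow-listed, validated set of attributes."""
        oid = self.caller_oid(b2c_claims)          # target comes from the token, never the request
        rejected = set(changes) - WRITABLE
        if rejected:
            raise ValueError(f"attributes not editable by the user: {sorted(rejected)}")
        for name, value in changes.items():
            if not isinstance(value, str) or not value.strip() or len(value) > 256:
                raise ValueError(f"invalid value for {name}")
        headers = {**self._auth_headers(), "Content-Type": "application/json"}
        self.transport("PATCH", f"{GRAPH}/users/{oid}", headers, json.dumps(changes))
        return self.get_profile(b2c_claims)        # Graph answers PATCH with 204, so re-read

    def _auth_headers(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.app_token()}"}


OID = "11111111-2222-3333-4444-555555555555"   # constructed sample object id


class FakeTransport:
    """Constructed in-memory stand-in for HTTP so the example runs offline."""
    def __init__(self) -> None:
        self.calls = []
        self.users = {OID: {"id": OID, "displayName": "Old Name", "givenName": "Old", "surname": "Name"}}

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if method == "POST" and url.endswith("/oauth2/v2.0/token"):
            return {"token_type": "Bearer", "access_token": "app-only-token"}
        if headers.get("Authorization") != "Bearer app-only-token":   # mimics Graph rejecting other tokens
            raise PermissionError("InvalidAuthenticationToken")
        oid = url.split("/users/", 1)[1].split("?", 1)[0]
        if method == "GET":
            return dict(self.users[oid])
        if method == "PATCH":
            self.users[oid].update(json.loads(body))
            return {}
        raise ValueError(method)


def demo() -> Dict[str, Any]:
    """Run the flow end to end against FakeTransport and report what happened."""
    transport = FakeTransport()
    client = GraphUserClient("tenantname.onmicrosoft.com", "client-id", "client-secret", transport)
    claims = {"oid": OID, "sub": OID, "tfp": "B2C_1_signupsignin"}   # constructed, 'validated' claims
    before = client.get_profile(claims)["displayName"]
    after = client.update_profile(claims, {"displayName": "New Name"})["displayName"]
    try:
        client.update_profile(claims, {"userType": "Member"})
        mass_assign_blocked = False
    except ValueError:
        mass_assign_blocked = True
    try:
        client.caller_oid({"sub": "someone"})
        missing_oid_blocked = False
    except PermissionError:
        missing_oid_blocked = True
    return {"before": before, "after": after, "mass_assign_blocked": mass_assign_blocked,
            "missing_oid_blocked": missing_oid_blocked,
            "graph_urls": [u for m, u in transport.calls if m != "POST"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment `transport` would wrap `requests` or `httpx`, the secret would come from a vault, and the app token would be cached until shortly before its `expires_in`. The two checks worth keeping are the ones `demo()` exercises: every Graph URL the backend builds contains the `oid` from the validated token (so a user can only read or patch their own object even though the app token could reach every user), and attribute names are allow-listed before the `PATCH`.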