AADB2C90085: Can't obtain token with client_credentials and custom policy

Question

Hello,

I am trying to generate a token for a web app (app1) that exposes another app's scope (app2) using app1's client_id/client_secret. Both apps exist in the same B2C tenant. . I've followed this tutorial, exposed an app role, but request app1's scope ./default, since it's a client_credentials grant.

Here's what this call looks like on postman

It returns:

{  
    "error": "invalid_grant",  
    "error_description": "AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.
Correlation ID: 0f836311-0f5b-44a5-b15b-4c53439086dc
Timestamp: 2022-10-20 00:17:55Z
"  
}

My manifest has accessTokenAcceptedVersion : 2 and my appRole

"allowedMemberTypes": [  
"Application"  
],

I am unsure what can be happening because I can't seem to see Audit logs for these requests in my Azure AD B2C.

Answer

Hello @Paul Stevenson

Thank you for your post on this community space.

I would like to provide the next post which seems to be very similar for what you were describing previously.... So please direct yourself down below:

https://stackoverflow.com/questions/73408144/azure-b2c-client-credentials-flow-throws-invalid-grant-aadb2c90085

I hope you can find this useful to overcome your concern.

Looking forward to your feedback,

Cheers,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer

Hi Ricardo, thank you for pointing to this stack overflow post. Unfortunately, I had already seen it and tried both solutions in that post. I actually noticed there have logs in the audit logs but none of them offer useful information. Is there anything else that I have to configure in custom policies to support client_credentials?

Answer

Hi @Paul Stevenson ,

Thanks for reaching out.

The error you are getting is due to configuration is not correct while setting up client credential flow in Azure AD B2C.

I tried to reproduce the issue and got same error due to incorrect scope.

Steps to set up client credential flow :

Register App2 and expose the scopes by setting the application id URI.

2.Update manifest to define app roles

 {  
     "allowedMemberTypes": [  
     "Application"  
     ],  
     "description": "B2CRole",  
     "displayName": "B2CRole",  
     "id": "1fb805ae-3118-4e7c-b5e0-032c289eaf44",  
     "isEnabled": true,  
     "lang": null,  
     "origin": "Application",  
     "value": "B2CRole"  
     },  
     {  
     "allowedMemberTypes": [  
     "Application"  
     ],  
     "description": "B2C",  
     "displayName": "B2C",  
     "id": "7316bf0a-f704-4bd4-9d9d-baf2d6f7719e",  
     "isEnabled": true,  
     "lang": null,  
     "origin": "Application",  
     "value": "B2C"  
     }],

3.Register the app1 and update the app's accessTokenAcceptedVersion is set to 2
4.Grant the app(app1) permission for API(app2).

5.Request the access token . Make sure to pass correct scope. e.g https://.onmicrosoft.com/api/.default

6.Decode the token using jwt.ms to see the scopes.

Hope this will help.

Thanks,
Shweta

Please remember to "Accept Answer" if answer helped you.

Share via

AADB2C90085: Can't obtain token with client_credentials and custom policy

3 answers

Your answer