AADB2C90085: Can't obtain token with client_credentials and custom policy

Paul Stevenson 1 Reputation point
2022-10-20T00:33:14.237+00:00

Hello,

I am trying to generate a token for a web app (app1) that exposes another app's scope (app2) using app1's client_id/client_secret. Both apps exist in the same B2C tenant. . I've followed this tutorial, exposed an app role, but request app1's scope ./default, since it's a client_credentials grant.

Here's what this call looks like on postman

252206-image.png

It returns:

{  
    "error": "invalid_grant",  
    "error_description": "AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.\r\nCorrelation ID: 0f836311-0f5b-44a5-b15b-4c53439086dc\r\nTimestamp: 2022-10-20 00:17:55Z\r\n"  
}  

My manifest has accessTokenAcceptedVersion : 2 and my appRole

"allowedMemberTypes": [  
"Application"  
],  

I am unsure what can be happening because I can't seem to see Audit logs for these requests in my Azure AD B2C.

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,955 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,521 questions
{count} votes

3 answers

Sort by: Most helpful
  1. risolis 8,726 Reputation points
    2022-10-20T05:04:27.36+00:00

    Hello @Paul Stevenson

    Thank you for your post on this community space.

    I would like to provide the next post which seems to be very similar for what you were describing previously.... So please direct yourself down below:

    https://stackoverflow.com/questions/73408144/azure-b2c-client-credentials-flow-throws-invalid-grant-aadb2c90085

    I hope you can find this useful to overcome your concern.

    Looking forward to your feedback,

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  2. Paul Stevenson 1 Reputation point
    2022-10-20T12:39:52.267+00:00

    Hi Ricardo, thank you for pointing to this stack overflow post. Unfortunately, I had already seen it and tried both solutions in that post. I actually noticed there have logs in the audit logs but none of them offer useful information. Is there anything else that I have to configure in custom policies to support client_credentials?

    252503-image.png


  3. Shweta Mathur 30,101 Reputation points Microsoft Employee
    2022-10-26T11:46:07.183+00:00

    Hi @Paul Stevenson ,

    Thanks for reaching out.

    The error you are getting is due to configuration is not correct while setting up client credential flow in Azure AD B2C.

    I tried to reproduce the issue and got same error due to incorrect scope.

    Steps to set up client credential flow :

    1. Register App2 and expose the scopes by setting the application id URI.

    254269-image.png

    2.Update manifest to define app roles

     {  
         "allowedMemberTypes": [  
         "Application"  
         ],  
         "description": "B2CRole",  
         "displayName": "B2CRole",  
         "id": "1fb805ae-3118-4e7c-b5e0-032c289eaf44",  
         "isEnabled": true,  
         "lang": null,  
         "origin": "Application",  
         "value": "B2CRole"  
         },  
         {  
         "allowedMemberTypes": [  
         "Application"  
         ],  
         "description": "B2C",  
         "displayName": "B2C",  
         "id": "7316bf0a-f704-4bd4-9d9d-baf2d6f7719e",  
         "isEnabled": true,  
         "lang": null,  
         "origin": "Application",  
         "value": "B2C"  
         }],  
    

    3.Register the app1 and update the app's accessTokenAcceptedVersion is set to 2
    4.Grant the app(app1) permission for API(app2).

    254364-image.png

    5.Request the access token . Make sure to pass correct scope. e.g https://<tenantName>.onmicrosoft.com/api/.default

    254365-image.png

    6.Decode the token using jwt.ms to see the scopes.

    254352-image.png

    Hope this will help.

    Thanks,
    Shweta


    Please remember to "Accept Answer" if answer helped you.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.