How do I use client_assertion as opposed to a static secret within the Azure B2C client_credentials grant flow?

CHAWLA,Amit 0 Reputation points
2023-01-23T02:14:40.53+00:00
I have a requirement to provide API to our consumers. The intention is to secure the API using AzureAD B2C - Client Credential Grant flow.

I have created a custom policy on B2C tenant that provides the access token. Things work fine with the clientId and Secret authentication method.

I now want to secure the OAuth2 conversation further by allowing the client to use the signed client_assertion as opposed to static client secret using their protected key. I have uploaded the public portion of the key into the relevant app registration.

Unfortunately, consuming the /token endpoint with the signed client_assertion results in an error.
REQUEST
https://.b2clogin.com/.onmicrosoft.com/b2c_1a_demo_clientcredentialsflow/oauth2/v2.0/token
grant_type=client_credentials&scope=https%3A%2F%2Fapi%2F.default&client_id=d5339984-e6c7-457a-9ef9-21fb6e3e6c59&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJhbGciOiJo

RESPONSE
HTTP/1.1 400 Bad Request
{"error":"invalid_request","error_description":"AADB2C99027: Policy 'B2C_1A_Demo_ClientCredentialsFlow' does not contain a AuthorizationTechnicalProfile with a corresponding ClientAssertionType.\r\nCorrelation ID: 5eb76fa5-c919-4877-a722-0d38408e18c6\r\nTimestamp: 2023-01-19 07:38:25Z\r\n"}

Can someone please tell me if B2C is intended to support client assertions? Metadata JSON on the policy returns only the following two authentication methods:
"token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
]

Is it possible to include private_key_jwt as a supported authentication method using custom policy configuration? Is it possible to configure the AuthorizationTechnicalProfile for the policy with a corresponding ClientAssertionType?

I used the guidance here to implement client credentials grant flow on my b2c tenant: 

The only difference is that I want to use dynamic 
Please do let me know in case you need further information. Thanks!
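What the request in the question would carry when a token endpoint supports private_key_jwt, as an added Go example that is not from the original post and not Azure AD B2C code (which, per the answer below, does not accept client assertions): the client signs a short-lived JWT with the private key whose public half was uploaded to the app registration and sends it as client_assertion in place of client_secret. The RSA key, client_id and tenant URL used in main are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion signs a private_key_jwt client assertion (RFC 7523) with the client's RSA key.
// iss and sub are the client_id, aud pins it to one token endpoint, exp is short and jti is unique,
// so a captured assertion is useless elsewhere and expires quickly, unlike a static client_secret.
func BuildClientAssertion(key *rsa.PrivateKey, clientID, tokenEndpoint string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), "jti": b64(jti)})
	input := b64(hdr) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input)) // RS256 is RSASSA-PKCS1-v1_5 over SHA-256
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// TokenRequestBody is the form body from the question: the assertion and its type replace client_secret.
func TokenRequestBody(clientID, scope, assertion string) string {
	v := url.Values{"grant_type": {"client_credentials"}, "scope": {scope}, "client_id": {clientID},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion": {assertion}}
	return v.Encode()
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the key whose public half was uploaded
	tokenEndpoint := "https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/b2c_1a_demo_clientcredentialsflow/oauth2/v2.0/token" // placeholder
	assertion, _ := BuildClientAssertion(key, "CLIENT-ID-PLACEHOLDER", tokenEndpoint, time.Now())
	fmt.Println(TokenRequestBody("CLIENT-ID-PLACEHOLDER", "https://api/.default", assertion))
}
```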

1 answer

  1. Shweta Mathur 30,196 Reputation points Microsoft Employee
    2023-01-24T10:24:08.92+00:00

    Hi @CHAWLA,Amit,

    Thanks for reaching out.

    Unfortunately, as of now client assertion types are not supported in B2C user flows / custom policies.

    I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.

    For another question "Also, this page says that the Azure AD B2C client credentials flow is currently in preview. Does anyone know when this feature will be become GA?"

    I am checking internally on this and will update here once I get an update on that.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.
