Custom Policy Client Credential flow incompatible with RestfulProvider?

AdamKozmic-7665 60 Reputation points
2023-03-20T21:24:31.23+00:00

I'm trying to use the client-credential flow while securing an API endpoint via a Validation Profile and I've followed this guide: https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api?tabs=macos&pivots=b2c-custom-policy#oauth2-bearer-authentication

I'm trying to do the client_credential exchange against a User Policy, but it appears that the user policies require the clientId and clientSecret to be passed in the form data instead of Basic authentication.

If I pass the client_id and client_secret via form data in Postman, it works as expected.

If I do basic auth in Postman, I get this:

https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{POLICY}/oauth2/v2.0/token

{
    "error": "invalid_client",
    "error_description": "AADB2C90008: The request does not contain a client id parameter.\r\nCorrelation ID: ec7449bd-2166-43cd-9550-a119634479a1\r\nTimestamp: 2023-03-20 21:15:31Z\r\n"
}


Translated to the custom policy, here's my failing technical profile


Just for testing, I hard-coded the ClientID and ClientSecret as InputClaims and set Authentication type to "None" and voila! it works, as shown below:


I obviously don't want to hardcode the secret in plaintext in an XML file, so I'm trying to find a workaround, but per https://learn.microsoft.com/en-us/answers/questions/1114971/custom-policy-include-policy-key-as-input-claim it doesn't appear that you can assign a PolicyKey to an input claim.

Interestingly enough, if I do the exchange with Basic auth against my tenant URL (https://login.microsoftonline.com/%7Btenant%7D.onmicrosoft.com/oauth2/v2.0/token), it works; however, I want to use a Custom Policy.

Is there any workaround here, or a way of enabling basic auth on a Custom Policy's client_credential exchange?
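The two request shapes the question compares, as an added example that is not part of the original post: `client_secret_post` puts the credentials in the form body (what the B2C policy endpoint accepted), while `client_secret_basic` sends them in an Authorization header (what returned AADB2C90008). The token URL pattern is the one from the question with placeholders; the client id, secret and scope values are constructed for the example.

```python
import base64
from urllib.parse import quote, unquote, urlencode

# Endpoint pattern from the question; {TENANT} and {POLICY} are placeholders.
TOKEN_URL = "https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{POLICY}/oauth2/v2.0/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the client_secret_basic header per RFC 6749 section 2.3.1:
    form-urlencode id and secret first, then base64 'id:secret'."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def decode_basic_header(header: str) -> tuple:
    """Inverse of basic_auth_header, useful when checking what a client sent."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("ascii").partition(":")
    return unquote(user), unquote(password)


def build_token_request(client_id: str, client_secret: str, scope: str,
                        method: str = "client_secret_post") -> tuple:
    """Return (headers, urlencoded body) for a client_credentials grant.

    method selects how the client authenticates; nothing is sent here, the
    caller can hand the result to any HTTP library for a POST to TOKEN_URL.
    """
    form = {"grant_type": "client_credentials", "scope": scope}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_post":
        # Credentials travel in the body: the shape the policy endpoint accepted.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    elif method == "client_secret_basic":
        # Credentials travel in the header: the shape that produced AADB2C90008.
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        raise ValueError(f"unsupported client authentication method: {method}")
    return headers, urlencode(form)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for m in ("client_secret_post", "client_secret_basic"):
        print(m, build_token_request("app-id", "s=cret", "https://x/.default", m))
```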

Microsoft Entra External ID