SPA in B2C can't successfully get a token for API in a different tenant

Paul Stevenson 1 Reputation point
2023-11-30T10:19:43.76+00:00

Hello,

I have a scenario where I have two apps, one client application (SPA)(Client A), which is a frontend that connects to an API (API B). Client A lives in a B2C tenant and API B lives in the main tenant (the parent tenant).

After having created API B's presence in the B2C tenant, I was able to assign a Delegated permission in Client A to API B, gave it Admin Consent, and it seems properly configured.

Then, once MSAL.js tries to .acquireTokenSilent to API B passing the refresh token, the following message appears in both the client console (browser) and in the audit logs of the B2C tenant.

{
    "error": "invalid_request",
    "error_description": "AADB2C90117: The scope 'api://00000-0000-111111-222222/client' provided in the request is not supported.\r\nCorrelation ID: 98f8e66e-a14f-4810-9b11-4711b777c4b9\r\nTimestamp: 2023-11-29 21:57:11Z\r\n"
}

If I extract the request issued to the B2C tenant's /oauth2/v2.0/token endpoint, it looks like this (I suppressed noisy headers etc.):

curl --location 'https://<MY B2C TENANT>.b2clogin.com/<MY B2C TENANT>.onmicrosoft.com/b2c_1a_signup_signin_passwordless_only/oauth2/v2.0/token' \
---- SUPPRESSED HEADERS FOR CLARITY -----
--data 'client_id=<CLIENT A CLIENT ID>&scope=<API B SCOPE ENCODED>%20openid%20profile%20offline_access&grant_type=refresh_token&refresh_token=<A REFRESH TOKEN>&X-AnchorMailbox=Oid%3A42a06d16-5a71-454a-8837-6b1ca50573a7-b2c_1a_signup_signin_passwordless_only%40bd5991ad-26aa-4baf-97f3-35faac353b53'

Any idea?

EDIT: some other reflections
If this perhaps means that B2C custom policies don't support multi-tenancy, how can I have a SPA using custom policies call an API in the parent (external) tenant? Even if I added a new identity provider, users that exist in the B2C tenant don't exist in the parent tenant. Should I instead create an API (API C) in the B2C tenant, where Client A obtains a token for it (as a local app), and then API C generates a token for API B on behalf of the user? Would it change anything? Or am I missing something?
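As an added diagnostic example (not part of the original question and not MSAL.js code), the following helper parses a B2C token request body shaped like the curl --data above together with the error JSON it returned, groups the requested scopes by resource, and pulls the error code, rejected scope and correlation ID out of the error so they can be matched against the B2C audit logs. The client_id and refresh_token values are constructed placeholders.

```javascript
// Reserved OIDC scopes never name a resource; everything else is "<resource>/<permission>".
const OIDC_SCOPES = new Set(["openid", "profile", "email", "offline_access"]);

function parseTokenRequest(body) {
  const params = new URLSearchParams(body); // decodes %20, %3A, %2F, etc.
  const scopes = (params.get("scope") || "").split(/\s+/).filter(Boolean);
  const resourceScopes = scopes.filter((s) => !OIDC_SCOPES.has(s));
  // Group resource scopes by the identifier before the last '/', e.g. api://<app-id>.
  const resources = new Set(resourceScopes.map((s) => s.slice(0, s.lastIndexOf("/"))));
  return {
    grantType: params.get("grant_type"),
    clientId: params.get("client_id"),
    scopes,
    resources: [...resources],
  };
}

function parseB2CError(errorJson) {
  const { error, error_description: desc = "" } = JSON.parse(errorJson);
  const pick = (re) => (desc.match(re) || [])[1] || null;
  return {
    error,
    code: pick(/^(AADB2C\d+)/),
    scope: pick(/scope '([^']+)'/),
    correlationId: pick(/Correlation ID: ([0-9a-f-]+)/i),
  };
}

function diagnose(body, errorJson) {
  const request = parseTokenRequest(body);
  const error = parseB2CError(errorJson);
  const findings = [];
  if (request.resources.length > 1) {
    findings.push("scopes name more than one resource; one access token covers a single resource");
  }
  if (error.scope && !request.scopes.includes(error.scope)) {
    findings.push("the rejected scope does not match any requested scope; check URL encoding");
  } else if (error.scope) {
    findings.push(`scope '${error.scope}' was requested but the issuing tenant reports it as unsupported; verify the API's app registration and exposed scope in that tenant`);
  }
  return { request, error, findings };
}

// Constructed sample input modelled on the question's request and error (placeholder secrets).
const SAMPLE_REQUEST_BODY =
  "client_id=11111111-1111-1111-1111-111111111111" +
  "&scope=api%3A%2F%2F00000-0000-111111-222222%2Fclient%20openid%20profile%20offline_access" +
  "&grant_type=refresh_token&refresh_token=PLACEHOLDER_REFRESH_TOKEN";
const SAMPLE_ERROR = String.raw`{"error":"invalid_request","error_description":"AADB2C90117: The scope 'api://00000-0000-111111-222222/client' provided in the request is not supported.\r\nCorrelation ID: 98f8e66e-a14f-4810-9b11-4711b777c4b9\r\nTimestamp: 2023-11-29 21:57:11Z\r\n"}`;

console.log(JSON.stringify(diagnose(SAMPLE_REQUEST_BODY, SAMPLE_ERROR), null, 2));
```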
