oauth2-on-behalf-of-flow on Azure Entra ID doesn't work

Hevia Colinas, Carlos 6 Reputation points
2024-01-28T18:34:02.8366667+00:00

I have the following apps created on Azure AD B2C / Entra:

  • MyApi2
    • With scope myapi2
  • MyApi1
    • With scope myapi1
    • Access allowed to scope myapi2
    • Access allowed to scope User.Read of Microsoft Graph
  • SPA client
    • Access allowed to scope myapi1

My intention is to make a request to MyApi1 with the token of my SPA client, and for MyApi1 to obtain a delegated token and be able to make a request to MyApi2 with the user information (user ID, email, etc.). I get the token for the SPA, but when I try to make the request to get the token from MyApi1 to call MyApi2 I get the following error message:

  ADSTS50013: Assertion failed signature validation. [Reason - The key was not found., Please visit t

I get the token for MyApi1 correctly...

[Screenshot: postam_step_1]

When I try to get the delegated token, which should allow me to call MyApi2, I get this error...

[Screenshot: postam_step_2]

I think the problem is that I am mixing Azure B2C with Azure Entra... Although I understood that it is more or less the same.

Can anyone help me get the delegated token?


1 answer

  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2024-01-29T05:50:07.6966667+00:00

    Hi @Carlos , Thanks for reaching out.

    Your understanding is correct here. You are getting this error as you are trying to configure On-behalf-of flow between Entra ID and Azure AD B2C.

    The On-Behalf-Of flow is suitable for chained Web APIs, where one API needs to call another downstream Web API.

    Azure AD B2C doesn't support the On-Behalf-Of flow, so we can't utilize its token to call another downstream API.

    However, while On-Behalf-Of works for applications registered in Microsoft Entra ID, it does not work for applications registered in Azure AD B2C, regardless of the tenant (Microsoft Entra ID or Azure AD B2C) that is issuing the tokens.

    Hope this will help.

    Thanks, Shweta


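As an added example (not code from the question, the answer, or Microsoft), the following script shows what a middle-tier API such as MyApi1 can check before attempting an On-Behalf-Of exchange, and what the Entra ID v2.0 OBO token request itself looks like. It decodes the incoming bearer token's claims without verifying the signature (inspection only; the API's normal auth middleware must still validate the signature), flags assertions whose issuer is an Azure AD B2C authority (the mismatch the answer describes, which surfaces as a signature-validation failure because the Entra tenant has no key for a B2C-issued token), and builds the form body for the OBO grant. All tenant IDs, client IDs, the `contoso` B2C tenant name and the scope URI are constructed placeholders, and the two sample tokens are unsigned demo tokens built inline.

```python
"""Pre-flight checks for an OAuth2 On-Behalf-Of (OBO) exchange (added example).

Decodes claims WITHOUT signature verification (inspection only), flags
B2C-issued assertions, and builds the Entra ID v2.0 OBO request body.
"""
import base64
import json
from urllib.parse import urlencode

# Constructed placeholders: not real tenant, application or scope identifiers.
ENTRA_TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
B2C_TENANT_ID = "00000000-0000-0000-0000-00000000bbbb"
MYAPI1_CLIENT_ID = "11111111-1111-1111-1111-111111111111"          # hypothetical MyApi1 app ID
MYAPI2_SCOPE = "api://22222222-2222-2222-2222-222222222222/myapi2"  # hypothetical MyApi2 scope

ENTRA_ISSUER = f"https://login.microsoftonline.com/{ENTRA_TENANT_ID}/v2.0"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{ENTRA_TENANT_ID}/oauth2/v2.0/token"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_demo_jwt(claims: dict) -> str:
    """Build an UNSIGNED demo token (constructed sample for offline use only)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "placeholder-signature",
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. Does NOT validate the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_obo_assertion(token: str) -> list:
    """Return reasons this token cannot serve as an OBO assertion against Entra ID (empty if none)."""
    problems = []
    claims = decode_claims(token)
    iss = claims.get("iss", "")
    if ".b2clogin.com/" in iss:
        problems.append("issuer is an Azure AD B2C authority; "
                        "B2C tokens are not accepted by the Entra ID OBO grant")
    elif iss != ENTRA_ISSUER:
        problems.append(f"unexpected issuer {iss!r}; expected {ENTRA_ISSUER!r}")
    # Assumption: v2.0 access tokens for this API carry its client ID in 'aud'.
    if claims.get("aud") != MYAPI1_CLIENT_ID:
        problems.append("audience is not this API; only tokens issued for MyApi1 may be exchanged")
    return problems


def build_obo_request(assertion: str, client_secret: str) -> tuple:
    """Return (url, form_fields) for the v2.0 On-Behalf-Of grant (jwt-bearer)."""
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": MYAPI1_CLIENT_ID,
        "client_secret": client_secret,
        "assertion": assertion,            # the caller's access token for MyApi1
        "scope": MYAPI2_SCOPE,             # what MyApi1 wants to call on the user's behalf
        "requested_token_use": "on_behalf_of",
    }
    return TOKEN_ENDPOINT, form


# Constructed sample tokens: one from the Entra tenant, one from a B2C authority.
GOOD_TOKEN = make_demo_jwt({"iss": ENTRA_ISSUER, "aud": MYAPI1_CLIENT_ID,
                            "sub": "user-1", "scp": "myapi1"})
B2C_TOKEN = make_demo_jwt({"iss": f"https://contoso.b2clogin.com/{B2C_TENANT_ID}/v2.0/",
                           "aud": MYAPI1_CLIENT_ID, "sub": "user-1"})

if __name__ == "__main__":
    for name, tok in [("Entra token", GOOD_TOKEN), ("B2C token", B2C_TOKEN)]:
        print(name, "->", check_obo_assertion(tok) or "acceptable as OBO assertion")
    url, form = build_obo_request(GOOD_TOKEN, "<client-secret-placeholder>")
    print("POST", url)
    print(urlencode(form)[:80] + "...")
```

Running it flags the B2C-issued sample up front with a readable reason, instead of letting the request reach the token endpoint and fail with a key-not-found signature error; the Entra-issued sample passes and the printed form shows the six fields the OBO grant needs.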
