Attempting to set up a client credentials flow for B2C and receiving an "invalid_grant" error

Question

Attempting to set up a client credentials flow for B2C and receiving an "invalid_grant" error

Rian 0

Wondering if there is any way to diagnose an "invalid_grant" error when attempting to set up a client credentials flow to allow programmatic access to an API. I have followed the directions as detailed here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/client-credentials-grant-flow?pivots=b2c-user-flow I have double-checked all the associated values. I'm attempting to acquire a token with Postman. The audit logs on Azure simply repeat the error. Any suggestions?

Navya 20,180 Reputation points Microsoft External Staff Moderator

2024-02-15T06:16:22.6+00:00

Hi @Rian Schmidt

Thank you for posting this in Microsoft Q&A.

Could you please share the client-credentials flow parameters which you are using when requesting an access token in B2C and how you register the application? If it's possible, could you share the error message details, it would help me understand the error.

Rian 0

Sure.... I'm posting to:

https://rainone.b2clogin.com/rainone.onmicrosoft.com/B2C_1_std_auth/oauth2/v2.0/token The parameters:

client_id:a8baf7fa-c141-4379-8f9a-xxxxxxxxxxxx client_secret:1B38Q~HYdgmbe.HTKT~I.REmpvQxxxxxxxxxxxx 
grant_type:client_credentials 
scope:https://rainone.onmicrosoft.com/graphql/.default

I get the error:

{
    "error": "invalid_grant",
    "error_description": "AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.\r\nCorrelation ID: 302b2095-e12a-478d-8d63-50c57b099638\r\nTimestamp: 2024-02-16 00:30:39Z\r\n"
}

We have an application (app1) that users access with "normal" user flow that works fine.

This application (app2) is intended to log in without a user involved. I added the following to the manifest of the backend application (app1):

	"appRoles": [
		{
			"allowedMemberTypes": [
				"Application"
			],
			"description": "Writers have the ability to create tasks.",
			"displayName": "Write",
			"id": "3f8b3e09-2de4-4264-b619-fcb2cb1fd549",
			"isEnabled": true,
			"lang": null,
			"origin": "Application",
			"value": "app.write"
		},
		{
			"allowedMemberTypes": [
				"Application"
			],
			"description": "Readers have the ability to read tasks.",
			"displayName": "Read",
			"id": "24cf3d8d-60f4-4076-97b3-7ecb7e04a77f",
			"isEnabled": true,
			"lang": null,
			"origin": "Application",
			"value": "app.read"
		}
	],

I also added those roles to the API Permissions of the defined application (app2).

Navya 20,180 Reputation points Microsoft External Staff Moderator

2024-02-27T03:36:38.9833333+00:00

Hi @Rian
Following up to see If the information above has been helpful in addressing your question and if you had any other questions or if you were able to resolve this issue?

1 answer

Your answer

Navya 20,180 Reputation points Microsoft External Staff Moderator

2024-02-15T06:16:22.6+00:00

Hi @Rian Schmidt

Thank you for posting this in Microsoft Q&A.

Could you please share the client-credentials flow parameters which you are using when requesting an access token in B2C and how you register the application? If it's possible, could you share the error message details, it would help me understand the error.
Rian 0 Reputation points

2024-02-16T00:49:07.7733333+00:00

Sure.... I'm posting to:

https://rainone.b2clogin.com/rainone.onmicrosoft.com/B2C_1_std_auth/oauth2/v2.0/token The parameters:

client_id:a8baf7fa-c141-4379-8f9a-xxxxxxxxxxxx client_secret:1B38Q~HYdgmbe.HTKT~I.REmpvQxxxxxxxxxxxx grant_type:client_credentials scope:https://rainone.onmicrosoft.com/graphql/.default

I get the error:

{ "error": "invalid_grant", "error_description": "AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.\r\nCorrelation ID: 302b2095-e12a-478d-8d63-50c57b099638\r\nTimestamp: 2024-02-16 00:30:39Z\r\n" }

We have an application (app1) that users access with "normal" user flow that works fine.

This application (app2) is intended to log in without a user involved. I added the following to the manifest of the backend application (app1):

"appRoles": [ { "allowedMemberTypes": [ "Application" ], "description": "Writers have the ability to create tasks.", "displayName": "Write", "id": "3f8b3e09-2de4-4264-b619-fcb2cb1fd549", "isEnabled": true, "lang": null, "origin": "Application", "value": "app.write" }, { "allowedMemberTypes": [ "Application" ], "description": "Readers have the ability to read tasks.", "displayName": "Read", "id": "24cf3d8d-60f4-4076-97b3-7ecb7e04a77f", "isEnabled": true, "lang": null, "origin": "Application", "value": "app.read" } ],

I also added those roles to the API Permissions of the defined application (app2).
Navya 20,180 Reputation points Microsoft External Staff Moderator

2024-02-27T03:36:38.9833333+00:00

Hi @Rian
Following up to see If the information above has been helpful in addressing your question and if you had any other questions or if you were able to resolve this issue?

Answer 1

Hi @Rian

As you provide client-credentials flow parameters, I understand that you are passing valid token endpoint and parameter values. Could you confirm whether you have completed all the steps listed below to register applications?

1.Register App2 and expose the scopes by setting the application id URI.

Update manifest to define app roles.

    {  
        "allowedMemberTypes": [  
        "Application"  
        ],  
        "description": "B2CRole",  
        "displayName": "B2CRole",  
        "id": "1fb805ae-3118-4e7c-b5e0-032c289eaf44",  
        "isEnabled": true,  
        "lang": null,  
        "origin": "Application",  
        "value": "B2CRole"  
        },  
        {  
        "allowedMemberTypes": [  
        "Application"  
        ],  
        "description": "B2C",  
        "displayName": "B2C",  
        "id": "7316bf0a-f704-4bd4-9d9d-baf2d6f7719e",  
        "isEnabled": true,  
        "lang": null,  
        "origin": "Application",  
        "value": "B2C"  
        }],

3.Register the new one (app1) and update the app's accessTokenAcceptedVersion is set to 2.

4.Create a client secret for app1

5.Grant the app(app1) permission for API (app2).

App1 -> API permission -> Add a permission -> select App2 with client id -> Select Application permission ->Select Add permissions.

Then Grant admin consent for those permissions.

5.Request the access token. The actual POST request looks like below:

Replace tenant name and policy.

Make sure to pass correct scope. e.g. https://<tenantName>.onmicrosoft.com/api/.default

POST 

https://<tenant-name>.b2clogin.com/<tenantname>.onmicrosoft.com/<policy>/oauth2/v2.0/token

grant_type=client_credentials
&client_id= Replace App1 client_id
&client_secret= App1 client secret
&scope=

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

Share via

Attempting to set up a client credentials flow for B2C and receiving an "invalid_grant" error

1 answer

Your answer