I have issues getting an access token using client credentials in API Management Credentials Manager.
I am using Entra External ID for external tenants as an identity provider.
Credentials Provider details:
- Identity provider: OAuth 2.0
- Grant type: client credentials
- Authorization URL: empty
- Refresh URL: empty
- Token URL: https://<tenant id>.ciamlogin.com/<tenant id>/oauth2/v2.0/token
The error:
Failed to acquire access token for service using client credentials flow: IdentityProvider=oauth2. Correlation Id=c9b9d0e2-cf03-42a5-8e3e-0327a8841f3a, UTC TimeStamp=6/5/2024 1:24:23 PM, Error: Failed to exchange client credentials for token. Response code=BadRequest, Details: {"error":"invalid_request","error_description":"AADSTS90014: The required field 'scope' is missing from the credential. Ensure that you have all the necessary parameters for the login request. Trace ID: 14689e05-8545-45af-a0d1-3cb70a090000 Correlation ID: e04d620f-5340-42db-82fd-6e9b6a5a1553 Timestamp: 2024-06-05 13:24:23Z","error_codes":[90014],"timestamp":"2024-06-05 13:24:23Z","trace_id":"14689e05-8545-45af-a0d1-3cb70a090000","correlation_id":"e04d620f-5340-42db-82fd-6e9b6a5a1553","error_uri":"https://<tenant id>.ciamlogin.com/error?code=90014"}
And that's expected, because there is no way to provide a scope.
I managed to get the token using Azure Active Directory v1 as an Identity Provider.
- Identity provider: Azure Active Directory v1
- Grant type: client credentials
- Authorization URL: https://<tenant id>.ciamlogin.com
- Resource URL: <Application ID URI>
- Tenant Id: <tenant id>
The questions are:
- Can the workaround with Azure AD v1 be used in production?
- Is there a correct way to make it work?
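Added example, not from the question's author: a small Python client that sends the client-credentials request the v2.0 token endpoint expects, with the `scope` parameter the AADSTS90014 error says is missing set to `<Application ID URI>/.default` (the v2 equivalent of the v1 `resource` parameter), and that pulls the AADSTS code out of an error response. Tenant, client id, secret and Application ID URI are constructed placeholders.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

# Constructed placeholders; substitute the real tenant, app registration and Application ID URI.
TOKEN_URL = "https://<tenant id>.ciamlogin.com/<tenant id>/oauth2/v2.0/token"
CLIENT_ID = "<client id>"
CLIENT_SECRET = "<client secret>"
APP_ID_URI = "api://example-backend"  # Application ID URI of the protected API (constructed)


def default_scope(app_id_uri: str) -> str:
    """v2.0 endpoints express 'the app's granted application permissions on this resource'
    as <resource>/.default; this is what the v1 'resource' parameter becomes on v2."""
    return app_id_uri.rstrip("/") + "/.default"


def build_v2_client_credentials_body(client_id: str, client_secret: str, app_id_uri: str) -> str:
    """Form body for a v2.0 client_credentials request, including the 'scope' field
    that AADSTS90014 reports as missing."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": default_scope(app_id_uri),
    })


def aadsts_error_code(response_body: str) -> Optional[int]:
    """Return the first AADSTS numeric code from a token endpoint error body, or None on success."""
    codes = json.loads(response_body).get("error_codes") or []
    return codes[0] if codes else None


def request_token(token_url: str, body: str) -> dict:
    """POST the form to the token endpoint; returns the parsed JSON of either the
    success or the error response instead of raising on HTTP 400."""
    req = urllib.request.Request(
        token_url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return json.loads(err.read())


if __name__ == "__main__":
    result = request_token(TOKEN_URL, build_v2_client_credentials_body(CLIENT_ID, CLIENT_SECRET, APP_ID_URI))
    code = aadsts_error_code(json.dumps(result))
    print("token acquired" if "access_token" in result else f"token request failed: AADSTS{code}")
```

Comparing this body with the request Credentials Manager emits (a proxy capture or the endpoint's error body is enough) shows whether `scope` is the only parameter the connector leaves out.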