How to request access token using client_assertion in an Azure B2C custom policy?

Mera, C (Claudiu) 90 Reputation points
2025-01-31T12:23:53.4566667+00:00

I have a requirement to provide an API to our consumers. The intention is to secure the API using AzureAD B2C - Client Credential Grant flow. The authentication is via Client Certificate.

I have created a custom policy on B2C tenant that provides the access token.

I have used the sample Hello World policy available here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policies-series-hello-world

Things work fine with the clientId and secret authentication method.

I now want to secure the OAuth2 conversation further by allowing the client to use the signed client_assertion as opposed to static client secret using their protected key.

I have uploaded the public portion of the key into the relevant app registration.

When I perform the request to https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/B2C_1A_MYPOLICY/oauth2/v2.0/token

I get the following error: AADB2C99027: Policy 'B2C_1A_MYPOLICY' does not contain a AuthorizationTechnicalProfile with a corresponding ClientAssertionType.

How can I add this kind of technical profile for supporting client_assertion instead of client secret? Any help is much appreciated.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID
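The exchange the question describes, as an added example that is not code from the question, the answer or the B2C documentation: the client side builds the RFC 7523 client_assertion JWT that replaces client_secret in the client credentials request, and the token-endpoint side runs the validation that the AADB2C99027 error says the policy has no technical profile for. The token endpoint follows the shape of the URL in the question; the client ID is a placeholder.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Constructed values: endpoint shaped like the one in the question, placeholder client ID.
const tokenEndpoint = "https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/B2C_1A_MYPOLICY/oauth2/v2.0/token"
const clientID = "00000000-0000-0000-0000-000000000000"

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion makes the RFC 7523 JWT the client sends as client_assertion
// (client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer) instead of
// client_secret: iss and sub are the client ID, aud the token endpoint, RS256-signed by the client key.
func BuildClientAssertion(key *rsa.PrivateKey, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID,
		"aud": tokenEndpoint, "iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()})
	input := b64(header) + "." + b64(claims)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil { return "", err }
	return input + "." + b64(sig), nil
}

// VerifyClientAssertion is what a token endpoint has to do with the assertion: check the
// signature against the registered public key, then iss/sub/aud against itself and exp against the clock.
func VerifyClientAssertion(assertion string, pub *rsa.PublicKey, now time.Time) error {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 { return errors.New("malformed assertion") }
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return errors.New("signature does not verify with the registered public key")
	}
	raw, _ := base64.RawURLEncoding.DecodeString(parts[1])
	var c struct{ Iss, Sub, Aud string; Exp int64 }
	if json.Unmarshal(raw, &c) != nil || c.Iss != clientID || c.Sub != clientID || c.Aud != tokenEndpoint {
		return errors.New("iss/sub/aud do not match this client and endpoint")
	}
	if now.Unix() >= c.Exp { return errors.New("assertion expired") }
	return nil
}
```

The public half of `key` is what the question uploaded to the app registration; the token request itself carries the assertion in the `client_assertion` form field alongside `grant_type=client_credentials`.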

1 answer

  1. Navya 20,100 Reputation points Microsoft External Staff Moderator
    2025-01-31T15:31:24.41+00:00

    Thank you for posting this in Microsoft Q&A.

    I understand that you want to request an access token using client_assertion instead of client_id in an Azure B2C custom policy.

    Unfortunately, certificates are not supported in Azure AD B2C user flows or custom policies.

    So, currently, you can't obtain an access token using client_assertion in the client credentials flow in Azure AD B2C.


    For your reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/app-registrations-training-guide#application-certificates--secrets

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/client-credentials-grant-flow?pivots=b2c-custom-policy

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.


    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query, do let us know.

    1 person found this answer helpful.
