The supplied grant_type [client_credentials] is not supported

Joe S George 46 Reputation points
2020-05-21T07:46:11.34+00:00

Hi Team,

I was using login.microsoftonline.com to get my token. Now I am trying to migrate it to b2clogin.com. It is giving an error

"The supplied grant_type [client_credentials] is not supported"

I am not using any custom policies. I have created a user flow for signinsignout.

This is my API:

POST https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user flow name}/oauth2/v2.0/token

client_secret = xxxxxxx
client_id = xxxxxxxx
grant_type = client_credentials
scope = https://graph.microsoft.com/.default

Please help. Thank You.


Accepted answer
  1. soumi-MSFT 11,761 Reputation points Microsoft Employee
    2020-05-21T13:41:13.12+00:00

    @Joe S George , If your main issue is trying to get an application authenticated with AAD, you certainly need to use the Client_Credential flow of OAuth 2.0.

    A B2C tenant and an AAD tenant are two different tenants. It all depends on where you have registered your application.

    Suppose we have an application named App1, which is registered in an AAD tenant; then the app must request a token from the AAD tenant to get itself authenticated. In that case your auth request should look like:

    POST https://login.microsoftonline.com/{tenantid/tenantName}/oauth2/token  
    resource:https://graph.microsoft.com  
    grant_type:client_credentials   
    client_id : xxx-xxx-xxx  
    client_secret: xxx-xxx-xxx  
    

    On the contrary, if you have registered your application in the B2C tenant, then you need to make a call to the B2C tenant to get your application authenticated using the client-credential flow. But note that B2C as of now doesn't support the client-credential flow of OAuth.

    Yes, we are deprecating login.microsoftonline.com for only the B2C tenant as you mentioned, and that is basically to draw a line of difference between the purposes the app is being used for. To elaborate on this, when you register an application in the B2C tenant using the App registrations blade, that app can be used to get a token both from the AAD tenant (which underlies the B2C tenant) and from the B2C tenant. Now, to remove the confusion about where the token is being requested from, we are deprecating the use of login.microsoftonline.com for the apps being used to request tokens from the B2C tenants.
    Hence what we suggest is to use:

    • b2clogin.com while requesting tokens from B2C tenants.
    • login.microsoftonline.com when requesting tokens from AAD tenants.

    Note: Again, I would like to reiterate that the B2C tenant as of now doesn't support the Client_credential flow; hence if your app is designed to fetch tokens using the client_credentials flow, try using login.microsoftonline.com and get the tokens issued from AAD rather than B2C.

    Hope this clarifies your doubts. In case there are any more queries around this, always feel free to reach out so that we can help you better and get you a better grip on the Azure Technologies.

    Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.
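The routing rule from the accepted answer, as an added example that is not part of the original thread: a pre-flight check that rejects `client_credentials` against a b2clogin.com authority and builds (without sending) the login.microsoftonline.com request shown above. The function names, the `contoso.onmicrosoft.com` tenant and the credential values are hypothetical placeholders.

```python
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

AAD_HOST = "login.microsoftonline.com"
B2C_SUFFIX = ".b2clogin.com"  # leading dot: only true subdomains match


def check_grant(token_url: str, grant_type: str) -> None:
    """Raise ValueError for the combination the thread reports as unsupported."""
    host = (urlsplit(token_url).hostname or "").lower()
    if host.endswith(B2C_SUFFIX) and grant_type == "client_credentials":
        raise ValueError(
            f"{host}: client_credentials is not supported on b2clogin.com; "
            f"request the app token from {AAD_HOST}"
        )
    if host != AAD_HOST and not host.endswith(B2C_SUFFIX):
        raise ValueError(f"unexpected token host: {host!r}")


def build_app_token_request(tenant: str, client_id: str, client_secret: str,
                            resource: str = "https://graph.microsoft.com") -> Request:
    """Build (not send) the client-credentials POST from the accepted answer."""
    url = f"https://{AAD_HOST}/{tenant}/oauth2/token"
    check_grant(url, "client_credentials")
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }
    return Request(url, data=urlencode(form).encode(), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def redacted(req: Request) -> str:
    """Form body that is safe to log: the secret value is masked."""
    pairs = req.data.decode().split("&")
    return "&".join("client_secret=***" if p.startswith("client_secret=") else p for p in pairs)


if __name__ == "__main__":
    # Constructed placeholder values; nothing is sent over the network.
    req = build_app_token_request("contoso.onmicrosoft.com",
                                  "app-id-placeholder", "secret-placeholder")
    print(req.get_method(), req.full_url)
    print(redacted(req))
```
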


4 additional answers

  1. Jai Verma 461 Reputation points
    2020-05-21T08:11:17.257+00:00

  2. soumi-MSFT 11,761 Reputation points Microsoft Employee
    2020-05-21T08:14:27.963+00:00

    @Joe S George , The grant_type = client_credential flow is used only when an application is trying to authenticate itself to AAD and trying to get a token from AAD for itself. When a user tries to authenticate itself and tries to get a token from AAD, you would have to use the Authorization Code Grant flow of OAuth. You can find more details about this flow and its requests here.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.


  3. AmanpreetSingh-MSFT 56,501 Reputation points
    2020-05-21T08:36:09.513+00:00

    @Joe S George , Client credentials flow with b2clogin.com is currently not supported. If you want to use Client Credentials flow, you need to use the standard Azure AD endpoint only, i.e. starting with login.microsoftonline.com.

    There is active feedback for this feature here: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/18431254-b2c-support-for-client-credential-flow, you can vote for it.

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


  4. Maulik Modi 36 Reputation points
    2021-04-20T08:48:31.18+00:00

    @AmanpreetSingh-MSFT or @soumi-MSFT ,

    1. Is it possible to specify scopes when creating a client using the client credentials flow, e.g. https://www.identityserver.com/documentation/adminui/Clients/Adding_Clients/ SPA Protected Resources section?
    2. Is it possible to specify scopes when creating a client using the Authorisation code flow?
      https://www.identityserver.com/documentation/adminui/Clients/Adding_Clients/ SPA Protected Resources section