From the document linked here, I understood that we are required to enable the implicit grant flow for the public client registered in the Azure AD B2C tenant. What I am failing to understand is the requirement for the same.
For example, when I tried the resource-owner password credential workflow using just an Azure AD tenant, I observed that we were required to simply register the app as a public client app (by updating the authentication in the app management section). In this scenario, my app manifest read the value of the property oauth2AllowImplicitFlow to be false. The following request returned me the access token correctly:
POST {tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=<publicClientAppId>
&scope=<myWebAppCustomScope> // (e.g., "<myWebAppClientId>/access_as_user")
&username=<username>
&password=<password>
&grant_type=password
However, with Azure AD B2C application registrations (where both the web app and the public client app are registered in the B2C tenant), the ask is to also enable the implicit grant flow. Thus, upon a similar request as above:
POST https://<B2CTenantDomainPrefix>.b2clogin.com/<B2CTenantId>/b2c_1_ropc1/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id=<publicClientAppId>
&scope=<myWebAppCustomScope> // (e.g., "<myWebAppClientId>/access_as_user")
&username=<username>
&password=<password>
&grant_type=password
I receive the following error: AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow. I wanted to understand the requirement for the same, and why the behavior is different compared to the Azure AD ROPC workflow.
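An added example (not part of the question above, nor Microsoft's own code) in Python that builds the B2C ROPC token request shown in the question and classifies the JSON reply, picking out the AADB2C90057 code when the app registration does not allow the implicit flow. The tenant prefix, tenant id, user-flow name, app ids and credentials are placeholders, and the two sample responses are constructed for offline use.

```python
import json
import re
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Placeholders standing in for the values in the question's request.
B2C_PREFIX = "<B2CTenantDomainPrefix>"
B2C_TENANT = "<B2CTenantId>"
USER_FLOW = "b2c_1_ropc1"  # ROPC user flow named in the question


def token_endpoint(prefix: str, tenant: str, flow: str) -> str:
    """B2C token endpoint for a named user flow, same shape as the POST in the question."""
    return f"https://{prefix}.b2clogin.com/{tenant}/{flow}/oauth2/v2.0/token"


def ropc_body(client_id: str, scope: str, username: str, password: str) -> bytes:
    """URL-encoded ROPC form body; urlencode escapes '/' in the custom scope."""
    form = {"client_id": client_id, "scope": scope, "username": username,
            "password": password, "grant_type": "password"}
    return urlencode(form).encode()


def classify_response(body: str) -> dict:
    """Reduce a token-endpoint JSON reply to {'ok', 'code', 'detail'}.
    B2C puts its AADB2Cxxxxx code at the start of error_description."""
    data = json.loads(body)
    if "access_token" in data:
        return {"ok": True, "code": None, "detail": "token issued"}
    desc = data.get("error_description", "")
    match = re.match(r"(AADB2C\d+)", desc)
    code = match.group(1) if match else data.get("error")
    # Error text quoted from the question; means the implicit grant is not enabled.
    known = {"AADB2C90057": "implicit grant not enabled on the app registration"}
    return {"ok": False, "code": code, "detail": known.get(code, desc)}


def request_token(client_id: str, scope: str, username: str, password: str) -> dict:
    """Send the ROPC request (network call) and classify whatever comes back."""
    req = Request(token_endpoint(B2C_PREFIX, B2C_TENANT, USER_FLOW),
                  data=ropc_body(client_id, scope, username, password),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req) as resp:
            return classify_response(resp.read().decode())
    except HTTPError as err:  # B2C returns 400 with a JSON error body
        return classify_response(err.read().decode())


# Constructed sample replies (not captured from a real tenant).
SAMPLE_OK = json.dumps({"token_type": "Bearer", "access_token": "<redacted>", "expires_in": 3600})
SAMPLE_ERROR = json.dumps({"error": "invalid_request", "error_description":
    "AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow."})
```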