Requirement for configuring implicit grant on public clients with B2C tenant for ROPC workflow

Chintan Rajvir 426 Reputation points Microsoft Employee
2021-12-07T04:45:37.593+00:00

From the document linked here, I understood that we are required to enable the implicit grant flow for the public client registered in the Azure AD B2C tenant. What I am failing to understand is the reason for that requirement.

For example, when I tried the resource owner password credential workflow using just an Azure AD tenant, I observed that we were only required to register the app as a public client app (by updating the Authentication section of the app registration). In this scenario, my app manifest had the property oauth2AllowImplicitFlow set to false. The following request returned the access token correctly:

```http
POST /{tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=<publicClientAppId>
&scope=<myWebAppCustomScope>  // e.g. "<myWebAppClientId>/access_as_user"
&username=<username>
&password=<password>
&grant_type=password
```

However, with Azure AD B2C application registrations (where both the web app and the public client app are registered in the B2C tenant), the ask is to also enable the implicit grant flow. Thus, upon a similar request to the one above:

```http
POST https://<B2CTenantDomainPrefix>.b2clogin.com/<B2CTenantId>/b2c_1_ropc1/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id=<publicClientAppId>
&scope=<myWebAppCustomScope>  // e.g. "<myWebAppClientId>/access_as_user"
&username=<username>
&password=<password>
&grant_type=password
```

I receive the following error: "AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow." I wanted to understand the reason for this requirement, and why the behavior is different compared to the Azure AD ROPC workflow.

Tags: Microsoft Entra External ID, Microsoft Entra ID

2 answers

  1. AmanpreetSingh-MSFT 56,761 Reputation points
    2021-12-08T02:58:16.08+00:00

    Hi @Chintan Rajvir • Thank you for reaching out.

    When Microsoft (AAD+B2C) made the implicit option in the portal, they defined it as getting a token directly from either the authorize or the token endpoint. Because of this, in the case of Azure AD B2C we have to enable it in general whenever a token is obtained directly from any endpoint.

    When using the authorization code flow, we do not directly acquire tokens from any endpoint: the request is first sent to the authorize endpoint to get a code, which is then redeemed at the token endpoint to acquire the token. In that case, we don't need to enable the implicit grant.



  2. VIvek Sharma 0 Reputation points
    2023-07-21T17:55:01.6433333+00:00

    Hi Aman,

    I am facing a similar problem with B2C. I am trying to make the authorization code flow work with B2C and it does not work unless I enable the implicit grant within my app registration. I am following the code samples that Microsoft has for calling a B2C-protected API.

    I see the first request is to the authorize endpoint with response_type=code id_token, but that returns the error "AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow."

    Does this mean that even for the authorization code flow with B2C we have to enable the implicit flow in the UI? Is there any official documentation around it?

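The rule the accepted answer states (implicit grant is needed whenever B2C hands out a token "directly", which covers ROPC at the token endpoint and any authorize request whose response_type asks for a token or id_token, including the hybrid `code id_token` request in the follow-up) can be checked before a request is sent. The helper below is an added example, not code from the question, the answers or Microsoft; it builds the two ROPC requests from the question, classifies a B2C request against that rule, and recognises the AADB2C90057 error body. Tenant names, client IDs, scopes and the sample error response are constructed placeholders.

```python
"""Added example (not from the question or answers): offline helpers for the
B2C implicit-grant requirement discussed above."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

AADB2C_IMPLICIT_NOT_ENABLED = "AADB2C90057"


def build_ropc_request(tenant: str, client_id: str, scope: str, username: str,
                       password: str, b2c_policy: Optional[str] = None) -> dict:
    """Return method/url/headers/body for an ROPC (grant_type=password) request.

    Without b2c_policy the request targets login.microsoftonline.com (Azure AD),
    as in the first request in the question. With b2c_policy it targets the
    B2C tenant's ROPC user flow on b2clogin.com; the path uses the
    <tenant>.onmicrosoft.com form from the Microsoft docs (the question puts the
    tenant ID in that segment, which B2C also accepts).
    """
    if b2c_policy:
        url = (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
               f"{b2c_policy}/oauth2/v2.0/token")
    else:
        url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "scope": scope,
        "username": username,
        "password": password,
        "grant_type": "password",
    })
    return {"method": "POST", "url": url,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": body}


def b2c_needs_implicit_grant(method: str, url: str, body: str = "") -> bool:
    """Classify a request the way the accepted answer says B2C does.

    True  -> the token is obtained "directly": ROPC at /token, or an
             /authorize request whose response_type contains 'token' or
             'id_token' (implicit or hybrid, e.g. 'code id_token').
    False -> authorization code flow: 'response_type=code' at /authorize, or
             redeeming that code with grant_type=authorization_code at /token.
    """
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if method.upper() == "POST" and body:
        params.update({k: v[0] for k, v in parse_qs(body).items()})
    path = parts.path.lower()
    if path.endswith("/oauth2/v2.0/token"):
        return params.get("grant_type") == "password"
    if path.endswith("/oauth2/v2.0/authorize"):
        response_types = set(params.get("response_type", "").split())
        return bool(response_types & {"token", "id_token"})
    raise ValueError(f"not a B2C v2.0 authorize or token endpoint: {url}")


def parse_b2c_error(response: dict) -> dict:
    """Pull the AADB2C error code and message out of a token error response."""
    description = response.get("error_description", "")
    match = re.match(r"(AADB2C\d+):\s*([^\r\n]*)", description)
    code = match.group(1) if match else None
    return {
        "error": response.get("error"),
        "code": code,
        "message": match.group(2) if match else description,
        "implicit_grant_missing": code == AADB2C_IMPLICIT_NOT_ENABLED,
    }


# Constructed sample of the error body quoted in the question (the "error"
# value and the trailing fields are placeholders, not a captured response).
SAMPLE_B2C_ERROR = {
    "error": "invalid_request",
    "error_description": (
        "AADB2C90057: The provided application is not configured to allow "
        "the 'OAuth' Implicit flow.\r\nCorrelation ID: <omitted>\r\n"
        "Timestamp: <omitted>\r\n"
    ),
}


if __name__ == "__main__":
    # Constructed tenant, client and scope values.
    aad = build_ropc_request("contoso.onmicrosoft.com", "public-client-id",
                             "api-client-id/access_as_user", "alice", "pw")
    b2c = build_ropc_request("contoso", "public-client-id",
                             "api-client-id/access_as_user", "alice", "pw",
                             b2c_policy="b2c_1_ropc1")
    for req in (aad, b2c):
        print(req["url"], "-> implicit grant required in B2C:",
              b2c_needs_implicit_grant(req["method"], req["url"], req["body"]))
    print(parse_b2c_error(SAMPLE_B2C_ERROR))
```

The classifier only models the rule as the answers state it; it is a pre-flight check for the app registration, not a substitute for the authorization server's own decision, and it deliberately raises on anything that is not a v2.0 authorize or token endpoint rather than guessing.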
