This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 10%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
We have a web application which needs authenticated access to several Web APIs. We are using Azure AD B2C for authentication.
We receive an access token, id token, and refresh token for our first web api during login, but we are unable to get a second access token for another webapi.
The web application has given permission to both the webapi in the B2C portal.
The second /token call doesnt fail but the Access token is missing and the scopes are wrong.
Should this be possible?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 87%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENZ%3C/text%3E%3C/svg%3E)
What client library are you using to authenticate with Azure?
I'm using MSAL.NET. But the actual response from the B2C /token endpoint does not contain the Access Token. - see the screenshot below. Today, I tried the same thing with a standard Azure AD directory and it worked - so the problem is with a B2C AD instance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 44%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
You cannot use the same authorization code more than once to get the access token for multiple API's. I suggest you can register your web api's as a single application registration with a single redirect url and access to those web api's can be managed using the scopes. You can refer to Tutorial: Grant access to an ASP.NET web API using Azure Active Directory B2C to understand how to configure the API scopes and grant access for them.
We arent using the authorization code more than once. The authorization code is used during the initial login and receives an access token, id token and refresh token. The MSAL library sends the refresh token later on the second /token call for the second resource/api and it should return a new access token for that second api - but it is not, nor does it error either.
I understand I could model all our apis with a single registration and use scopes to manage access, but we also want to add more applications in the future and use a subset of the apis in different combinations.
An old article describes the situation:
https://www.cloudidentity.com/blog/2013/10/14/adal-windows-azure-ad-and-multi-resource-refresh-tokens/
Can we get Access tokens for several API from a single Web Application? This is an important question that is blocking our decision to use B2C in our platforms future.
Here is a screenshot from Fiddler of the /token call with grant_type = refresh_token that isnt returning the expected access token
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 10%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
I hope the below link helps
https://upskillwithvivek.blogspot.com/2020/06/access-tokens-for-several-web-api-from.html -