How can we improve Azure Active Directory?

AADB2C: Support OAuth 2.0 client credential flow

As mentioned in the B2C limitations:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-limitations/

Our daemons / server-side applications need this feature as part of our security implementation in order to grant access to our web apis.

219 votes


Anonymous shared this idea

Admin response:

Currently, you can use the “App Registration” blade in the Azure Portal (outside of the Azure AD B2C blades) to register apps that define application permissions and to register apps that use client credentials to request these. The caveat is that this is done using the same mechanism that you’d use in regular Azure AD.

Ideally we’d have a first class experience for this in the Azure AD B2C blades or at least have an Azure doc that walks you through the experience I just summarized, so I’m leaving this feature ask open.

It would be great if you guys can add comments with your feedback. What scenarios are you trying to achieve? Does the approach above help you achieve what you want to achieve? Does the experience to do so work for you guys and if not, what would you like to see?

17 comments

  • Hristomir commented:

    (Real scenario): Company ABC wants to expose a set of APIs for their external customers' web applications.
    - Company ABC does not want to register their external customer web apps in the AAD; they would rather use the AAD B2C for this entire scope.
    - External customers' web apps shall access the APIs using the client credential flow.

  • David Sanftenberg commented:

    Lots of OAuth2 flows use the client_credentials grant (such as Grafana's), so a lack of support for this means these apps are broken for Azure B2C.

  • Miha Jakovac commented:

    I would like to do integration tests of my API, but I am not sure how I can get an access_token from AD other than with the Client Credentials grant. I would only use it for testing...

  • Mike DePouw commented:

    Subject: No support for custom attributes

    If I define a custom attribute in B2C and code my web API to use it, using Azure AD Apps will not work as I no longer have that claim on my token from the CCG (client credentials grant).

  • Mike DePouw commented:

    The first problem I see with this approach is with scopes and securing the web API.

    If I define a scope called 'delete-invoices' and secure my web API with that scope, that will have to be duplicated in Azure AD Apps. And I will now have to check for scopes or roles in my web API.

    I also have to duplicate all of my scopes.

    Reference: https://joonasw.net/view/defining-permissions-and-roles-in-aad

  • Martin commented:

    I would like to describe my scenario:
    3 components: Azure B2C + frontend + backend web API

    B2C is configured with policies etc.
    The frontend provides the login to B2C and gets a valid token back.
    Backend configured to use jwtAuthentication.
    The frontend sends this token as a bearer token to the web API to authenticate.
    Works fine.

    Now the problem comes with automated tests.
    How to get the token without user interaction?
    The idea was to use client_credentials to get an access token and send this as bearer to the web API.
    So we created an application INSIDE of B2C.
    But now, to make it work, the backend must be configured in another way (different token endpoints).

    So does this approach with an app registration OUTSIDE of B2C help me in any way?
    If yes, I need more details or a walkthrough.
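    The two preceding comments both run into the same API-side question: a user token issued by a B2C policy carries delegated scopes in `scp`, while an app-only token from the regular Azure AD client-credentials grant carries application permissions in `roles` and comes from a different issuer. The check below is an added example, not code from the thread or from Microsoft; it shows how a web API can accept both kinds of token without duplicating its permission model in two places. The issuer URLs, audience and claim values are constructed placeholders.

```python
# Added example (not from the thread): API-side authorization accepting either a
# delegated B2C user token ('scp' claim) or an app-only Azure AD token ('roles' claim).
# Issuer strings are placeholders for illustration, not real tenant values.

# Assumed issuer allow-list: the regular Azure AD v2.0 issuer (client-credentials tokens)
# and a B2C policy issuer (user tokens) for the same tenant.
TRUSTED_ISSUERS = {
    "https://login.microsoftonline.com/{TENANT_ID}/v2.0",   # placeholder: Azure AD
    "https://{TENANT}.b2clogin.com/{TENANT_ID}/v2.0/",      # placeholder: B2C policy
}


class AuthzError(Exception):
    """Raised when a token must not be accepted for the requested operation."""


def authorize(claims: dict, required_scope: str, required_role: str, audience: str) -> str:
    """Return 'delegated' or 'application' for an acceptable token, else raise AuthzError.

    Signature and expiry are assumed to have been verified already by the JWT
    middleware; this function only checks issuer, audience and permission claims.
    """
    if claims.get("iss") not in TRUSTED_ISSUERS:
        raise AuthzError("untrusted issuer")
    if claims.get("aud") != audience:
        raise AuthzError("token was not issued for this API")

    # Delegated (user) tokens: space-separated scope names in 'scp'.
    scopes = set(claims.get("scp", "").split())
    if required_scope in scopes:
        return "delegated"

    # App-only tokens from client credentials have no 'scp'; granted application
    # permissions appear as a list in 'roles'.
    roles = set(claims.get("roles", []))
    if required_role in roles:
        return "application"

    raise AuthzError("token lacks the required scope or role")


if __name__ == "__main__":
    # Constructed sample claims (not real tokens).
    user_token = {"iss": "https://{TENANT}.b2clogin.com/{TENANT_ID}/v2.0/",
                  "aud": "api://invoices", "scp": "read-invoices delete-invoices"}
    app_token = {"iss": "https://login.microsoftonline.com/{TENANT_ID}/v2.0",
                 "aud": "api://invoices", "roles": ["Invoices.Delete"]}
    for tok in (user_token, app_token):
        print(authorize(tok, "delete-invoices", "Invoices.Delete", "api://invoices"))
```

    The middleware still has to trust both issuers' signing keys; the point of the check is that a single handler enforces one permission per operation regardless of which grant produced the token.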

  • Anonymous commented:

    I have this problem. I want to access my B2C web API application via a web service.
    I created an app registration.
    I used this API: https://login.microsoftonline.com/<tenantId>/oauth2/token
    and got the access_token,
    but when I tried to send it to my web API, which is authorized by B2C, I got 401.
    Any idea?

  • [Deleted User] commented:

    My scenario is the following: I have a web API protected by B2C and I want a SPA (client side), a web app (server side) and a daemon application to be able to access it.

    First step was to register the application following this link:
    https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-app-registration

    Second step was to register the Web Application following this link:
    https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-web-dotnet-susi

    Third step was to register the SPA application following this link:
    https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp

    Using the previous configurations I'm able to get data from my protected web API. This means that both the Authorization Code Grant and the Implicit Grant flow are working fine for me.

    Now I want to access my protected web api from a daemon application.
    I followed the official guide here:
    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds

    It works for the GraphApi endpoint but not for my web api.

    As you (Azure AD Team Admin) suggested, I registered a new app in the App registration blade outside of the B2C blade.
    Then I added the delegated permissions of my Web Api and granted them.

    I tried to get an access_token using the following request:
    POST /te/{MY-TENANT}.onmicrosoft.com/{MY-POLICY}/oauth2/v2.0/token HTTP/1.1
    Host: login.microsoftonline.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=client_credentials&client_id={DAEMON_CLIENT_ID}&client_secret={DAEMON_CLIENT_SECRET}&scope={SCOPE_OF_WEB_API}/.default

    I received an error of "unsupported_grant_type".
    {
    "error": "unsupported_grant_type",
    "error_description": "AADB2C90086: The supplied grant_type [client_credentials] is not supported."
    }

    What am I doing wrong? Is there a way to accomplish what I'm trying to do?

    Thanks in advance.
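    The request in the comment above is a well-formed RFC 6749 section 4.4 client-credentials request; what it shows is that a B2C policy-scoped token endpoint (the `/te/{tenant}/{policy}/oauth2/v2.0/token` path) answers it with AADB2C90086, as the limitations page says. The helper below is an added example, not code from the thread or from Microsoft: it builds the same request body, refuses to aim it at a policy endpoint, and turns the two error responses quoted in this thread into a short diagnosis. Endpoint, client and scope values are constructed placeholders.

```python
# Added example (not from the thread): build a client-credentials token request and
# interpret the error responses quoted in this thread. All identifiers are placeholders.
import json
from urllib.parse import urlencode, urlparse

# Advice strings, keyed by the 'error' field of the token-endpoint response.
ADVICE_UNSUPPORTED_GRANT = ("B2C policy endpoint rejected the grant (AADB2C90086); "
                            "send the request to the tenant's regular Azure AD v2.0 endpoint")
ADVICE_UNAUTHORIZED_CLIENT = ("the app registration is not usable on this endpoint version "
                              "(AADSTS70001); register it for the endpoint you are calling")
ADVICE_INVALID_CLIENT = "client_id or client_secret was not accepted"
ADVICE_UNKNOWN = "unrecognised error; inspect error_description"
_ADVICE = {
    "unsupported_grant_type": ADVICE_UNSUPPORTED_GRANT,
    "unauthorized_client": ADVICE_UNAUTHORIZED_CLIENT,
    "invalid_client": ADVICE_INVALID_CLIENT,
}


def build_client_credentials_request(token_endpoint: str, client_id: str,
                                     client_secret: str, scope: str):
    """Return (url, headers, body) for a client_credentials token request.

    Raises ValueError for B2C policy endpoints (/te/ or /tfp/ paths), which do not
    support this grant. The v2.0 endpoint expects an application scope ending in
    '/.default', so that suffix is appended when missing.
    """
    path = urlparse(token_endpoint).path.lower()
    if path.startswith("/te/") or path.startswith("/tfp/"):
        raise ValueError("B2C policy endpoints do not support client_credentials; "
                         "use the tenant's regular Azure AD v2.0 token endpoint")
    if not scope.endswith("/.default"):
        scope = scope + "/.default"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return token_endpoint, headers, body


def diagnose_token_response(response_text: str) -> str:
    """Map a token-endpoint JSON response to a short diagnosis string."""
    data = json.loads(response_text)
    if "access_token" in data:
        return "ok"
    return _ADVICE.get(data.get("error"), ADVICE_UNKNOWN)


if __name__ == "__main__":
    # Constructed sample response mirroring the error quoted above.
    sample = '{"error": "unsupported_grant_type", "error_description": "AADB2C90086: ..."}'
    print(diagnose_token_response(sample))
    url, hdrs, body = build_client_credentials_request(
        "https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
        "{DAEMON_CLIENT_ID}", "{DAEMON_CLIENT_SECRET}", "api://{WEB_API_APP_ID}")
    print(url, body)
```

    Keep the secret out of logs when adapting this: the body contains the client secret, so print only the endpoint and the diagnosis in anything that is retained.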

  • Rodion commented:

    Please at least give more details here regarding the proposed workaround. It is not clear!

  • Suresh Nadansundaram commented:

    We have a use case where a mobile app runs on controlled mobile devices and needs to authenticate through B2C. In this case we would like to have the client credential flow to authenticate an account (a kind of service account).

  • tourili commented:

    I have my native app registered in B2C (inside the B2C blades) that has access to my web APIs, also registered inside B2C, and granted the right permissions. Now I want it to use client credentials to access those APIs. I understand that the feature is not supported yet and will be available later on. Should I create a new registration "outside of the Azure AD B2C blades" and start from scratch? Can you please be clearer?

  • Eric Jutrzenka commented:

    When I try registering an app via the App Registration blade to use client credentials, I get the following error when requesting an access token:

    {
    "error": "unauthorized_client",
    "error_description": "AADSTS70001: Application 'bd02abef-b325-49b4-8797-de0bddb004e0' is not supported for this API version.\r\nTrace ID: 13783bad-2588-486a-b60b-4e4a69260200\r\nCorrelation ID: f49a7f1f-d40f-4799-acd6-3747dacc3400\r\nTimestamp: 2017-04-21 04:01:29Z",
    "error_codes": [
    70001
    ],
    "timestamp": "2017-04-21 04:01:29Z",
    "trace_id": "13783bad-2588-486a-b60b-4e4a69260200",
    "correlation_id": "f49a7f1f-d40f-4799-acd6-3747dacc3400"
    }

    I get the same error following the instructions here:
    https://docs.microsoft.com/en-gb/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet#register-a-service-application-in-your-tenant

  • Simon commented:

    @Azure AD Product Group: When working with multi-tenant apps that use B2C and deploy multiple resources like Azure Functions and Azure App Services, it would be good to be able to use B2C and the client credential flow for service-to-service communication security. As an example, for a Function that needs to make REST calls to an App Service, it would be good to use B2C instead of having to use some other kind of shared secret mechanism or something like that.
