 

Azure B2C client credentials grant

I’ve implemented Azure B2C for user login/logout and can get the id_token and pass it to my web API for authorization, all works well. Now, I have some Web API methods that should be only accessed by the client web application (ASP.NET 4.6) which means OAuth 2.0 "client credentials grant". I’ve done a lot of research and the closest I could find is this quick-start which uses ADAL in a B2C application to call Graph API.

I followed along and got to the point where I’m trying to get the client access token as in the below code. However, no matter what I pass to the AcquireToken method as the resource, I keep getting an error that the application name I’m passing doesn’t exist in the tenant. I’m actually not sure what I should pass, since in the B2C world you do not register your Web API as an application but rather you have one application ID for all your apps.

Is the above scenario supported, and how can I do it?

```csharp
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// authContext (AuthenticationContext) and credential (ClientCredential) are fields set up elsewhere in the quick-start.
public async Task<string> SendGraphGetRequest(string api, string query)
{
    // First, use ADAL to acquire a token by using the app's identity (the credential)
    // The first parameter is the resource we want an access_token for; in this case, the Graph API.
    //*** In my case I want to replace the graph API URL with my own WebAPI
    AuthenticationResult result = authContext.AcquireToken("https://graph.windows.net", credential);
    return result.AccessToken; // the rest of the method (the Graph call itself) is not part of the post
}
```
zaid safadi Avatar asked Oct 28 '16 17:10



1 Answer

It is now possible to use the OAuth2 Client Credentials grant type with Azure AD B2C.

Although the OAuth 2.0 client credentials grant flow is not currently directly supported by the Azure AD B2C authentication service, you can set up client credential flow using Azure AD and the Microsoft identity platform /token endpoint for an application in your Azure AD B2C tenant. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants.

Here is a sample curl request:

```shell
curl --location --request POST 'https://login.microsoftonline.com/{client-id-of-app-registered-in-b2c}/oauth2/v2.0/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Cookie: x-ms-gateway-slice=prod; stsservicecookie=ests; fpc=AmqL7OwikMNGgdpvjdkb0OLnguDtAQAAABl14NYOAAAAd_wwNgEAAABCeeDWDgAAAA' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_secret={secret-of-app}' \
  --data-urlencode 'client_id={client-id-of-app-registered-in-b2c}' \
  --data-urlencode 'scope=https://graph.microsoft.com/.default'
```

Note that the parameters are encoded in the body.

Tai Bo Avatar answered Nov 16 '22 01:11

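The two halves of the scenario above, as an added example that is not part of the question or the answer: the client side issues the same client-credentials request the answer shows with curl (form-encoded body, `grant_type=client_credentials`, a `/.default` scope), and the Web API side applies the claim policy that actually restricts a method to the client web application. The tenant id, client id, audience and the sample token are constructed placeholders; the `opener` parameter is an assumption of this example so the request function can be exercised offline. Signature verification is deliberately not done here: in ASP.NET 4.6 that belongs to the JWT bearer middleware using the tenant's published signing keys, and `authorize_app_token` is the policy that runs after it. The issuer format `https://login.microsoftonline.com/{tenant-id}/v2.0` and the `azp`/`appid` and `roles` claims are standard Azure AD v2.0 token behaviour, not something the page states.

```python
# Added example (not from the question, the answer, or Microsoft's samples).
# Standard library only; all ids and the sample token are constructed placeholders.
import base64
import io
import json
import time
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Placeholder identifiers for the offline demonstration.
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-00000000cafe"
SAMPLE_API_AUDIENCE = "api://11111111-1111-1111-1111-111111111111"
SAMPLE_CLIENT_ID = "22222222-2222-2222-2222-222222222222"


def build_token_request(tenant, client_id, client_secret, scope):
    """Return (url, body) for the v2.0 token endpoint.
    Every parameter goes in the form-encoded body, never in the query string,
    so the secret does not end up in URL logs."""
    url = TOKEN_ENDPOINT.format(tenant=tenant)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,  # for a custom API: "<api application ID URI>/.default"
    }).encode()
    return url, body


def request_token(tenant, client_id, client_secret, scope, opener=None):
    """POST the request and return the access token string.
    `opener` (assumed parameter) defaults to urllib.request.urlopen and is
    injectable so the function can be exercised without network access."""
    url, body = build_token_request(tenant, client_id, client_secret, scope)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    opener = opener or urllib.request.urlopen
    with opener(req) as resp:
        payload = json.load(resp)
    if "access_token" not in payload:
        raise RuntimeError(f"token request failed: {payload.get('error_description', payload)}")
    return payload["access_token"]


def sample_token_opener(req):
    """Constructed stand-in for the token endpoint (offline demo only)."""
    return io.BytesIO(b'{"token_type": "Bearer", "expires_in": 3599, "access_token": "sample.access.token"}')


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(access_token):
    """Split a compact JWT and return its payload claims.
    No signature check here: the JWT bearer middleware must verify it first."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url_decode(payload))


def authorize_app_token(claims, tenant_id, api_audience, allowed_client_ids,
                        required_role=None, now=None):
    """Policy for an app-only (client credentials) token, applied after the
    signature has been verified. Returns (ok, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        return False, "wrong issuer"
    if claims.get("aud") != api_audience:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if "scp" in claims:
        return False, "delegated (user) token, not client credentials"
    caller = claims.get("azp") or claims.get("appid")  # v2.0 tokens use azp, v1.0 appid
    if caller not in allowed_client_ids:
        return False, f"caller {caller!r} is not an allowed client application"
    if required_role and required_role not in claims.get("roles", []):
        return False, f"application role {required_role!r} not granted"
    return True, "ok"


def make_sample_token(claims):
    """Constructed, unsigned token for the offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.not-a-real-signature"


def sample_app_claims(now):
    """Claims an app-only token for SAMPLE_CLIENT_ID would carry (constructed)."""
    return {"iss": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/v2.0",
            "aud": SAMPLE_API_AUDIENCE, "exp": now + 3600,
            "azp": SAMPLE_CLIENT_ID, "roles": ["Api.Invoke"]}
```

The check that matters for the question is the `azp`/`appid` allow-list: a valid signature, issuer and audience only prove the token was minted by the tenant for this API, while the allow-list is what ties the call to the one client web application that is meant to use those methods. Rejecting tokens that carry `scp` keeps a user-delegated token from reaching an app-only endpoint.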