How can I request an Access Token in Postman against an Azure AD B2C tenant?
I tried taking the URL from Run Now in the Azure portal and putting that in the Auth URL, but that produces the following error:
Update
Following Chris's answer, I'm now past the above error. I'm able to sign-in but still can't get an access token:
AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again. Correlation ID: 45c56d47-4739-465f-8e02-49ba5b3a1b86 Timestamp: 2017-11-16 15:27:52Z
Using @Chris Padgett's answer, I was able to get it working using the Implicit Grant Type (couldn't get it working w/ Authorization Code Grant Type).
Grant Type: Implicit
Callback URL: any URL defined in my B2C app
Auth URL: https://{tenant}.b2clogin.com/te/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize
Client ID: Application ID from my B2C app
Scope: https://{tenant}.onmicrosoft.com/{web api app id uri}/{scope name}
Client Authentication: Either one, it didn't matter
2020-05-26 UPDATE
Microsoft changed the login URL for Azure Active Directory B2C as you can see here.
So @spottedmahn's answer has to be updated to:
Grant Type: Implicit
Callback URL: any URL defined in my B2C app
Auth URL: https://{tenant}.b2clogin.com/te/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize
Client ID: Application ID from my B2C app
Scope: https://{tenant}.onmicrosoft.com/{web api app id uri}/{scope name}
Client Authentication: Either one, it didn't matter
Getting this setup was a bit of a headache. Here's what I stitched together from the answers in this thread, updated to take advantage of Postman's Grant Type: Authorization Code (With PKCE)
Credit also goes out to https://blogs.aaddevsup.xyz/2020/08/performing-azure-ad-oauth2-authorization-code-grant-flow-with-pkce-in-postman/ for the starting point.
Using: Azure B2C Tenant, JS SPA frontend, Azure Function backend.
Setup for the SPA and backend is more or less as described in this MS document (Careful, some parts are out of date!) : https://learn.microsoft.com/en-us/azure/api-management/howto-protect-backend-frontend-azure-ad-b2c
@ SPA application registration > Authentication blade > Add this value to 'Single-page application Redirect URIs'
https://oauth.pstmn.io/v1/callback
@ Azure AD B2C | App registrations, click on 'endpoints' (blue globe icon @ top)
Record Azure AD B2C OAuth 2.0 token endpoint (v2) and Azure AD B2C OAuth 2.0 authorization endpoint (v2)
Configure New Token
Token Name: WhateverYouWant
Grant Type: Auth Code with PKCE
CallbackURL: https://oauth.pstmn.io/v1/callback
[ ] Authorize using browser (Unchecked)
Auth URL: https://< tenant-name >.b2clogin.com/< tenant-name >.onmicrosoft.com/< policy-name >/oauth2/v2.0/authorize
Access Token URL: https://< tenant-name >.b2clogin.com/< tenant-name >.onmicrosoft.com/< policy-name >/oauth2/v2.0/token
Client ID: < your-SPA-Application-ID-aka-client-ID >
Client Secret : < EMPTY >
Code Challenge Method: SHA-256
Code Verifier: < EMPTY >
State: < EMPTY >
Scope: something like < tenant name >.onmicrosoft.com/Hello
Client Authentication: Send client credentials in body
Click [Clear cookies] and [Get New Access Token]
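The steps above are what Postman does behind the "Auth Code with PKCE" button. The following Python script, added here as an illustration and not taken from the thread or from Microsoft, shows the same flow explicitly: the b2clogin.com endpoint layout used in the newer answers, the RFC 7636 S256 code challenge, the authorize request, the redirect back to Postman's callback, and the token request a public SPA client sends without a client secret. The tenant name, policy name, client ID and scope are constructed placeholders; substitute your own.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values; substitute your own tenant, policy and SPA client ID.
TENANT = "contoso"
POLICY = "B2C_1_signupsignin"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real app ID
REDIRECT_URI = "https://oauth.pstmn.io/v1/callback"  # Postman's hosted callback, as in the answer
SCOPE = f"https://{TENANT}.onmicrosoft.com/Hello openid"


def b2c_endpoints(tenant: str, policy: str) -> dict:
    """Authorize/token endpoints for a B2C user-flow policy, without any query string."""
    base = f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0"
    return {"authorize": f"{base}/authorize", "token": f"{base}/token"}


def challenge_for(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA-256(verifier)) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Fresh random verifier (32 bytes -> 43 URL-safe chars) and its S256 challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, challenge_for(verifier)


def build_authorize_url(tenant, policy, client_id, redirect_uri, scope, challenge, state):
    """The request the browser is sent to; only the challenge leaves the client."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return b2c_endpoints(tenant, policy)["authorize"] + "?" + urlencode(params)


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect, rejecting a state mismatch or an error."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale request")
    if "error" in q:
        raise ValueError(q.get("error_description", q["error"])[0])
    return q["code"][0]


def build_token_request(tenant, policy, client_id, redirect_uri, code, verifier) -> dict:
    """Form body for the token endpoint; a SPA is a public client, so no client_secret is sent."""
    return {
        "url": b2c_endpoints(tenant, policy)["token"],
        "data": {
            "grant_type": "authorization_code",
            "client_id": client_id,
            "code": code,
            "redirect_uri": redirect_uri,
            "code_verifier": verifier,
        },
    }


def pkce_matches(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint."""
    return hmac.compare_digest(challenge_for(verifier), challenge)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print("1. open in browser:", build_authorize_url(TENANT, POLICY, CLIENT_ID, REDIRECT_URI, SCOPE, challenge, state))
    # Constructed redirect standing in for what B2C sends back to the Postman callback.
    fake_redirect = f"{REDIRECT_URI}?code=CONSTRUCTED_CODE&state={state}"
    code = parse_callback(fake_redirect, state)
    req = build_token_request(TENANT, POLICY, CLIENT_ID, REDIRECT_URI, code, verifier)
    print("2. POST", req["url"], req["data"])
    print("3. server-side PKCE check passes:", pkce_matches(verifier, challenge))
```

The script only builds and checks the messages; it does not contact the tenant. The `Client Authentication: Send client credentials in body` setting in the answer corresponds to `client_id` appearing in the form body of the token request with no secret, which is the expected shape for a SPA registration.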
For the Auth URL field, you only have to enter the authorization endpoint URL without the query string parameters:
https://login.microsoftonline.com/te/{tenant}/{policy}/oauth2/v2.0/authorize
For the Access Token URL field:
https://login.microsoftonline.com/te/{tenant}/{policy}/oauth2/v2.0/token
For the Callback URL field, you must enter a reply URL that is registered with the Azure AD B2C application, such as:
https://www.getpostman.com/oauth2/callback
For the Scope field, enter "openid" as well as any API access scopes.
For the Client Authentication field, select "Send client credentials in body".