Login/Register
Request Access Token in Postman for Azure AD B2C
Asked Answered
Solved postmanazure-ad-b2c
R

6

23

How can I request an Access Token in Postman against an Azure AD B2C tenant?

new access token screenshot

I tried taking the url from Run Now in the Azure portal and putting that in the Auth Url but that produces the following error:

b2c error

Update

Following Chris's answer, I'm now past the above error. I'm able to sign-in but still can't get an access token:

AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again. Correlation ID: 45c56d47-4739-465f-8e02-49ba5b3a1b86 Timestamp: 2017-11-16 15:27:52Z

Regional answered 13/11, 2017 at 23:11 Comment(1)
"AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again. " Azure AD B2C returns this error message if the client secret has expired. And possibly for many other reasons, but it is one thing to check.Minivet
R
20

Using @Chris Padgett's answer, I was able to get it working using the Implicit Grant Type (couldn't get it working w/ Authorization Code Gran Type).

Grant Type: Implicit

Callback URL: any URL defined in my B2C app

Auth URL: https://{tenant}.b2clogin.com/te/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize

Client ID: Application ID from my B2C app

Scope: https://{tenant}.onmicrosoft.com/{web api app id uri}/{scope name}

Client Authentication: Either one, it didn't matter

Regional answered 30/11, 2017 at 0:30 Comment(6)
Hey, I just wanted to say thanks for documenting all the hard yards with this B2C stuff - everywhere I look for answers I see spottedmahn has already asked the question, done the research and got an answer, usually with success! It's been very useful, far better than trying to figure out Microsoft's (usually) out of date docs on the subject. Kudos.Verwoerd
Hey @Verwoerd - you're welcome! It takes a community, right! BTW, I tried looking for you on Twitter as not bloat the SO comments. Your comment made my day! Thanks!!Regional
Has anyone got this working where the API that you're trying to test with Postman is server up by Azure functions? I've got the spottedmahn/microsoft approach working for an aspnet MVC app but it's not working an Azure Function App which uses same azure b2c tenant. I'm going to post a separate question for that ....Vibrate
Hi @Vibrate - did you post that follow question? If so, can you share the link? ThanksRegional
@spottedmahn: #49304738 - cheers!Vibrate
But wanted to mention that I've opened 2 documentation issues @MS related to that: "Documentation "Azure Active Directory B2C: OAuth 2.0 authorization code flow" not in sync with "Use Postman to get a token and test the API"" - github.com/aspnet/Docs/issues/10335 - github.com/MicrosoftDocs/azure-docs/issues/22164 Furthermore I've recorded an issue regarding "B2C quick-start/tutorial implementation not correct aligned with Set redirect URLs to b2clogin.com for Azure Active Directory B2C" - github.com/Azure-Samples/… -Stgermain
S
10

Getting this setup was a bit of a headache. Here's what I stitched together from the answers in this thread, updated to take advantage of Postman's Grant Type: Authorization Code (With PKCE)

Credit also goes out to https://blogs.aaddevsup.xyz/2020/08/performing-azure-ad-oauth2-authorization-code-grant-flow-with-pkce-in-postman/ for the starting point.

Using: Azure B2C Tenant, JS SPA frontend, Azure Function backend.

Azure Portal (Azure AD B2C)

  • Setup for the SPA and backend is more or less as described in this MS document (Careful, some parts are out of date!) : https://learn.microsoft.com/en-us/azure/api-management/howto-protect-backend-frontend-azure-ad-b2c

  • @ SPA application registration > Authentication blade > Add this value to 'Single-page application Redirect URIs' https://oauth.pstmn.io/v1/callback

  • @ Azure AD B2C | App registrations, click on 'endpoints' (blue globe icon @ top)

  • Record Azure AD B2C OAuth 2.0 token endpoint (v2) and Azure AD B2c 2.0 authorization endpoint (v2)

Postman

  • Authorization: Oauth 2.0
  • Add auth data to: Request Headers

Configure New Token

  • Token Name: WhateverYouWant

  • Grant Type: Auth Code with PKCE

  • CallbackURL: https://oauth.pstmn.io/v1/callback

  • [ ] Authorize using browser (Unchecked)

  • Auth URL: https://< tenant-name >.b2clogin.com/< tenant-name >.onmicrosoft.com/< policy-name> /oauth2/v2.0/authorize

  • Access Token URL: https://< tenant-name >.b2clogin.com/< tenant-name >.onmicrosoft.com/< policy-name >/oauth2/v2.0/token

  • Client ID: < your-SPA-Application-ID-aka-client-ID >

  • Client Secret : < EMPTY >

  • Code Challenge Method: SHA-256

  • Code Verifier: < EMPTY >

  • State: < EMPTY >

  • Scope: something like < tenant name >.onmicrosoft.com/Hello

  • Client Authentication: Send client credentials in body

  • click [Clear cookies] and [Get New Access Token]

Scala answered 3/6, 2021 at 16:9 Comment(4)
This doesn't work for me - I at the minimum need to provide a client secret when using auth code with pkceEllaelladine
@GustavWengel Perhaps you have implicit flow enabled? One of the reasons I prefer working with PKCE is that it does not require submitting a client secret. I confirmed that the above setup works fine with my configuration. Feel free to message me if you'd like to discuss.Scala
This was a huge help for me. Appreciate the breakdown. I had found the blog post mentioned above but wasn't able to follow it through until I found this SO answer.Catchpenny
Worked for me using the browser to authenticate until today when it stopped.Segovia
S
6

2020-05-26 UPDATE

Microsoft changed the login URL for Azure Active Directory B2C as you can see here.

So @spottedmahn answer has to be updated to:

Grant Type: Implicit

Callback URL: any URL defined in my B2C app

Auth URL: https://{tenant}.b2clogin.com/te/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize

Client ID: Application ID from my B2C app

Scope: https://{tenant}.onmicrosoft.com/{web api app id uri}/{scope name}

Client Authentication: Either one, it didn't matter

Sensuous answered 26/5, 2020 at 16:14 Comment(1)
Hi NDalvise 👋 - please feel free to update my answer so we only have one answer for SO users to find the solution quicklyRegional
A
2

For the Auth URL field, you only have to enter the authorization endpoint URL without the query string parameters:

https://login.microsoftonline.com/te/{tenant}/{policy}/oauth2/v2.0/authorize

For the Access Token URL field:

https://login.microsoftonline.com/te/{tenant}/{policy}/oauth2/v2.0/token

For the Callback URL field, you must enter a reply URL that is registered with the Azure AD B2C application, such as:

https://www.getpostman.com/oauth2/callback

For the Scope field, enter "openid" as well as any API access scopes.

For the Client Authentication field, select "Send client credentials in body".

Arnica answered 13/11, 2017 at 23:35 Comment(5)
I'm getting The redirect URI '/' provided in the request is not registered for the client id '60a724bd-a41b-4387-806b.....Regional
I've updated the above answer with example of a callback URL that must also be registered with the Azure AD B2C application.Arnica
thanks Chris but still no luck. I've tried the above callback and jwt.ms but I get an internal error. I've updated my question.Regional
Can you please replace the screen shot removing any secret values?Arnica
Sure thing. I've been using a client's tenant. Let me try against my personal one so I can share everything.Regional
S
1

I could get B2C Request Access Token in Postman working for both grant types: grant_type=implicit and as well grant_type=authorization_code. I've opened accordingly an issue regarding the MS documentation:

The following changes were necessary:

The only differences between grant_type=implicit and grant_type=authorization_code are that grant_type=authorization_code needs some more parameters as follows:

  • Access Token (access token request) URL: https://login.microsoftonline.com/"tenant-name".onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_"name-of-your-signup-signin-flow"

  • client_secret: generate a key for your application: Azure Portal -> Azure AD B2C -> Applications -> -> Keys -> Generate Key

Stgermain answered 11/1, 2019 at 9:12 Comment(0)
T
0

I just want to add some extra information for prosperity since I have recently spent way too long trying to resolve an issue relating to the error AADB2C90085 and this question is one of the few results on Google.

Update

Following Chris's answer, I'm now past the above error. I'm able to sign-in but still can't get an access token:

AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again. Correlation ID: 45c56d47-4739-465f-8e02-49ba5b3a1b86 Timestamp: 2017-11-16 15:27:52Z

And:

Using @Chris Padgett's answer, I was able to get it working using the Implicit Grant Type (couldn't get it working w/ Authorization Code Gran Type).

I received this error when using authorization code flow because my B2C_1A_TokenSigningKeyContainer and B2C_1A_TokenEncryptionKeyContainer were incorrectly generated. Once I followed the guide at Get started with custom policies in Azure Active Directory B2C the error stopped occurring.

Relevant excerpt from the link:

Create the signing key

  1. Select Policy Keys and then select Add.
  2. For Options, choose Generate.
  3. In Name, enter TokenSigningKeyContainer. The prefix B2C_1A_ might be added automatically.
  4. For Key type, select RSA.
  5. For Key usage, select Signature.
  6. Click Create.

Create the encryption key

  1. Select Policy Keys and then select Add.
  2. For Options, choose Generate.
  3. In Name, enter TokenEncryptionKeyContainer. The prefix B2C_1A_ might be added automatically.
  4. For Key type, select RSA.
  5. For Key usage, select Encryption.
  6. Click Create.
Tallowy answered 8/11, 2018 at 13:6 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.