How can I Retrieve Access Token with password credentials in Postman for Azure AD B2C?
Question: What I am trying to perform?
Answer: I am trying to automate the retrieval of Auth Bearer token for API testing
Current Scenario: I have followed this wiki Request Access Token in Postman for Azure AD B2C
I am able to retrieve the Auth Bearer token with Grant Type Implicit. Although, I need to add my username and password in the next step as shown in the image:
If I change the Grant type to Password Credentials to skip manual adding the username and password - the call is successful but it gave an invalid token:
The MFA is enable at the user level. I have created Sign In Sign up flow with MFA Off (although tries both Off and Always On, but it still gave the same invalid token):
How I can bypass the MFA and automate the sign In and retrieve Access Token?
Method 2 : Followed these ROPC way to retrieve the Token
I am able to retrieve the Accesstoken from Postman but If use this token in my Application for REST API calls (Both applications ROPC_Auth App and other application are under the same Tenant B2C), I got an error making a call using this Auth Bearer Token/Access Token : Error Details: enter image description here
Method 3 : If I use the Application/Client ID for the application under the same Tenant which is working manually, I got this error testing the ROPC Flow.
{
"error": "unauthorized_client",
"error_description": "AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow.\r\nCorrelation ID: 25661033-61b9-4f59-8358-4cd07ad9b007\r\nTimestamp: 2022-01-13 22:38:52Z\r\n"
}
The troubleshooting part says to change the manifest details, which I did then I got this error
"{
"error": "invalid_request",
"error_description": "AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.\r\nCorrelation ID: 45dcc3bf-74d6-4536-8ab4-d2025dc9ecb0\r\nTimestamp: 2022-01-13 21:58:57Z\r\n"
}"
• I followed the below documentation link thoroughly as a prerequisite to the ROPC (Resource Owner Password Credential) flow which you were trying to do. I successfully requested an access token, refresh token and ID token through Postman by following the below documentation link correctly for using the ROPC_Auth policy as a user flow for an application registered in Azure AD B2C.
Prerequisite Azure AD B2C link: - https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy
ROPC flow Azure AD B2C link: - https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-custom-policy#test-the-ropc-flow
Please find the below snapshots of the successful deployment: -
ROPC_Auth Application in Azure AD B2C
Application Manifest changes: -
Identity Experience framework application in Azure AD B2C: -
Proxy Identity Experience Framework application in Azure AD B2C: -
ROPC_Auth Policy in Azure AD B2C: -
Before requesting tokens through Postman, ensure to run the user flow through the ‘Signup_signin’ B2C custom policy and create a user through it as this user’s credentials created will only be used later in Postman as Password credentials authentication request.
Postman ROPC request: -
Thus, in this way, you can use ‘Password credentials’ flow successfully through Postman to get access token, refresh token and ID token for an application successfully.
- Access to fetch at https://accounts.google.com/o/oauth2/v2/auth has been blocked by CORS
- Role-based authentication not working with Keycloak and Java Spring
- What If Session Expires While User Is Still On The Website
- Remix run: Authentication succeeds on validation failures
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Using two or more SecurityFilterChains with Spring Security 6 does not work properly, only one chain is invoked
- What is the purpose of the 'state' parameter in OAuth authorization request
- OAuth 2.0 Single Client Configuration for Web and Mobile Applications
- OAuth 2 access_token vs OpenId Connect id_token
- Spring Security - Multiple OAuth2 Identity providers (github and google) work with only one Bean with @Prirmary?
- Error in oAuth2 Google APIs - invalid_request "You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy"
- MSAL Node service & The Partner Center API
- How to change the app name for Firebase authentication (what the user sees)
- Generate token fails for Azure app which is both client and API (client credentials workflow)
- Is it okay to encrypt a 3rd party access token and refresh token, in an encrypted JWT?
- Is a Client Secret Required for Google OAuth 2.0 using the PKCE Authorization Flow? Should I Expose the Client Secret Publicly?
- What is the purpose of a "Refresh Token"?
- Pagination with oauth azure data factory
- How to use supabase google auth provider in react naive expo app
- How to bypass keycloak login page and provide client suggested idp with spring security
- Issue with Discord OAuth2 redirect_uri component
- npm install error - invalid package.json
- Google Identity Platform: Using OAuth 2.0 in Powershell using Firebase Admin SDK private key
- Can I get the company name/logo with the LinkedIn API?
- PayPal REST API credentials of another business or party
- Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD
- Problems logging into coinbase api with oauth2
- Azure authentification for multiple audience using WithExtraScopesToConsent and AcquireTokenSilent
- Microsoft OAuth authorization code flow CORS
- How to authorize a request to the FCM v1 API with an access token