Calling web api from SPA giving error: Azure AD b2c
Here is my aim: I would like to get an access token to call web api from my Spa application.
I created 2 azure b2c applications; one for web api and other for spa application(client).
I added scopes(api.read) by exposing api in web api application. I granted permission to these scopes from spa application.
I created one userflow with Sign up and sign in policy.
To generate the token, I used PKCE flow by getting auth code.
POST https://tenant.b2clogin.com/tenant.onmicrosoft.com/policy/oauth2/v2.0/token
grant_type: authorization_code
client_id: api_appid
scope: https://tenant.onmicrosoft.com/web_api/api.read
redirect_uri: https://localhost:435
code:
code_verifier:
The thing is I get the token but while calling the web api, it's giving error like:
Either scp or roles claim need to be present in the token
What could be the problem?
I tried to reproduce the same in my environment and got below results:
I registered one Azure AD B2C application for Web API and added scopes as below:
Now I created one SPA registration and added API permissions by granting consent like this:
I created Sign up and sign in policy and ran the user flow as below:
When I signed-in as a user it gave me auth-code in address bar like below:
I generated the access token via Postman with parameters like this:
POST https://tenant.b2clogin.com/tenant.onmicrosoft.com/policy/oauth2/v2.0/token
grant_type: authorization_code
client_id: SPA_appid
scope: https://tenant.onmicrosoft.com/web_api/api.read
redirect_uri: redirect_uri
code: code
code_verifier: code_verifier
When I decoded the token, I got the scp claim successfully like below:
Make sure to select Application as SPA App and resource as Web_api while running the user flow to get auth code.
While generating access token, you should give SPA_AppId in client_id parameter.
- OAuth 2.0 Single Client Configuration for Web and Mobile Applications
- OAuth 2 access_token vs OpenId Connect id_token
- Spring Security - Multiple OAuth2 Identity providers (github and google) work with only one Bean with @Prirmary?
- Error in oAuth2 Google APIs - invalid_request "You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy"
- MSAL Node service & The Partner Center API
- How to change the app name for Firebase authentication (what the user sees)
- Generate token fails for Azure app which is both client and API (client credentials workflow)
- Is it okay to encrypt a 3rd party access token and refresh token, in an encrypted JWT?
- Is a Client Secret Required for Google OAuth 2.0 using the PKCE Authorization Flow? Should I Expose the Client Secret Publicly?
- What is the purpose of a "Refresh Token"?
- Pagination with oauth azure data factory
- How to use supabase google auth provider in react naive expo app
- How to bypass keycloak login page and provide client suggested idp with spring security
- Issue with Discord OAuth2 redirect_uri component
- npm install error - invalid package.json
- Google Identity Platform: Using OAuth 2.0 in Powershell using Firebase Admin SDK private key
- Can I get the company name/logo with the LinkedIn API?
- PayPal REST API credentials of another business or party
- Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD
- Problems logging into coinbase api with oauth2
- Azure authentification for multiple audience using WithExtraScopesToConsent and AcquireTokenSilent
- Microsoft OAuth authorization code flow CORS
- How to authorize a request to the FCM v1 API with an access token
- Error creating bean with name 'corsConfigurationSource'
- MailKit OAuth2 SMTP Office365 Send Mail
- Which the correct way to implement an API request
- Issue with assessing data in blob storage using OAuth tokens from a dotnet app
- How do you access a patient's data via FHIR API?
- Unable to refresh access token : response is "unauthorized_client"
- How do I connect to Exchange Online using OAuth 2.0 in MailKit?