
azure ad b2c run user flow doesn't return token with scopes on it


I have configured a user flow. I select Access Tokens -> Resource {One of my APIs} Scopes {All of my related scopes} and press Run User Flow and add the callback URL to be jwt.ms, but I don't see the scopes on the token. Why?


Solution

  • For the scopes to be included in the token, the token endpoint must be called. When we run the user flow we get an access token from the authorization endpoint, something like below:


    https://xxxb2c.b2clogin.com/xxxb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_reposcope&client_id=1cf9xxxa5&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fxxxb2c.b2clogin.com%2Fxxxb2c.onmicrosoft.com%2Foauth2%2Fauthresp&scope=openid&response_type=id_token&prompt=login
    

    Here we get an access token for the app:


    For scopes to be present:

    Make sure to grant the correct API permissions that are required to call your API, and expose the scopes under Expose an API.


    Expose an API:


    Use the endpoint below, just modifying the URL taken from Run user flow:

    Set response_type=code and include the scopes: &scope=https://xxxb2c.onmicrosoft.com/1cf9d6axxx2a5/.default or &scope=openid profile offline_access

    Auth URL:

    https://xxx2c.b2clogin.com/xb2c.onmicrosxxxoft.com/oauth2/v2.0/authorize?p=B2C_1_reposcope&client_id=1cf9d6xxx098e2a5&client_secret=6oo8Q~Ax_ZC-xxcfw&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=https://xxxb2c.onmicrosoft.com/1cf9xxxx18-2c719098e2a5/.default openid profile offline_access&response_type=code&prompt=login


    Take the code, note it down, and then call the token endpoint with the scopes and the correct client secret, placing the copied code in the token endpoint below:

    Token endpoint:

    https://xxxb2c.b2clogin.com/xxxb2c.onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_reposcope&client_id=1cf9d6xxx2a5&client_secret=6oo8xxx_ZC-cfw&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=https://xxxb2c.onmicrosoft.com/1cf9xxx098e2a5/.default openid profile offline_access&response_type=id_token&prompt=login&grant_type=authorization_code&code=<paste the code here>

    Claims in token:

    Scopes can be seen in the token:

    {
        "id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrNHh5b2pORnVtMWtsMll0djhkbE5QNC1jNTdkTzZRR1RWQndhTmsixxxxxxxxxxxx",
        "token_type":"Bearer",
        "not_before":1677569996,
        "id_token_expires_in":3600,
        "profile_info":"xx",
        "scope":"offline_access openid",
        "refresh_token":"eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ..xxx",
        "refresh_token_expires_in":1209600
    }
    

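As an added example (not code from the question or the answer above), here is a Python sketch of the two legs the answer describes: the authorize request with response_type=code, and the exchange of that code at the token endpoint, followed by an unverified decode of the returned access token so you can confirm which scopes actually landed in its scp claim. Every tenant, policy, client id, secret and scope value here is a constructed placeholder, not the tenant from the post, and the client secret is sent only in the POST body of the token request, never in a query string. The sample token is an unsigned fixture built locally so the script runs offline; the decoder is for inspection only and performs no signature validation.

```python
"""Build and inspect an Azure AD B2C authorization-code exchange.

Added example, not from the original post. All identifiers below are
constructed placeholders; replace them with values from your own tenant.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders (hypothetical tenant, policy, app and scope names).
TENANT = "contosob2c"
POLICY = "B2C_1_signupsignin"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_SECRET = "PLACEHOLDER-CLIENT-SECRET"
REDIRECT_URI = "https://jwt.ms"
API_APP_ID_URI = f"https://{TENANT}.onmicrosoft.com/demo-api"


def b2c_endpoint(tenant: str, policy: str, name: str) -> str:
    """B2C v2.0 endpoint using the ?p=<policy> form the answer uses."""
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com"
            f"/oauth2/v2.0/{name}?p={policy}")


def build_authorize_url(tenant, policy, client_id, redirect_uri, scopes,
                        state, nonce) -> str:
    """First leg: ask for a code (not an id_token) and name the API scopes.

    No secret belongs in this URL; it is shown to the user's browser.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "prompt": "login",
    }
    return b2c_endpoint(tenant, policy, "authorize") + "&" + urlencode(params)


def extract_code_from_redirect(redirect_url: str):
    """Pull code and state out of the URL the browser was redirected to."""
    query = parse_qs(urlsplit(redirect_url).query)
    return query["code"][0], query.get("state", [None])[0]


def build_token_request(tenant, policy, client_id, client_secret,
                        redirect_uri, scopes, code):
    """Second leg: (url, form_body) for the POST to the token endpoint.

    The secret travels in the form body; the scope list must be repeated
    here for the API scopes to appear in the access token.
    """
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "code": code,
    }
    return b2c_endpoint(tenant, policy, "token"), body


def decode_jwt_payload_unverified(token: str) -> dict:
    """Decode the payload segment only. Inspection aid, NOT validation."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def granted_scopes(access_token: str) -> list:
    """Delegated scopes that B2C placed in the token's scp claim."""
    return decode_jwt_payload_unverified(access_token).get("scp", "").split()


def missing_scopes(access_token: str, required: list) -> list:
    """Scopes you asked for that did not make it into the token."""
    have = set(granted_scopes(access_token))
    return [s for s in required if s not in have]


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned fixture so the inspection code runs offline."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    scopes = ["openid", "offline_access", f"{API_APP_ID_URI}/read"]
    print(build_authorize_url(TENANT, POLICY, CLIENT_ID, REDIRECT_URI,
                              scopes, "state-123", "nonce-456"))
    code, _ = extract_code_from_redirect("https://jwt.ms/?code=CONSTRUCTED&state=state-123")
    url, body = build_token_request(TENANT, POLICY, CLIENT_ID, CLIENT_SECRET,
                                    REDIRECT_URI, scopes, code)
    print(url, body["grant_type"])
    token = make_sample_token({"aud": CLIENT_ID, "scp": "read"})
    print("missing:", missing_scopes(token, ["read", "write"]))
```

In a real run you would POST `body` to `url` with any HTTP client and then pass the `access_token` field of the JSON response to `missing_scopes`; an empty list means every requested API scope was granted, while a non-empty one points back at the Expose an API and API permissions steps in the answer.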