I am trying to exchange a code for an access token from Azure B2C to identify the user's oid right after they sign up or sign in, but each time I make the request, I encounter the following error message:
Status 404 Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
The guide I followed is from Microsoft's page: https://learn.microsoft.com/en-us/azure/active-directory-b2c/access-tokens
POST <tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/token HTTP/1.1
Host: <tenant-name>.b2clogin.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=<application-ID>
&scope=<application-ID-URI>/<scope-name>
&code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMC...
&redirect_uri=https://jwt.ms
&client_secret=2hMG2-_:y12n10vwH...
Here is what I have in place of Microsoft's example:
URL: dev.mycompanyname.net.b2clogin.com/devb2c.dev.mycompanyname.net.onmicrosoft.com/B2C_1_Sign/oauth2/v2.0/token
dev.mycompanyname.net is retrieved from either (Microsoft Entra ID -> Overview -> Primary domain) or (Azure AD B2C -> Overview -> Domain Name). Both gave me 'dev.mycompanyname.net'.
B2C_1_Sign is retrieved from (Azure AD B2C --> Policies --> User Flows --> Name --> 'A policy I used to sign in, the exact name')
grant_type=authorization_code
client_id=I got this value from (App Registration --> My App --> Overview --> Application (client) ID)
code=(The exact code after ?code=, when the sign up or sign in process finishes and my callback or redirect gets called)
redirect_uri=(App Registration --> My App --> Managed --> Authentication --> Redirect URIs)
client_secret=I got this from (App Registration --> My App --> Managed --> Certificates & Secrets --> Value)
I removed scope as I didn't have any scope added.
Here is the screenshot of Postman with the values:
Here is what I have as the Headers:
Content-Type: application/x-www-form-urlencoded
Host: dev.mycompanyname.net.b2clogin.com
I am using the tenant name, which is what I see as the domain name:
I have my redirect URL added and matching.
What am I missing here, why am I not able to exchange the code for an access token?
SOLUTION:
Thank you @Sridevi, my URL was indeed incorrect. For some reason, the tenant name that I got was incorrect, even though that is where Microsoft tells me to look. For anyone facing a similar issue with the URL who thinks it's their tenant name, I got a different tenant name from the Manifest.
Azure Home -> App Registration -> All Apps -> 'Choose your App' -> Manage -> Manifest -> publisherDomain -> 'Value'.onmicrosoft.com
Mine was:
"publisherDomain": "clientdevb2c.onmicrosoft.com"
I grabbed the 'clientdevb2c' part as my tenant name.
Initially, I registered one application with the redirect URI https://jwt.ms in my Azure AD B2C tenant:
Now, I enabled Application ID URI and exposed an API with the scope below:
Make sure to add this scope in API permissions and grant admin consent to it:
To request an access token, you need an authorization code. You can run the authorization request below in a browser to get the code:
GET https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize?
client_id=<application-ID>
&nonce=anyRandomValue
&redirect_uri=https://jwt.ms
&scope=<application-ID-URI>/<scope-name>
&response_type=code
Once the authentication is successful, you will get the code value in the address bar like this:
To request the access token in Azure AD B2C, I used the parameters below in Postman and got a response like this:
POST https://b2ctenantname.b2clogin.com/b2ctenantname.onmicrosoft.com/B2C_1_SignIn/oauth2/v2.0/token
grant_type:authorization_code
client_id:appId
scope: https://b2ctenantname.onmicrosoft.com/appId/Files.Read
code: <code from above request>
redirect_uri: https://jwt.ms
client_secret: secret
Response:
You can decode this access token in jwt.ms website to find the signed-in user's Object ID:
The error you are getting usually occurs if you include an extra or invalid character in the B2C tenant name when running the token request.
When I ran the same token request with an extra character (-) in the tenant name, I got the same error:
POST https://b2c-tenant-name.b2clogin.com/b2c-tenant-name.onmicrosoft.com/B2C_1_SignIn/oauth2/v2.0/token
grant_type:authorization_code
client_id:appId
scope: https://b2ctenantname.onmicrosoft.com/appId/Files.Read
code: <code from above request>
redirect_uri: https://jwt.ms
client_secret: secret
Response:
In your case, make sure to pass your Azure AD B2C tenant's name in the token request correctly.
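As an added example (not code from the question or the answer), the following Python builds the token request described above, rejects the two tenant-name mistakes shown on this page (a custom domain such as dev.mycompanyname.net and a hyphenated name), and reads the oid claim from a token the way jwt.ms does. The client ID, code, oid and sample token are constructed placeholders.

```python
import base64
import json
import re
import urllib.request
from urllib.parse import urlencode

# The tenant name is the bare label before ".onmicrosoft.com" (e.g.
# "b2ctenantname"); a custom domain or a "-" in it produces the 404 above.
_TENANT_RE = re.compile(r"^[A-Za-z0-9]+$")

def is_bare_tenant_name(tenant):
    return bool(_TENANT_RE.match(tenant))

def build_token_url(tenant, policy):
    """Token endpoint for a user flow; rejects malformed tenant names."""
    if not is_bare_tenant_name(tenant):
        raise ValueError(f"{tenant!r} is not a bare tenant name; use the label "
                         "before .onmicrosoft.com (manifest publisherDomain)")
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/token")

def build_token_form(client_id, code, redirect_uri, client_secret, scope=None):
    """Body for the authorization_code grant; scope may be omitted."""
    form = {"grant_type": "authorization_code", "client_id": client_id,
            "code": code, "redirect_uri": redirect_uri,
            "client_secret": client_secret}
    if scope:
        form["scope"] = scope
    return urlencode(form)

def exchange_code(tenant, policy, form_body):
    """POST the form to the token endpoint and return the JSON response."""
    req = urllib.request.Request(
        build_token_url(tenant, policy), data=form_body.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def oid_from_token(token):
    """Read 'oid' from the JWT payload WITHOUT verifying the signature
    (debugging only, like jwt.ms); an API must verify against the JWKS."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["oid"]

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
# Constructed, unsigned sample token with a hypothetical oid, for offline use.
SAMPLE_OID = "11111111-2222-3333-4444-555555555555"
SAMPLE_TOKEN = _b64url(b'{"alg":"none"}') + "." + _b64url(
    json.dumps({"oid": SAMPLE_OID}).encode()) + "."
```

Keep the client secret out of source (read it from an environment variable or a vault) and call exchange_code only from a backend, never from browser code.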