
Using OAuth2 Client Credentials grant type in Azure ADB2C

Published September 6, 2020 in Azure, Azure ADB2C, OAuth2, security

In the past, I worked on a project in which we had to register applications in both a regular Azure AD tenant and an Azure AD B2C tenant, just because the OAuth2 Client Credentials grant type was not supported in Azure AD B2C. However, I recently learned that it is now possible to use this grant type to obtain an access token for an app in Azure AD B2C.

Not so long ago, it was not possible to obtain an access token for an application registered in Azure AD B2C using the OAuth2 Client Credentials grant type. This was evident in both Microsoft's documentation and the token endpoint itself: the B2C token endpoint is specific to a user flow, whereas the OAuth2 Client Credentials grant type involves no user interaction because it is meant for service-to-service communication.

AD B2C token endpoint is specific to a user flow.

In an older version of the "current limitations" page for Azure AD B2C, Microsoft stated that the OAuth2 Client Credentials grant type was not supported. The document has since been updated, but here is the original content as quoted in a Stack Overflow post:

Applications that contain long-running processes or that operate without the presence of a user also need a way to access secured resources, such as Web APIs. These applications can authenticate and get tokens by using the application’s identity (rather than a consumer’s delegated identity) in the OAuth 2.0 client credentials flow. This flow is not yet available in Azure AD B2C, so for now, applications can get tokens only after an interactive consumer sign-in flow has occurred.

Azure B2C client credentials grant

Microsoft has updated the document to indicate that it is now possible to use the OAuth2 Client Credentials grant type in Azure AD B2C:

Although the OAuth 2.0 client credentials grant flow is not currently directly supported by the Azure AD B2C authentication service, you can set up client credential flow using Azure AD and the Microsoft identity platform /token endpoint for an application in your Azure AD B2C tenant. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants.

Application types supported by Azure ADB2C

I tested it out and it worked for me. Here is a sample POST request:

curl --location --request POST 'https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_secret={client-secret}' \
--data-urlencode 'client_id={client-id}' \
--data-urlencode 'scope=https://graph.microsoft.com/.default'

In the above request, {tenant-id} is the id of the Azure AD B2C tenant (the tenant's {tenant-name}.onmicrosoft.com domain also works in that path segment), {client-id} refers to the id of the app I registered in Azure AD B2C, and {client-secret} is the secret of that app. Note that the parameters are form-encoded in the body of the request and not included in the query parameters. At first, I mistakenly put the parameters in the query string and that did not work.
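The same token request expressed in Python, as an added example that is not the post author's code. It builds the request with the grant parameters in the form-encoded body (the point the post makes about query parameters), and adds a small inspection helper that decodes the returned JWT's claims without verifying it, so a caller can confirm the token is app-only and issued for the expected audience. The tenant, client id, secret and the sample claims are constructed placeholders; the resource server that receives the token must still validate its signature, issuer, audience and expiry.

```python
"""Client credentials token request against the Microsoft identity platform
v2.0 token endpoint, plus an offline check of the issued token's claims."""
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# The path segment is the B2C tenant (tenant id GUID or
# {tenant-name}.onmicrosoft.com), not the app's client id.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_token_request(tenant, client_id, client_secret, scope):
    """Return a urllib Request carrying the grant parameters in the
    form-encoded body. Sending them as query parameters does not work
    with this endpoint and would also leak the secret into access logs."""
    url = TOKEN_ENDPOINT.format(tenant=tenant)
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    return Request(
        url,
        data=urlencode(form).encode("utf-8"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def request_token(req, timeout=10):
    """Send the request and return the parsed JSON token response.
    Needs network access; not exercised in the offline demo below."""
    with urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying the
    signature. Use only to inspect what was issued, never as validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_app_only_token(claims, expected_client_id, expected_audience):
    """Return a list of problems (empty if the token looks right).
    App-only tokens name the caller in 'appid' (v1) or 'azp' (v2) and
    carry no 'scp' claim; 'scp' means a delegated (user) token."""
    problems = []
    if claims.get("aud") != expected_audience:
        problems.append("unexpected audience")
    caller = claims.get("azp") or claims.get("appid")
    if caller != expected_client_id:
        problems.append("token not issued to this client")
    if "scp" in claims:
        problems.append("delegated token, not client credentials")
    return problems


def make_sample_token(claims):
    """Build an unsigned sample JWT for offline demonstration. This is a
    constructed value, not a token issued by Azure AD."""
    def enc(obj):
        raw = json.dumps(obj).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Placeholder tenant/app values; replace with your own to send for real.
    req = build_token_request("contoso-tenant-id", "app-client-id",
                              "app-secret", "https://graph.microsoft.com/.default")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    sample = make_sample_token({"aud": "https://graph.microsoft.com",
                                "appid": "app-client-id", "tid": "contoso-tenant-id"})
    print(check_app_only_token(decode_jwt_claims(sample),
                               "app-client-id", "https://graph.microsoft.com"))
```

To actually obtain a token, pass the built request to request_token and read the access_token field of the response; the claim check is then run on that value rather than on the constructed sample.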

You can also use the Microsoft Graph SDK to obtain an access token for your Azure AD B2C app by implementing an IAuthenticationProvider that uses the client credentials of your app. To learn more, check out the documentation.

References

Azure B2C client credentials grant

Manage Azure ADB2C with Microsoft Graph

Build .NET Core apps with Microsoft Graph

Choose a Microsoft Graph authentication provider based on scenario
