Request an access token in Azure Active Directory B2C (2024)


An access token contains claims that you can use in Azure Active Directory B2C (Azure AD B2C) to identify the granted permissions to your APIs. To call a resource server, the HTTP request must include an access token. An access token is denoted as access_token in the responses from Azure AD B2C.

This article shows you how to request an access token for a web application and web API. For more information about tokens in Azure AD B2C, see the overview of tokens in Azure Active Directory B2C.

Note

Web API chains (On-Behalf-Of) are not supported by Azure AD B2C. Many architectures include a web API that needs to call another downstream web API, both secured by Azure AD B2C. This scenario is common in clients that have a web API back end, which in turn calls another service. This chained web API scenario can be supported by using the OAuth 2.0 JWT Bearer Credential grant, otherwise known as the On-Behalf-Of flow. However, the On-Behalf-Of flow is not currently implemented in Azure AD B2C. Although On-Behalf-Of works for applications registered in Microsoft Entra ID, it does not work for applications registered in Azure AD B2C, regardless of the tenant (Microsoft Entra ID or Azure AD B2C) that is issuing the tokens.

Prerequisites

  • Create a user flow to enable users to sign up and sign in to your application.
  • If you haven't already done so, add a web API application to your Azure Active Directory B2C tenant.

Scopes

Scopes provide a way to manage permissions to protected resources. When an access token is requested, the client application needs to specify the desired permissions in the scope parameter of the request. For example, to specify the Scope Value of read for the API that has the App ID URI of https://contoso.onmicrosoft.com/api, the scope would be https://contoso.onmicrosoft.com/api/read.

Scopes are used by the web API to implement scope-based access control. For example, users of the web API could have both read and write access, or users of the web API might have only read access. To acquire multiple permissions in the same request, you can add multiple entries in the single scope parameter of the request, separated by spaces.

The following example shows scopes decoded in a URL:

scope=https://contoso.onmicrosoft.com/api/read openid offline_access

The following example shows scopes encoded in a URL:

scope=https%3A%2F%2Fcontoso.onmicrosoft.com%2Fapi%2Fread%20openid%20offline_access

If you request more scopes than what is granted for your client application, the call succeeds if at least one permission is granted. The scp claim in the resulting access token is populated with only the permissions that were successfully granted.

OpenID Connect scopes

The OpenID Connect standard specifies several special scope values. The following scopes represent the permission to access the user's profile:

  • openid - Requests an ID token.
  • offline_access - Requests a refresh token using Auth Code flows.
  • 00000000-0000-0000-0000-000000000000 - Using the client ID as the scope indicates that your app needs an access token that can be used against your own service or web API, represented by the same client ID.

If the response_type parameter in an /authorize request includes token, the scope parameter must include at least one resource scope other than openid and offline_access that will be granted. Otherwise, the /authorize request fails.

Request a token

To request an access token, you need an authorization code. The following is an example of a request to the /authorize endpoint for an authorization code:

GET https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize?client_id=<application-ID>&nonce=anyRandomValue&redirect_uri=https://jwt.ms&scope=<application-ID-URI>/<scope-name>&response_type=code

Replace the values in the query string as follows:

  • <tenant-name> - The name of your Azure AD B2C tenant. If you're using a custom domain, replace tenant-name.b2clogin.com with your domain, such as contoso.com.
  • <policy-name> - The name of your custom policy or user flow.
  • <application-ID> - The application identifier of the web application that you registered to support the user flow.
  • <application-ID-URI> - The application identifier URI that you set under Expose an API blade of the client application.
  • <scope-name> - The name of the scope that you added under Expose an API blade of the client application.
  • <redirect-uri> - The Redirect URI that you entered when you registered the client application.

To get a feel for how the request works, paste the request into your browser and run it.

This is the interactive part of the flow, where you take action. You're asked to complete the user flow's workflow, which might involve entering your username and password in a sign-in form or any number of other steps. The steps you complete depend on how the user flow is defined.

The response with the authorization code should be similar to this example:

https://jwt.ms/?code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMC...

After successfully receiving the authorization code, you can use it to request an access token. The parameters are in the body of the HTTP POST request:

POST <tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/token HTTP/1.1
Host: <tenant-name>.b2clogin.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&client_id=<application-ID>&scope=<application-ID-URI>/<scope-name>&code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMC...&redirect_uri=https://jwt.ms&client_secret=2hMG2-_:y12n10vwH...

If you want to test this POST HTTP request, you can use any HTTP client such as Microsoft PowerShell.
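The two requests above, assembled in code. This is an added example, not code from the article or from Microsoft: the tenant name, policy, client ID, API App ID URI and client secret are constructed placeholders, and the scope value is percent-encoded the way the Scopes section shows (`%3A`, `%2F`, `%20`). The network call in `redeem_code` is the only part that needs a real tenant; everything else runs offline.

```python
"""Build the Azure AD B2C authorization-code request and the follow-up
token request. Added example with constructed placeholder values."""
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed placeholders: replace with the values from your own app registration.
TENANT = "contoso"
POLICY = "B2C_1_signupsignin1"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "https://jwt.ms"
API_APP_ID_URI = "https://contoso.onmicrosoft.com/api"


def b2c_endpoint(tenant: str, policy: str, name: str) -> str:
    """Return the /authorize or /token endpoint for one policy (user flow)."""
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/{name}")


def build_scope(api_app_id_uri: str, scope_names, want_id_token=True,
                want_refresh_token=True) -> str:
    """Space-separated scope value: one '<App ID URI>/<scope>' per API
    permission, plus the OpenID Connect scopes openid / offline_access."""
    scopes = [f"{api_app_id_uri}/{name}" for name in scope_names]
    if want_id_token:
        scopes.append("openid")
    if want_refresh_token:
        scopes.append("offline_access")
    return " ".join(scopes)


def authorize_url(scope: str, nonce: str) -> str:
    """GET URL for the /authorize step. quote() with safe='' percent-encodes
    ':' '/' and space as %3A %2F %20, matching the encoded form above."""
    params = {
        "client_id": CLIENT_ID,
        "nonce": nonce,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "response_type": "code",
    }
    return (b2c_endpoint(TENANT, POLICY, "authorize") + "?"
            + urlencode(params, quote_via=quote, safe=""))


def code_from_redirect(redirect_url: str) -> str:
    """Pull the authorization code out of the redirect back to redirect_uri."""
    query = parse_qs(urlsplit(redirect_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("redirect carries no single authorization code")
    return codes[0]


def token_request(code: str, scope: str, client_secret: str):
    """Assemble the POST /token request: endpoint, headers and form body."""
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "scope": scope,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_secret": client_secret,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return b2c_endpoint(TENANT, POLICY, "token"), headers, body


def redeem_code(code: str, scope: str, client_secret: str) -> dict:
    """Send the token request and parse the JSON response (network call)."""
    url, headers, body = token_request(code, scope, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    scope = build_scope(API_APP_ID_URI, ["read"])
    # A fresh random nonce per request; the value comes back in the token.
    print("Paste into a browser:", authorize_url(scope, secrets.token_urlsafe(16)))
```

Run the script, open the printed URL, complete the user flow, then pass the `code` from the `https://jwt.ms/?code=...` redirect to `redeem_code` together with the same scope value and the client secret.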

A successful token response looks like this:

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN...",
  "token_type": "Bearer",
  "not_before": 1549647431,
  "expires_in": 3600,
  "expires_on": 1549651031,
  "resource": "f2a76e08-93f2-4350-833c-965c02483b11",
  "profile_info": "eyJ2ZXIiOiIxLjAiLCJ0aWQiOiJjNjRhNGY3ZC0zMDkxLTRjNzMtYTcyMi1hM2YwNjk0Z..."
}

When using https://jwt.ms to examine the access token that was returned, you should see something similar to the following example:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "X5eXk4xyojNFum1kl2Ytv8dl..."
}.{
  "iss": "https://contoso0926tenant.b2clogin.com/c64a4f7d-3091-4c73-a7.../v2.0/",
  "exp": 1549651031,
  "nbf": 1549647431,
  "aud": "f2a76e08-93f2-4350-833c-965...",
  "oid": "1558f87f-452b-4757-bcd1-883...",
  "sub": "1558f87f-452b-4757-bcd1-883...",
  "name": "David",
  "tfp": "B2C_1_signupsignin1",
  "nonce": "anyRandomValue",
  "scp": "read",
  "azp": "38307aee-303c-4fff-8087-d8d2...",
  "ver": "1.0",
  "iat": 1549647431
}.[Signature]
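What a web API should do with these claims before serving the request, as an added example (not code from the article or from Microsoft). The sample token is constructed from the claim layout above with a placeholder third segment, so it carries no real signature; the expected issuer, audience and policy are constructed placeholders. The RS256 signature must be verified against the key named by `kid` from the policy's published keys before any of the claim checks below mean anything; that step is delegated to a JWT library and is not shown here.

```python
"""Inspect an Azure AD B2C access token and enforce its claims.
Added example; the sample token is constructed with a placeholder signature."""
import base64
import json
import time

# Expected values for this API, constructed for the example.
EXPECTED_ISSUER = "https://contoso.b2clogin.com/11111111-1111-1111-1111-111111111111/v2.0/"
EXPECTED_AUDIENCE = "f2a76e08-93f2-4350-833c-965c02483b11"  # the API's own client ID
EXPECTED_POLICY = "B2C_1_signupsignin1"


def b64url_decode(segment: str) -> bytes:
    """JWT segments drop the '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def split_jwt(token: str):
    """Return (header, payload, signature_segment) without trusting any of it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS compact token has exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts[2]


def signing_key_id(header: dict) -> str:
    """Pin the algorithm before looking up a key: B2C signs with RS256.
    Refusing any other alg closes the 'alg: none' / key-confusion class of
    bugs. The kid selects the verification key from the policy's key set."""
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    kid = header.get("kid")
    if not kid:
        raise ValueError("token header has no kid")
    return kid


def claim_errors(payload: dict, required_scopes, now=None, leeway=60) -> list:
    """Checks to run AFTER the signature has been verified with the key named
    by kid. Returns a list of problems; empty means the token is acceptable
    for this API. leeway (seconds) absorbs clock skew between issuer and API."""
    now = time.time() if now is None else now
    errors = []
    if payload.get("iss") != EXPECTED_ISSUER:
        errors.append("issuer mismatch (iss)")
    aud = payload.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in aud:
        errors.append("token was not issued for this API (aud)")
    if payload.get("tfp") != EXPECTED_POLICY:
        errors.append("issued by an unexpected policy (tfp)")
    if now + leeway < payload.get("nbf", 0):
        errors.append("token not yet valid (nbf)")
    if now - leeway >= payload.get("exp", 0):
        errors.append("token expired (exp)")
    # scp holds only the scopes that were actually granted, space-separated.
    granted = set(payload.get("scp", "").split())
    missing = set(required_scopes) - granted
    if missing:
        errors.append("missing scope(s): " + " ".join(sorted(missing)))
    return errors


# Constructed sample mirroring the decoded example above; the third segment
# is a placeholder, not a real signature.
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid-1"}
SAMPLE_PAYLOAD = {
    "iss": EXPECTED_ISSUER, "exp": 1549651031, "nbf": 1549647431,
    "aud": EXPECTED_AUDIENCE, "sub": "constructed-subject-id", "name": "David",
    "tfp": EXPECTED_POLICY, "nonce": "anyRandomValue", "scp": "read",
    "azp": "constructed-client-app-id", "ver": "1.0", "iat": 1549647431,
}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps(SAMPLE_HEADER).encode()),
    b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
    "PLACEHOLDER-SIGNATURE",
])

if __name__ == "__main__":
    hdr, body, _ = split_jwt(SAMPLE_TOKEN)
    print("verify with key", signing_key_id(hdr))
    print("errors at issue time:", claim_errors(body, ["read"], now=1549648000))
    print("errors for a write call:", claim_errors(body, ["write"], now=1549648000))
```

Checking `aud` against the API's own client ID is what prevents a token minted for one API from being replayed against another; the `tfp` check matters because each policy is a separate trust boundary, and the scope check is where the scope-based access control described under Scopes is actually enforced.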

Next steps

  • Learn about how to configure tokens in Azure AD B2C

FAQs

How do I get the access token from Azure AD B2C?

Here are the general steps to follow: Register your application in Azure AD B2C and obtain a client ID and client secret. Use the client ID and client secret to obtain an access token from Azure AD B2C. Use the access token to call your REST API by including it in the Authorization header of your HTTP requests.

How do I get Azure AD B2C access token using Postman?

Use Postman to get the Azure AD token
  1. Launch Postman.
  2. For the method, select GET.
  3. On the Headers tab, add Content-Type key and application/x-www-form-urlencoded for the value.
  4. Select Send to send the request to get the token. You see the token in the result. Save the token (excluding double quotes).

How do you validate Azure AD B2C access token?

To verify the token, you need to decrypt the signature with public key to get hash 1, hashing the header + payload to get hash 2 then compare hash 1 and hash 2. If 2 hashes are matched, then the token is valid. According to the doc, Azure AD B2C uses the RS256 algorithm, which is based on the RFC 3447 specification.

What is a B2C token?

Azure AD B2C supports the OAuth 2.0 and OpenID Connect protocols, which make use of tokens for authentication and secure access to resources. All tokens used in Azure AD B2C are JSON web tokens (JWTs) that contain assertions of information about the bearer and the subject of the token.

How do I get my access token?

Get Access Tokens
  1. To request an access token, make a POST call to the token URL.
  2. When a user authenticates, you request an access token and include the target audience and scope of access in your request. ...
  3. In only one specific instance, access tokens can have multiple target audiences.

Where do I find my Azure access token?

The token was obtained by using Azure Active Directory OAuth2 Flow. Specifically, it's OAuth2 implicit flow with the authorization URL: https://login.microsoftonline.com/common/oauth2/authorize and "user_impersonation" scope (Source). This flow only requires user sign in to get an access token.

How to get bearer token from Azure Active Directory?

To get the Azure Active Directory token we have to do: Select the GET method. Type the request https://management.azure.com/subscriptions/{{subscriptionId}}/resourcegroups?api-version=2017-05-10. Select Authorization Type "Bearer Token", and paste the token that we have been created on the previous step.

How do I access Azure AD B2C?

Sign in to the Azure portal. If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu. Under Azure services, select Azure AD B2C. Or use the search box to find and select Azure AD B2C.

What is an Azure Active Directory token?

An access token contains claims that you can use in Azure Active Directory B2C (Azure AD B2C) to identify the granted permissions to your APIs. To call a resource server, the HTTP request must include an access token. An access token is denoted as access_token in the responses from Azure AD B2C.

What are the authentication options for Azure AD B2C?

You can configure Azure AD B2C to allow users to sign in to your application with credentials from external social or enterprise identity providers (IdPs). Azure AD B2C supports many external identity providers and any identity provider that supports OAuth 1.0, OAuth 2.0, OpenID Connect, and SAML protocols.

How long is the Azure B2C token?

The default is 60 minutes (1 hour). The minimum (inclusive) is 5 minutes. The maximum (inclusive) is 1,440 minutes (24 hours).

How do I authenticate using Azure Active Directory?

User Authentication: On the Azure AD sign-in page, the user enters their password and username. Token Issuance: Azure AD validates the user's identity by providing a token to the application if the credentials are acceptable. Access Granted: The legitimacy of the token is verified by the software.

What is the difference between Azure AD and Azure B2C?

Azure Active Directory vs Azure AD B2C

While Azure AD is primarily designed for businesses to manage their internal resources and applications, Azure AD B2C is a cloud-based customer identity and access management solution that enables businesses to manage their customer-facing applications and services.

How does B2C authentication work?

It requires you to present users with a form to enter their username and password. As mentioned in the guidance concerning Universal Login, the simplest and safest way to authenticate users with a username and password is to redirect them to a centralized login page and collect their username and password there.

How do I get the JWT token from Azure AD?

In order to get the JWT token, we need to first hit the Azure /token by providing the client credentials. Go back to Azure Portal and click on the application name that we registered in the Azure AD and in the overview screen, click "Endpoints".

How do I get an access token for management Azure com?

Manually create a SAS token
  1. Navigate to your Azure API Management instance in the Azure portal.
  2. Select Management API from the Deployment + infrastructure section of the menu on the left.
  3. In Enable API Management REST API, select Yes. ...
  4. Specify the expiration date and time for the access token in the Expiry text box.

How to get OAuth 2.0 access token?

  1. Obtain OAuth 2.0 credentials from the Google API Console.
  2. Obtain an access token from the Google Authorization Server.
  3. Examine scopes of access granted by the user.
  4. Send the access token to an API.
  5. Refresh the access token, if necessary.
