Home > Blockchain >  Scope missing in access token claims in Azure B2C OAuth Client credential flow
Scope missing in access token claims in Azure B2C OAuth Client credential flow

Time:08-22

I have followed the enter image description here

I have also generated a client secret and attempted to retrieve a token using the client-credentials grant type. While it returns a valid token. It doesn't appear to contain the scp claim which should be the access_as_***** value. How might I get this claim to appear in the token response when the access_token is decoded?

enter image description here

CodePudding user response:

Please note that, client-credentials grant type works with Application permissions only. As your exposed API scope is Delegated, it won't work with client-credentials grant type.

In addition to that, you are using wrong token endpoint to generate the token.

You can get token endpoint of your application like below:

Go to Azure Portal -> Azure AD B2C -> App registrations -> Your App -> Overview -> Endpoints

enter image description here

I tried to reproduce the same in my environment and got the below results:

I have registered an API application and created AppRole by changing its manifest like below:

"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"description": "Access API",
"displayName": "Demo",
"id": "xxxx-xxxx-xxxx-xxxx-xxxxxxxx",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "access_as_api"
}
],

Manifest of MyAPI:

enter image description here

To generate the id, you can user either PowerShell or online GUID generator

I added this API scope in my application like below:

enter image description here

Make sure to grant consent for that added permission and it is of Application type:

enter image description here

I generated the access token using client-credentials grant type like below:

enter image description here

I got the scp claim successfully when I decoded the token like below:

enter image description here

  • Related