Context
I have an Azure B2C tenant with an App Registration called App Simulator. I have a .NET 8 C# console app that simulates activity on my application. To simulate users, the console app connects to Azure B2C using a dedicated User Flow that uses Resource Owner Password Credentials (ROPC) to get an access token.
I believe I followed the steps described in Microsoft’s documentation.
Here is the URL I use to get the access token:
POST https://<my_tenant>.b2clogin.com/<my_tenant>.onmicrosoft.com/B2C_1_<my_ropc>/oauth2/v2.0/token
Here is the body of my request with a content type of application/x-www-form-urlencoded:
username: "<my_user>@<my_tenant>.onmicrosoft.com"
password: "<password>"
scope: "openid <my_app_registration_id>"
client_id: "<my_app_registration_id>"
response_type: "token id_token"
grant_type: "password"
The MFA is disabled for the user.
Problem
I can’t get the token: I always get a 400 Bad Request status code from B2C, without any details or logs (aside from the non_parsable_oauth_error indicated by MSAL).
Here is the configuration of the App Registration:
oauth2AllowImplicitFlow=true
And the Granted Permissions:
Question
Why do I get a 400 - Bad Request when requesting an access token from Azure B2C using the ROPC flow in Postman?
2 Answers
The body of your request is not formed properly. The body needs to use URL parameter encoding, as if you were submitting a form.
Try your POST again with the following body:
username=<my_user>@<my_tenant>.onmicrosoft.com&password=<password>&scope=openid+<my_app_registration_id>&client_id=<my_app_registration_id>&response_type=token+id_token&grant_type=password
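As an added example (not code from the question or either answer), here is the first answer's point in Python: urlencode() produces the form body the token endpoint expects, and a pre-send check rejects the quoted `key: "value"` layout shown in the question. The tenant, policy, client ID and user values are constructed placeholders.

```python
"""Build a correctly form-encoded ROPC token request for an Azure AD B2C user flow."""
from urllib.parse import parse_qs, urlencode

# Constructed placeholder values for illustration; not a real tenant, app or user.
TENANT = "contoso"
POLICY = "B2C_1_ropc"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REQUIRED = {"username", "password", "scope", "client_id", "response_type", "grant_type"}


def token_endpoint(tenant: str, policy: str) -> str:
    """B2C token endpoint for a user flow (same shape as the URL in the question)."""
    return f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token"


def build_ropc_body(username: str, password: str, client_id: str) -> str:
    """Return the application/x-www-form-urlencoded body for the ROPC grant.

    urlencode() percent-encodes each value and joins pairs with '&': the space in
    the scope becomes '+', '@' becomes '%40'. No quotes, colons or newlines may
    appear around the values; that is what the endpoint rejects with a 400.
    """
    form = {
        "username": username,
        "password": password,
        "scope": f"openid {client_id}",  # openid plus the app's own ID as scope
        "client_id": client_id,
        "response_type": "token id_token",
        "grant_type": "password",
    }
    return urlencode(form)


def body_is_form_encoded(body: str) -> bool:
    """Sanity check before sending: parses as a form, all fields present, none quoted."""
    try:
        fields = parse_qs(body, strict_parsing=True)
    except ValueError:  # e.g. the 'username: "..."' layout from the question
        return False
    if set(fields) != REQUIRED:
        return False
    return not any(v[0].startswith('"') for v in fields.values())


if __name__ == "__main__":
    body = build_ropc_body("sim.user@contoso.onmicrosoft.com", "p@ssw0rd", CLIENT_ID)
    print("POST", token_endpoint(TENANT, POLICY))
    print("Content-Type: application/x-www-form-urlencoded")
    print(body, "valid:", body_is_form_encoded(body))
```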
I created one application in my Azure B2C tenant with ‘Supported account type’ as below:
Initially, I too got the same error when I tried to generate an access token using the ROPC flow via Postman for the above application:
Response:
To resolve the error, make sure to register the application with Supported account type as "Accounts in any identity provider or organizational directory (for authenticating users with user flows)":
Now I granted the same API permissions as you in the B2C app registration, like this:
In the App registration’s Manifest, I enabled the settings below to "true":
I enabled the mobile and desktop flows option to allow public clients:
When I replaced client_id and scope with the above application ID, I got a response with an access token successfully, like this:
Response:
From your API permissions image, I observed you added the profile permission, which won’t be present in a B2C app registration created with Supported account type as "Accounts in any identity provider or organizational directory (for authenticating users with user flows)". To resolve your issue, create a new B2C app registration with a supported type allowing user flows and generate the token again as I mentioned above.