Question posted in 
I’m new to Azure B2C. This is the file called "trustframeworkextension.xml" that I’m using.
After I logged in through my identity provider (IDP), I received a error message saying, "Message: Basic credentials specified for ‘REST-AcquireAccessTokenForGraph’ are invalid. Check that the credentials are correct and that access has been granted by the resource."
Can you help me fix this issue?
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="testingorganization.onmicrosoft.com" PolicyId="B2C_1A_TrustFrameworkExtensions" PublicPolicyUri="http://testingorganization.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions" TenantObjectId="da0052bc-b835-4855-bc14-df4cb987c518">
<BasePolicy>
<TenantId>testing.onmicrosoft.com</TenantId>
<PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
</BasePolicy>
<BuildingBlocks>
<ClaimsSchema>
<ClaimType Id="groups">
<DisplayName>Collection of group membership IDs</DisplayName>
<DataType>stringCollection</DataType>
</ClaimType>
<ClaimType Id="group_1">
<DisplayName>Group 1</DisplayName>
<DataType>string</DataType>
</ClaimType>
<ClaimType Id="group_2">
<DisplayName>Group 2</DisplayName>
<DataType>string</DataType>
</ClaimType>
<ClaimType Id="group_3">
<DisplayName>Group 3</DisplayName>
<DataType>string</DataType>
</ClaimType>
<ClaimType Id="isMemberOfAllowGroup">
<DisplayName>isMemberOfAllowGroup</DisplayName>
<DataType>boolean</DataType>
</ClaimType>
<ClaimType Id="grant_type">
<DisplayName>Grant type</DisplayName>
<DataType>string</DataType>
</ClaimType>
<ClaimType Id="scope">
<DisplayName>scope</DisplayName>
<DataType>string</DataType>
</ClaimType>
<ClaimType Id="bearerToken">
<DisplayName>Bearer token</DisplayName>
<DataType>string</DataType>
</ClaimType>
<ClaimType Id="responseMsg">
<DisplayName>Error</DisplayName>
<DataType>string</DataType>
<UserInputType>Paragraph</UserInputType>
</ClaimType>
</ClaimsSchema>
<ClaimsTransformations>
<ClaimsTransformation Id="AddGroup_1" TransformationMethod="AddItemToStringCollection">
<InputClaims>
<InputClaim ClaimTypeReferenceId="group_1" TransformationClaimType="item" />
<InputClaim ClaimTypeReferenceId="groups" TransformationClaimType="collection" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="groups" TransformationClaimType="collection" />
</OutputClaims>
</ClaimsTransformation>
<ClaimsTransformation Id="AddGroup_2" TransformationMethod="AddItemToStringCollection">
<InputClaims>
<InputClaim ClaimTypeReferenceId="group_2" TransformationClaimType="item" />
<InputClaim ClaimTypeReferenceId="groups" TransformationClaimType="collection" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="groups" TransformationClaimType="collection" />
</OutputClaims>
</ClaimsTransformation>
<ClaimsTransformation Id="AddGroup_3" TransformationMethod="AddItemToStringCollection">
<InputClaims>
<InputClaim ClaimTypeReferenceId="group_3" TransformationClaimType="item" />
<InputClaim ClaimTypeReferenceId="groups" TransformationClaimType="collection" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="groups" TransformationClaimType="collection" />
</OutputClaims>
</ClaimsTransformation>
<ClaimsTransformation Id="CheckIfMemberOfAllowGroup" TransformationMethod="StringCollectionContains">
<InputClaims>
<InputClaim ClaimTypeReferenceId="groups" TransformationClaimType="inputClaim" />
</InputClaims>
<InputParameters>
<InputParameter Id="item" DataType="string" Value="admins" />
<InputParameter Id="ignoreCase" DataType="string" Value="true" />
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="isMemberOfAllowGroup" TransformationClaimType="outputClaim" />
</OutputClaims>
</ClaimsTransformation>
</ClaimsTransformations>
</BuildingBlocks>
<ClaimsProviders>
<ClaimsProvider>
<DisplayName>Facebook</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="Facebook-OAUTH">
<Metadata>
<Item Key="client_id">facebook_clientid</Item>
<Item Key="scope">email public_profile</Item>
<Item Key="ClaimsEndpoint">https://graph.facebook.com/me?fields=id,first_name,last_name,name,email</Item>
</Metadata>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Local Account SignIn</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="login-NonInteractive">
<Metadata>
<Item Key="client_id">Proxyapplicationid</Item>
<Item Key="IdTokenAudience">identityid</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="client_id" DefaultValue="Proxyapplicationid" />
<InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="identityid" />
</InputClaims>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
<ClaimsProvider>
<DisplayName>Token Issuer</DisplayName>
<TechnicalProfiles>
<!-- SAML Token Issuer technical profile -->
<TechnicalProfile Id="Saml2AssertionIssuer">
<DisplayName>Token Issuer</DisplayName>
<Protocol Name="SAML2" />
<OutputTokenFormat>SAML2</OutputTokenFormat>
<Metadata>
<Item Key="IssuerUri">testauth</Item>
</Metadata>
<CryptographicKeys>
<Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_testSAMLCert" />
<Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_testSAMLCert" />
</CryptographicKeys>
<InputClaims />
<OutputClaims />
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer" />
</TechnicalProfile>
<!-- Session management technical profile for SAML-based tokens -->
<TechnicalProfile Id="SM-Saml-issuer">
<DisplayName>Session Management Provider</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
</TechnicalProfile>
<TechnicalProfile Id="REST-AcquireAccessTokenForGraph">
<DisplayName>Acquire Token</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ServiceUrl">https://login.microsoftonline.com/testingorganization.onmicrosoft.com/oauth2/v2.0/token</Item>
<Item Key="AuthenticationType">Basic</Item>
<Item Key="SendClaimsIn">Form</Item>
</Metadata>
<CryptographicKeys>
<Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_MSGraphClientId" />
<Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_MSGraphClientSecret" />
</CryptographicKeys>
<InputClaims>
<InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" AlwaysUseDefaultValue="true" />
<InputClaim ClaimTypeReferenceId="scope" DefaultValue="https://graph.microsoft.com/.default" AlwaysUseDefaultValue="true" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
<!-- Call Microsoft Graph API to get group claims-->
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
<!--UserJourneys>
</UserJourneys-->
</TrustFrameworkPolicy>
2
Answers
only issue was my CryptographicKeys are expired.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api?tabs=windows&pivots=b2c-custom-policy
Refer to the example in the docs.
It is much simpler than what you have.
Can you log in as a user with that username and password? i.e. are the credentials correct?
For your input claims, are you using "client_credentials" as an input parameter or as a flow?
This is not how you invoke a client credentials flow.