1
votes

I have an Azure B2C Custom Policy to sign up. And when I try to get a refresh token I receive this error:

{"error":"invalid_request","error_description":"AADB2C90079: Clients must send a client_secret when redeeming a confidential grant.\r\nCorrelation ID: 776e4226-467b-4648-b7f7-a9c09715fd68\r\nTimestamp: 2017-10-31 21:12:56Z\r\n"}

I'm logging in using this url:

https://login.microsoftonline.com/<MyTenant>.onmicrosoft.com/oauth2/authorize?
p=B2C_1A_signup_signin
&client_id=<MyB2CAppID>
&nonce=defaultNonce
&redirect_uri=http%3A%2F%2Flocalhost%3A4200
&scope=openid+offline_access
&response_type=code
&prompt=login

With the code obtained from the previous url I try to get the access token with this url:

https://login.<MyTenant>.com/exob2ctest.onmicrosoft.com/oauth2/v2.0/token?
p=B2C_1A_signup_signin
&grant_type=authorization_code
&client_id=<MyB2CAppID>
&redirect_uri=urn:ietf:wg:oauth:2.0:oo
&code=<MyCode>
&scope=openid%20offline_access
&client_secret=<MyB2CAppSecret>

After that I'm receiving the error. For the client_secret parameter I'm using the key generated on the B2C application referenced in client_id. When I tried this with built-in policies I got the refresh token without problems. Could something be missing in my custom policies?

Thanks in advance!

1
Did you try to download your Built-In policy and review it? Sometimes it gives you some hints. - spottedmahn
Can you confirm that you are sending the request to /token as a POST request with everything except the p=B2C_1A_signup_signin as the x-www-form-urlencoded body? - Saca
Also, to make sure there is no difference in the requests, you can capture both requests in Fiddler (with built-in and custom policies) and compare to see if there is any difference. - Omer Iqbal
Thanks! Using the policy on the URL and the rest of the parameters in the x-www-form-urlencoded body solved it. - Germán Svriz
Glad to hear that, can you upvote the answer and flag the question as answered please? - Saca

1 Answer

2
votes

You need to send your request to the /token endpoint as a POST request with the policy parameter as a query string parameter and the rest in the x-www-form-urlencoded body.
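
The request shape described in this answer, as an added example that is not part of the original answer. It builds the POST without sending it. The host is taken from the question's authorize URL and the path from its token URL, which is an assumption; the function names and all sample values are hypothetical placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs
from urllib.request import Request


def build_token_request(tenant, policy, client_id, client_secret, code, redirect_uri):
    """Build (but do not send) the B2C authorization-code redemption request."""
    # Only the policy name travels in the query string.
    # Host and path are assumed from the URLs quoted in the question.
    url = (
        f"https://login.microsoftonline.com/{tenant}.onmicrosoft.com"
        "/oauth2/v2.0/token?" + urlencode({"p": policy})
    )
    # Everything else, including the secret and the code, goes in the form body,
    # which keeps both out of URLs recorded by proxies and server access logs.
    form = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        # RFC 6749 section 4.1.3: must be identical to the redirect_uri
        # that was sent on the /authorize request.
        "redirect_uri": redirect_uri,
        "scope": "openid offline_access",
    }
    return Request(
        url,
        data=urlencode(form).encode("ascii"),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def secret_leaks_into_url(req):
    """True if the client secret or the auth code ended up in the query string."""
    query = parse_qs(urlsplit(req.full_url).query)
    return "client_secret" in query or "code" in query


if __name__ == "__main__":
    # Constructed placeholder values; nothing is sent over the network.
    req = build_token_request(
        "contoso", "B2C_1A_signup_signin", "APP-ID-PLACEHOLDER",
        "SECRET-PLACEHOLDER", "CODE-PLACEHOLDER", "http://localhost:4200",
    )
    print(req.get_method(), req.full_url)
    print(req.get_header("Content-type"))
    print("secret in URL:", secret_leaks_into_url(req))
```

Passing the returned object to `urllib.request.urlopen` sends it; a 4xx response raises `urllib.error.HTTPError`, whose body carries the AADB2C error JSON.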