Request Access Token in Postman for Azure AD B2C

Using @Chris Padgett's answer, I was able to get it working using the Implicit Grant Type (couldn't get it working w/ Authorization Code Gran Type).

Grant Type: Implicit

Callback URL: any URL defined in my B2C app

Auth URL: https://login.microsoftonline.com/te/{tenant}/{policy}/oauth2/v2.0/authorize

Client ID: Application ID from my B2C app

Scope: https://{tenant}.onmicrosoft.com/{web api app id uri}/{scope name}

Client Authentication: Either one, it didn't matter

2020-05-26 UPDATE

Microsoft changed the login URL for Azure Active Directory B2C as you can see here.

So @spottedmahn answer has to be updated to:

Grant Type: Implicit

Callback URL: any URL defined in my B2C app

Auth URL: https://{tenant}.b2clogin.com/te/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize

Client ID: Application ID from my B2C app

Scope: https://{tenant}.onmicrosoft.com/{web api app id uri}/{scope name}

Client Authentication: Either one, it didn't matter

For the Auth URL field, you only have to enter the authorization endpoint URL without the query string parameters:

https://login.microsoftonline.com/te/{tenant}/{policy}/oauth2/v2.0/authorize

For the Access Token URL field:

https://login.microsoftonline.com/te/{tenant}/{policy}/oauth2/v2.0/token

For the Callback URL field, you must enter a reply URL that is registered with the Azure AD B2C application, such as:

https://www.getpostman.com/oauth2/callback

For the Scope field, enter "openid" as well as any API access scopes.

For the Client Authentication field, select "Send client credentials in body".

Getting this setup was a bit of a headache. Here's what I stitched together from the answers in this thread, updated to take advantage of Postman's Grant Type: Authorization Code (With PKCE)

Credit also goes out to https://blogs.aaddevsup.xyz/2020/08/performing-azure-ad-oauth2-authorization-code-grant-flow-with-pkce-in-postman/ for the starting point.

Using: Azure B2C Tenant, JS SPA frontend, Azure Function backend.

Azure Portal (Azure AD B2C)

• Setup for the SPA and backend is more or less as described in this MS document (Careful, some parts are out of date!) : https://docs.microsoft.com/en-us/azure/api-management/howto-protect-backend-frontend-azure-ad-b2c

• @ SPA application registration > Authentication blade > Add this value to 'Single-page application Redirect URIs' https://oauth.pstmn.io/v1/callback

• @ Azure AD B2C | App registrations, click on 'endpoints' (blue globe icon @ top)

• Record Azure AD B2C OAuth 2.0 token endpoint (v2) and Azure AD B2c 2.0 authorization endpoint (v2)

Postman

• Authorization: Oauth 2.0
• Add auth data to: Request Headers

Configure New Token

• Token Name: WhateverYouWant

• Grant Type: Auth Code with PKCE

• CallbackURL: https://oauth.pstmn.io/v1/callback

• [ ] Authorize using browser (Unchecked)

• Auth URL: https://< tenant-name >.b2clogin.com/< tenant-name >.onmicrosoft.com/< policy-name> /oauth2/v2.0/authorize

• Access Token URL: https://< tenant-name >.b2clogin.com/< tenant-name >.onmicrosoft.com/< policy-name >/oauth2/v2.0/token

• Client ID: < your-SPA-Application-ID-aka-client-ID >

• Client Secret : < EMPTY >

• Code Challenge Method: SHA-256

• Code Verifier: < EMPTY >

• State: < EMPTY >

• Scope: something like < tenant name >.onmicrosoft.com/Hello

• Client Authentication: Send client credentials in body

• click [Clear cookies] and [Get New Access Token]

I just want to add some extra information for prosperity since I have recently spent way too long trying to resolve an issue relating to the error AADB2C90085 and this question is one of the few results on Google.

Update

Following Chris's answer, I'm now past the above error. I'm able to sign-in but still can't get an access token:

AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again. Correlation ID: 45c56d47-4739-465f-8e02-49ba5b3a1b86 Timestamp: 2017-11-16 15:27:52Z

And:

Using @Chris Padgett's answer, I was able to get it working using the Implicit Grant Type (couldn't get it working w/ Authorization Code Gran Type).

I received this error when using authorization code flow because my B2C_1A_TokenSigningKeyContainer and B2C_1A_TokenEncryptionKeyContainer were incorrectly generated. Once I followed the guide at Get started with custom policies in Azure Active Directory B2C the error stopped occurring.

Relevant excerpt from the link:

Create the signing key

1. Select Policy Keys and then select Add.
2. For Options, choose Generate.
3. In Name, enter TokenSigningKeyContainer. The prefix B2C_1A_ might be added automatically.
4. For Key type, select RSA.
5. For Key usage, select Signature.
6. Click Create.

Create the encryption key

1. Select Policy Keys and then select Add.
2. For Options, choose Generate.
3. In Name, enter TokenEncryptionKeyContainer. The prefix B2C_1A_ might be added automatically.
4. For Key type, select RSA.
5. For Key usage, select Encryption.
6. Click Create.

I could get B2C Request Access Token in Postman working for both grant types: grant_type=implicit and as well grant_type=authorization_code. I've opened accordingly an issue regarding the MS documentation:

• Update documentation and mention that grant_type=authorization_code"is possible as well (see description): https://github.com/aspnet/Docs/issues/10336

The following changes were necessary:

The only differences between grant_type=implicit and grant_type=authorization_code are that grant_type=authorization_code needs some more parameters as follows:

• Access Token (access token request) URL: https://login.microsoftonline.com/"tenant-name".onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_"name-of-your-signup-signin-flow"

• client_secret: generate a key for your application: Azure Portal -> Azure AD B2C -> Applications -> -> Keys -> Generate Key