Request Access Token in Postman for Azure AD B2C

Using @Chris Padgett's answer, I was able to get it working using the Implicit Grant Type (couldn't get it working w/ Authorization Code Grant Type).


Grant Type: Implicit

Callback URL: any URL defined in my B2C app

Auth URL: https://{tenant}.b2clogin.com/te/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize

Client ID: Application ID from my B2C app

Scope: https://{tenant}.onmicrosoft.com/{web api app id uri}/{scope name}

Client Authentication: Either one, it didn't matter


Getting this set up was a bit of a headache. Here's what I stitched together from the answers in this thread, updated to take advantage of Postman's Grant Type: Authorization Code (With PKCE).

Credit also goes out to https://blogs.aaddevsup.xyz/2020/08/performing-azure-ad-oauth2-authorization-code-grant-flow-with-pkce-in-postman/ for the starting point.

Using: Azure B2C Tenant, JS SPA frontend, Azure Function backend.

Azure Portal (Azure AD B2C)

  • Setup for the SPA and backend is more or less as described in this MS document (Careful, some parts are out of date!): https://docs.microsoft.com/en-us/azure/api-management/howto-protect-backend-frontend-azure-ad-b2c

  • @ SPA application registration > Authentication blade > Add this value to 'Single-page application Redirect URIs' https://oauth.pstmn.io/v1/callback

  • @ Azure AD B2C | App registrations, click on 'endpoints' (blue globe icon @ top)

  • Record Azure AD B2C OAuth 2.0 token endpoint (v2) and Azure AD B2C 2.0 authorization endpoint (v2)

Postman

  • Authorization: OAuth 2.0
  • Add auth data to: Request Headers

Configure New Token

  • Token Name: WhateverYouWant

  • Grant Type: Auth Code with PKCE

  • CallbackURL: https://oauth.pstmn.io/v1/callback

  • [ ] Authorize using browser (Unchecked)

  • Auth URL: https://< tenant-name >.b2clogin.com/< tenant-name >.onmicrosoft.com/< policy-name >/oauth2/v2.0/authorize

  • Access Token URL: https://< tenant-name >.b2clogin.com/< tenant-name >.onmicrosoft.com/< policy-name >/oauth2/v2.0/token

  • Client ID: < your-SPA-Application-ID-aka-client-ID >

  • Client Secret: < EMPTY >

  • Code Challenge Method: SHA-256

  • Code Verifier: < EMPTY >

  • State: < EMPTY >

  • Scope: something like < tenant name >.onmicrosoft.com/Hello

  • Client Authentication: Send client credentials in body

  • click [Clear cookies] and [Get New Access Token]
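What Postman does behind those settings is the Authorization Code with PKCE exchange against the two B2C endpoints. The following Python is an added example, not code from this thread or from Postman; the tenant, policy, client ID and scope are constructed placeholders, and the S256 challenge is the one defined in RFC 7636.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholder values; substitute your own tenant, policy and app ID.
TENANT = "contoso"
POLICY = "B2C_1_signupsignin"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://oauth.pstmn.io/v1/callback"
SCOPE = f"openid https://{TENANT}.onmicrosoft.com/api/Hello"
BASE = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{POLICY}/oauth2/v2.0"

def b64url(data):
    """Base64url without '=' padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier():
    # 32 random bytes encode to 43 chars, the minimum length RFC 7636 allows.
    return b64url(secrets.token_bytes(32))

def code_challenge_s256(verifier):
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(verifier, state):
    """Step 1: the browser is sent here; only the challenge leaves the client."""
    params = {
        "client_id": CLIENT_ID, "response_type": "code",
        "redirect_uri": REDIRECT_URI, "scope": SCOPE, "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{BASE}/authorize?{urlencode(params)}"

def check_callback(query, expected_state):
    """Step 2: reject a callback whose state does not match the one we issued."""
    if query.get("state") != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale callback")
    if "error" in query:
        raise ValueError(f"{query['error']}: {query.get('error_description', '')}")
    return query["code"]

def build_token_request(code, verifier):
    """Step 3: POST body for the token endpoint. A public client sends no secret;
    the verifier proves this is the same client that started the flow."""
    body = {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "code": code, "redirect_uri": REDIRECT_URI, "code_verifier": verifier}
    return f"{BASE}/token", body
```

The empty Client Secret and Code Verifier fields in Postman correspond to the public-client token body above: Postman generates the verifier itself and the B2C token endpoint checks it against the challenge sent in step 1.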


For the Auth URL field, you only have to enter the authorization endpoint URL without the query string parameters:

https://login.microsoftonline.com/te/{tenant}/{policy}/oauth2/v2.0/authorize

For the Access Token URL field:

https://login.microsoftonline.com/te/{tenant}/{policy}/oauth2/v2.0/token

For the Callback URL field, you must enter a reply URL that is registered with the Azure AD B2C application, such as:

https://www.getpostman.com/oauth2/callback

For the Scope field, enter "openid" as well as any API access scopes.

For the Client Authentication field, select "Send client credentials in body".


2020-05-26 UPDATE

Microsoft changed the login URL for Azure Active Directory B2C as you can see here.

So @spottedmahn's answer has to be updated to:

Grant Type: Implicit

Callback URL: any URL defined in my B2C app

Auth URL: https://{tenant}.b2clogin.com/te/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize

Client ID: Application ID from my B2C app

Scope: https://{tenant}.onmicrosoft.com/{web api app id uri}/{scope name}

Client Authentication: Either one, it didn't matter