1

We've been following the guide Set up a resource owner password credentials flow in Azure Active Directory B2C to retrieve an access token from a user by username (email) / password. The request is successful and we get a valid response.

Decoded access-token

The issue we're having is when we're trying to use this access token to make a Graph API call, for instance creating another user in B2C.

Error response Graph API

The problem seems to be that Graph API requires an x5t claim which is not included in a v2 access token (as far as we understand). However, in the body of the JWT it is stated that it's a v1 token, even though the header suggests a v2 and our app-registration manifest is specified to version 2.

Request to fetch access-token:

https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token

How can we use the access token we receive from B2C using the ROPC user flow in Graph API?

xPadde
  • Your token lacks permissions. – Carl Zhao Apr 12 '21 at 13:10
  • AAD B2C tokens cannot be used against MS Graph API, they are for your own API. I can guarantee the audience in your decoded access token is not “graph.Microsoft.com”. Graph API only accepts tokens issued by Azure AD endpoints. Describe what you’re trying to achieve overall. For reference: https://stackoverflow.com/a/62693315/8357357 – Jas Suri - MSFT Apr 12 '21 at 16:52
  • @JasSuri-MSFT Our scenario is as follows: We are creating an application where users should be able to log in with their email address and password that map to local accounts in an AD/B2C. It is essential that we have our own login page with no redirect to Microsoft login. Some users can be admins that in turn can create other users in the Azure AD/B2C (from our application). When admins create this new user we only want to create a local account in the AD/B2C. To do this we need Microsoft Graph. So how/what are we to use so our user/application can do the above? – xPadde Apr 13 '21 at 10:03
  • My link explains it, use AAD documentation to access MS Graph against your AAD B2C directory. – Jas Suri - MSFT Apr 13 '21 at 13:08

2 Answers

1

What @Jas Suri said is right, MS Graph API only accepts tokens issued by Azure AD endpoints. Therefore, you should use the ROPC flow specific to Azure AD. The ROPC flow of Azure AD B2C is often used to obtain your custom api token instead of the MS Graph API token.

[screenshot]

Parse the token:

[screenshot]

[screenshot]

Call ms graph api:

[screenshot]

Carl Zhao
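The comments and the accepted answer both come down to one check: look at who issued the token and for which audience. The script below is an added example (not from the question, the answer, or Microsoft) that decodes a JWT without verifying its signature and reports whether it is a B2C token for your own API or an Azure AD token whose audience is Microsoft Graph. The two sample tokens, their tenant IDs, client IDs and signatures are constructed for the example; the heuristics (issuer on `b2clogin.com`, presence of the `tfp` policy claim, Graph's well-known audience values) are assumptions about typical token shapes, not a substitute for real validation on a resource server.

```python
import base64
import json
from typing import Dict, List, Tuple

# Audience values Microsoft Graph issues tokens for: the resource URL and the
# Graph application ID (00000003-0000-0000-c000-000000000000).
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWS and JSON-decode its header and payload.

    The signature is NOT checked here; this is only for inspecting claims
    to understand which endpoint minted the token and for whom.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def classify_token(token: str) -> Dict:
    """Report issuer, audience, version and whether Graph would accept it."""
    header, payload = decode_jwt_unverified(token)
    iss = payload.get("iss", "")
    aud = payload.get("aud", "")
    audiences: List[str] = aud if isinstance(aud, list) else [aud]

    # B2C user-flow tokens are issued from <tenant>.b2clogin.com and carry the
    # policy name in the 'tfp' claim (assumption: typical B2C token shape).
    issued_by_b2c = "b2clogin.com" in iss or "tfp" in payload
    graph_audience = any(a in GRAPH_AUDIENCES for a in audiences)

    return {
        "issuer": iss,
        "audience": audiences,
        "version": payload.get("ver"),
        "has_x5t": "x5t" in header,
        "issued_by_b2c": issued_by_b2c,
        "graph_audience": graph_audience,
        # Graph accepts tokens issued by Azure AD endpoints for the Graph audience.
        "usable_for_graph": graph_audience and not issued_by_b2c,
    }


def _make_token(header: Dict, payload: Dict) -> str:
    # Constructed token with a dummy signature; only used as sample input.
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"constructed-signature"),
    ])


# Constructed sample: what a B2C ROPC user-flow token for your own API looks like.
B2C_TOKEN = _make_token(
    {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"},
    {
        "iss": "https://contoso.b2clogin.com/11111111-1111-1111-1111-111111111111/v2.0/",
        "aud": "22222222-2222-2222-2222-222222222222",  # your API's client ID (constructed)
        "tfp": "B2C_1_ROPC_Auth",
        "ver": "1.0",
        "sub": "constructed-user-object-id",
    },
)

# Constructed sample: what an Azure AD token for Microsoft Graph looks like.
AAD_GRAPH_TOKEN = _make_token(
    {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid", "x5t": "constructed-kid"},
    {
        "iss": "https://sts.windows.net/11111111-1111-1111-1111-111111111111/",
        "aud": "https://graph.microsoft.com",
        "ver": "1.0",
        "sub": "constructed-user-object-id",
    },
)


if __name__ == "__main__":
    for name, tok in (("B2C token", B2C_TOKEN), ("AAD Graph token", AAD_GRAPH_TOKEN)):
        print(name, json.dumps(classify_token(tok), indent=2))
```

Run it against a token copied from your own response body: if `issued_by_b2c` is true or `graph_audience` is false, the token was minted for your API and Graph will reject it, which is the situation in the question. In production the resource that consumes the token still has to validate the signature against the issuer's JWKS and check `aud`, `iss` and expiry; this script only explains the failure, it does not authorize anything.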
0

I need exactly the same, but when I try to get the token, it throws an error saying

"AADSTS90036: An unexpected, non-retryable error stemming from the directory service has occurred.\r\nTrace ID: 370a1713-c5bc-4e97-b013-70cdcd453c01\r\nCorrelation ID: 3fcf1bfb-eee7-44eb-a38f-8e024455dfa0\r\nTimestamp: 2022-10-09 17:13:10Z"