Here is my aim: I would like to get an access token to call a web API from my SPA application.

I created 2 Azure B2C applications: one for the web API and the other for the SPA application (client).

I added scopes (api.read) by exposing an API in the web API application. I granted permission to these scopes from the SPA application.

I created one user flow with the Sign up and sign in policy.

To generate the token, I used the PKCE flow by getting an auth code.

POST https://tenant.b2clogin.com/tenant.onmicrosoft.com/policy/oauth2/v2.0/token

grant_type: authorization_code
client_id: api_appid
scope: https://tenant.onmicrosoft.com/web_api/api.read
redirect_uri: https://localhost:435
code:
code_verifier:

The thing is, I get the token, but while calling the web API, it gives an error like:

Either scp or roles claim need to be present in the token

What could be the problem?

Akhil737

1 Answer

I tried to reproduce the same in my environment and got the results below:

I registered one Azure AD B2C application for Web API and added scopes as below:

Now I created one SPA registration and added API permissions by granting consent like this:

I created a Sign up and sign in policy and ran the user flow as below:

When I signed in as a user, it gave me the auth code in the address bar like below:

I generated the access token via Postman with parameters like this:

POST https://tenant.b2clogin.com/tenant.onmicrosoft.com/policy/oauth2/v2.0/token

grant_type: authorization_code
client_id: SPA_appid
scope: https://tenant.onmicrosoft.com/web_api/api.read
redirect_uri: redirect_uri
code: code
code_verifier: code_verifier

When I decoded the token, I got the scp claim successfully like below:

Make sure to select Application as SPA App and resource as Web_api while running the user flow to get the auth code.

While generating the access token, you should give SPA_AppId in the client_id parameter.

Sridevi
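
An added example (not part of the original question or answer, and not Microsoft's code): a Node.js check that decodes an access token's payload and lists the reasons a web API would refuse it, including the missing `scp`/`roles` case from the question. The application IDs are placeholders, the sample tokens are constructed, and the claim names `aud`, `azp` and `scp` (with `scp` holding the short scope name) are assumptions about the B2C token layout.

```javascript
// Added diagnostic example. It does NOT verify the signature, so use it only to
// inspect a token you obtained yourself, never to authorize a request.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 segments)");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/"); // base64url -> base64
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// expected = { apiAppId, spaAppId, scope }: values from your own app registrations.
function diagnoseAccessToken(token, expected) {
  const claims = decodeJwtPayload(token);
  const scopes = typeof claims.scp === "string" ? claims.scp.split(" ").filter(Boolean) : [];
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const problems = [];
  if (scopes.length === 0 && roles.length === 0) {
    problems.push("no scp or roles claim: the API will reject this token");
  } else if (!scopes.includes(expected.scope)) {
    problems.push(`scp lacks "${expected.scope}"`);
  }
  if (claims.aud !== expected.apiAppId) {
    problems.push("aud is not the web API application ID");
  }
  if (claims.azp !== undefined && claims.azp !== expected.spaAppId) {
    problems.push("azp is not the SPA application ID (check client_id in the token request)");
  }
  return { scopes, problems };
}

// Constructed sample tokens (placeholder IDs, fake signature), built inline.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.constructed-signature`;
}

const EXPECTED = { apiAppId: "API_APP_ID", spaAppId: "SPA_APP_ID", scope: "api.read" };
// Shape the answer describes: scp present, token requested by the SPA client.
const goodToken = makeSampleToken({ aud: "API_APP_ID", azp: "SPA_APP_ID", scp: "api.read" });
// Constructed token reproducing the question's symptom: no scp claim at all.
const noScpToken = makeSampleToken({ aud: "API_APP_ID", azp: "API_APP_ID" });

console.log(diagnoseAccessToken(goodToken, EXPECTED));
console.log(diagnoseAccessToken(noScpToken, EXPECTED));
```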