
Is it possible for AD B2C to be utilized for non-interactive authentication? I.e. I want to pass in a username (email ID)/password and be authenticated into an application (not an API backend but a web application, bypassing a login flow: basically auto-login without user interaction, with a username/password, and a redirect to a resource).

I have used ROPC for the backend API; could that be utilized, or is there any other way?

Can we get access and ID tokens from a call similar to:

    https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize?
    client_id=<application-ID>
    &nonce=anyRandomValue
    &redirect_uri=https://jwt.ms
    &scope=<application-ID-URI>/<scope-name>
    &response_type=code

without the interactive flow and providing a redirect URL.

Thanks

user14013917

1 Answer

Yes, you can use the same flow for a web application too to get access and ID tokens non-interactively.

I tried to reproduce the same in my environment and got the results below:

I registered one web application in my B2C tenant and added the Redirect URI in the Web platform like below:

[screenshot omitted]

In the Manifest, make sure to enable the implicit flow like below:

[screenshot omitted]

I exposed one API and granted that API permission to the WebApp like below:

[screenshot omitted]

Now, I created one resource owner user flow as below:

[screenshot omitted]

I got both access and ID tokens successfully via Postman with the parameters below:

    POST https://b2ctenantname.b2clogin.com/b2ctenantname.onmicrosoft.com/<ROPC_policyname>/oauth2/v2.0/token
    client_id: <App_ID>
    redirect_uri: https://jwt.ms
    grant_type: password
    username: <UPN_of_B2C user>
    password: xxxxxxxxxxxx
    scope: openid https://b2ctenantname.onmicrosoft.com/appID/Custom.Scope
    response_type: token id_token

Response:

[screenshot omitted]

When I decoded the above access token, I got the scp claim successfully with the custom scope as below:

[screenshot omitted]

Sridevi
  • Thank you very much. I want to be able to use this access token to allow automatic login to the UI screens (not be challenged with the AD B2C login). The call to the API I currently have with my ROPC flow; is it possible to use this access_token to continue to the UI flow (redirect_url)? Web page 1 --> b2c../oauth2/v2.0/token --> access_token --> web app 2 (it uses AD B2C), but since it has the access_token it should bypass the login screen. Appreciate any pointers. – user14013917 Dec 13 '22 at 01:20
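The following Python script is an added example, not code from the question or the answer. It builds the same ROPC request the answer sends from Postman (token endpoint, `grant_type=password`, `scope`, `response_type`), and then does what the answer did with jwt.ms: decodes the returned access token and checks that the `scp` claim carries the custom scope and that `aud` is the API the scope belongs to. Tenant name, policy name, app IDs and the sample token are placeholders or constructed values; `urllib` is used for the POST, and signature verification against the B2C signing keys is deliberately left out of this inspection helper.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholders (assumptions): replace with your own tenant, ROPC user flow, app IDs and scope.
TENANT = "b2ctenantname"
ROPC_POLICY = "B2C_1_ROPC"          # hypothetical ROPC user-flow name
CLIENT_APP_ID = "<App_ID>"          # the web app that asks for the token
API_APP_ID = "<API_App_ID>"         # the exposed API; appears as the token's aud
SCOPE = f"openid https://{TENANT}.onmicrosoft.com/{API_APP_ID}/Custom.Scope"


def token_endpoint(tenant: str, policy: str) -> str:
    """B2C token endpoint for a given user flow (same shape as the answer's POST URL)."""
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/token")


def ropc_form(client_id: str, username: str, password: str, scope: str) -> dict:
    """Form fields of the resource owner password credentials grant.
    redirect_uri is not required: the tokens come back in the JSON response body."""
    return {
        "client_id": client_id,
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": scope,
        "response_type": "token id_token",
    }


def request_tokens(tenant: str, policy: str, form: dict) -> dict:
    """POST the ROPC request and return the parsed JSON (network call; not run offline)."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        token_endpoint(tenant, policy), data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWS without verifying it (inspection only, like jwt.ms)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_scope(access_token: str, expected_aud: str, required_scope: str) -> bool:
    """True if the token is addressed to expected_aud and its scp claim lists required_scope.
    B2C issues scp as space-separated scope names, e.g. "Custom.Scope".
    Issuer, expiry and signature must still be validated against the B2C metadata before trust."""
    claims = decode_jwt_payload(access_token)
    scopes = set(claims.get("scp", "").split())
    return claims.get("aud") == expected_aud and required_scope in scopes


def make_sample_jwt(payload: dict) -> str:
    """Build a constructed, unsigned sample token so the inspection path can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.signature-placeholder"


if __name__ == "__main__":
    # Constructed sample mirroring the claims the answer saw after decoding its access token.
    sample = make_sample_jwt({"aud": API_APP_ID, "scp": "Custom.Scope",
                              "tfp": ROPC_POLICY, "iss": f"https://{TENANT}.b2clogin.com/"})
    print(token_endpoint(TENANT, ROPC_POLICY))
    print(ropc_form(CLIENT_APP_ID, "user@example.com", "<password>", SCOPE))
    print("scope present:", check_scope(sample, API_APP_ID, "Custom.Scope"))
```

To run it against a real tenant, call `request_tokens(TENANT, ROPC_POLICY, ropc_form(...))` and pass the `access_token` field of the result to `check_scope`; the decoded claims are enough to confirm the scope was granted, but the web app at the other end should still validate the signature and issuer before treating the token as proof of login.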