
I have a requirement to provide API to our consumers. The intention is to secure the API using AzureAD B2C - Client Credential Grant flow.

I have created a custom policy on B2C tenant that provides the access token. Things work fine with the clientId and Secret authentication method.

I now want to secure the OAuth2 conversation further by allowing the client to use the signed client_assertion as opposed to static client secret using their protected key. I have uploaded the public portion of the key into the relevant app registration.

Unfortunately, consuming the /token endpoint with the signed client_assertion results in an error.

REQUEST

https://tenant.b2clogin.com/tenant.onmicrosoft.com/b2c_1a_demo_clientcredentialsflow/oauth2/v2.0/token

grant_type=client_credentials&scope=https%3A%2F%2Fapi%2F.default&client_id=d5339984-e6c7-457a-9ef9-21fb6e3e6c59&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJhbGciOiJo

RESPONSE

HTTP/1.1 400 Bad Request

{"error":"invalid_request","error_description":"AADB2C99027: Policy 'B2C_1A_Demo_ClientCredentialsFlow' does not contain a AuthorizationTechnicalProfile with a corresponding ClientAssertionType.\r\nCorrelation ID: 5eb76fa5-c919-4877-a722-0d38408e18c6\r\nTimestamp: 2023-01-19 07:38:25Z\r\n"}

Can someone please tell me if B2C is intended to support client assertions? Metadata JSON on the policy returns only the following two authentication methods:

"token_endpoint_auth_methods_supported": [ "client_secret_post", "client_secret_basic" ]

Is it possible to include private_key_jwt as a supported authentication method using custom policy configuration? Is it possible to configure the AuthorizationTechnicalProfile for the policy with a corresponding ClientAssertionType?

I hope that I have explained the problem well enough.

I have tried various strategies, including the use of the AAD token endpoint, login.microsoftonline.com, with the B2C tenant Id. Using that endpoint, the custom policy on B2C is completely ignored, therefore generating a vanilla token with none of my curated claims.

app arch
  • Also, https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-developer-notes#oauth-20-application-authorization-flows says that the Azure AD B2C client credentials flow is currently in preview. Does anyone know when this feature will be available in General Availability mode? – app arch Jan 23 '23 at 03:32
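For reference, the exchange the question attempts is the private_key_jwt client authentication of RFC 7523: the client signs a short-lived JWT with its own key and posts it as client_assertion in place of client_secret. The following is an added, self-contained illustration (not code from the question or from Microsoft): it generates a throw-away key pair and self-signed certificate, builds and signs the assertion with iss = sub = client_id and aud = the B2C token endpoint from the question, encodes the same form body the question posted, and shows the checks a token endpoint that does support client assertions would run before honouring the grant. The tenant, policy and client_id values are copied from the question; the certificate subject and five-minute lifetime are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Values copied from the question's request; the rest of this file is an added illustration.
const (
	tokenEndpoint = "https://tenant.b2clogin.com/tenant.onmicrosoft.com/b2c_1a_demo_clientcredentialsflow/oauth2/v2.0/token"
	clientID      = "d5339984-e6c7-457a-9ef9-21fb6e3e6c59"
	scope         = "https://api/.default"
	assertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
)

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ClientAssertionClaims is the payload of a private_key_jwt client assertion (RFC 7523, section 3).
type ClientAssertionClaims struct {
	Aud string `json:"aud"`
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Jti string `json:"jti"`
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
}

// NewSelfSignedCert makes a demo key pair plus a self-signed certificate; the DER certificate is
// the "public portion" that gets uploaded to the app registration. Demo only: real signing keys
// belong in an HSM or key vault, never on disk next to the client.
func NewSelfSignedCert() (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "demo-client"}, // assumed subject
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// BuildClientAssertion signs an RS256 JWT bound to one client (iss = sub = client_id) and one
// token endpoint (aud). x5t carries the SHA-1 thumbprint of the registered certificate so the
// server can pick the right key; a fresh jti and a short exp keep a captured assertion from
// being replayed later or elsewhere.
func BuildClientAssertion(key *rsa.PrivateKey, certDER []byte, audience, client string, now time.Time) (string, error) {
	thumb := sha1.Sum(certDER)
	header := map[string]string{"alg": "RS256", "typ": "JWT", "x5t": b64url(thumb[:])}
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil { return "", err }
	claims := ClientAssertionClaims{Aud: audience, Iss: client, Sub: client, Jti: b64url(jti),
		Nbf: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()}
	hj, _ := json.Marshal(header)
	cj, _ := json.Marshal(claims)
	signingInput := b64url(hj) + "." + b64url(cj)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return signingInput + "." + b64url(sig), nil
}

// TokenRequestBody is the form from the question with client_assertion replacing client_secret;
// it is POSTed as application/x-www-form-urlencoded to tokenEndpoint.
func TokenRequestBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("scope", scope)
	v.Set("client_id", clientID)
	v.Set("client_assertion_type", assertionType)
	v.Set("client_assertion", assertion)
	return v.Encode()
}

// VerifyClientAssertion is the server side: pin the algorithm (no "alg" confusion), verify the
// signature with the key registered for the client, then check that aud names this endpoint,
// iss/sub name the client_id in the form, and the assertion is inside its validity window.
func VerifyClientAssertion(assertion string, pub *rsa.PublicKey, wantAud, wantClient string, now time.Time) (*ClientAssertionClaims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed JWT") }
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil { return nil, err }
	var hdr map[string]string
	if json.Unmarshal(hdrRaw, &hdr) != nil || hdr["alg"] != "RS256" { return nil, fmt.Errorf("unexpected alg") }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil { return nil, err }
	var c ClientAssertionClaims
	if err := json.Unmarshal(payload, &c); err != nil { return nil, err }
	switch {
	case c.Aud != wantAud:
		return nil, fmt.Errorf("aud %q is not this token endpoint", c.Aud)
	case c.Iss != wantClient || c.Sub != wantClient:
		return nil, fmt.Errorf("iss/sub do not match client_id")
	case now.Unix() < c.Nbf || now.Unix() >= c.Exp:
		return nil, fmt.Errorf("assertion expired or not yet valid")
	}
	return &c, nil
}

func main() {
	key, der, err := NewSelfSignedCert()
	if err != nil { panic(err) }
	jwt, err := BuildClientAssertion(key, der, tokenEndpoint, clientID, time.Now())
	if err != nil { panic(err) }
	fmt.Println(TokenRequestBody(jwt))
	if _, err := VerifyClientAssertion(jwt, &key.PublicKey, tokenEndpoint, clientID, time.Now()); err != nil { panic(err) }
}
```

The form body printed by main has exactly the parameter set the question sent; what differs from a working deployment is only the verification step, which the question's B2C policy reports it has no AuthorizationTechnicalProfile for.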

1 Answer


TLDR: As of June 2022, Azure AD B2C does not support client assertions.

This issue on Github asks for documentation for error number AADB2C99027. In the course of the discussion, a member of the team states

Unfortunately, we decommissioned client_assertion flow because it didn't follow OIDC spec – So we shouldn't be documenting the error.

From that, I take it that there are no plans to support the client_assertion flow.

Markus