Calling /token endpoint does not give me an access

Published 2019-07-28 21:56

Question:

Following the guide here: Web sign-in with OpenID Connect -> Get A Token.

I'm trying to make a POST request to get a token:

HTTP POST: url: https://login.microsoftonline.com/[az-directory].onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_SiUpIn

Post Body:

client_id: [client_id for Azure Function App]

grant_type: authorization_code

scope: https://[url-to-azure-app-api-endpoint] openid offline_access

code: [code retrieved from login url]

redirect_uri: http://[redirect-uri-used-in-login]

client_secret: [secret client id in azure functions]

My response is:

{
   id_token: ...
   token_type: ...
   not_before: ...
   id_token_expires_in: ...
   profile_info: ...
   refresh_token: ...
   refresh_token_expires_in: ...
}

None of the request body is an access_token despite the link saying that's what I would get.

I'm not sure how to proceed from here, is it possible I'm missing some sort of permission between my Azure AD B2C app and the Functions App it's meant to secure?

edit: upon further investigation I found the following:

The login URL you use affects what the resulting code token you get can do (which makes sense). I'm trying something like:

https://login.microsoftonline.com/[ad directory name].onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_B2C&client_id=[client_id]&nonce=defaultNonce&redirect_uri=http://localhost:3000&scope=https://[api uri] openid offline_access&response_type=code+id_token&prompt=login

With the resulting code, if I make a POST request to the token endpoint as described above, I get a refresh token and an ID token.

However, I also found that I don't need to send all the POST parameters per the link; I get away with just passing grant_type, code and client_secret. Since the login call seems to actually control the scope of what you can access with the authorization code it returns, this sort of makes sense, but I'm not sure why the link above says you need to pass client_id, scope and redirect_uri.

I can use the ID token from this POST request as an authorization bearer token to pass into my Azure Functions app, and I can use the refresh token to call the refresh token endpoint to refresh the ID token, which I can grab from the result and continue to use in my Azure Functions app.

So my question becomes: Is this acceptable? Why are my findings so different from what the link above says should be possible? Do I need an access token at all anymore?
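The exchange described in the question, as an added example that is not part of the original post: it builds the authorization_code request body with all the parameters the guide lists (including the API scope next to openid and offline_access), posts it to the B2C token endpoint, and then reports which tokens the response actually contained and what audience the id_token is addressed to. The tenant, policy name, API scope URI, client values and the sample response below are constructed placeholders, not values from the question.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed placeholders for the values the question elides; replace with your own.
TENANT = "example-tenant.onmicrosoft.com"
POLICY = "B2C_1_SiUpIn"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token?p={POLICY}"
API_SCOPE = "https://example-tenant.onmicrosoft.com/api/read"  # hypothetical API scope URI


def build_token_request(client_id, client_secret, code, redirect_uri, api_scope=API_SCOPE):
    """Return the form-encoded body for the authorization_code grant.

    The scope names the API as well as openid/offline_access: an access token is only
    issued for a resource the request (and the preceding authorize call) actually asked for.
    """
    params = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "scope": f"{api_scope} openid offline_access",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_secret": client_secret,
    }
    return urllib.parse.urlencode(params)


def request_token(body):
    """POST the encoded body to the token endpoint and return the parsed JSON (network call)."""
    req = urllib.request.Request(
        TOKEN_ENDPOINT,
        data=body.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying it; for inspecting a response you just received."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def classify_token_response(resp):
    """Report which tokens came back, plus the id_token audience and access_token scopes."""
    report = {
        "has_access_token": "access_token" in resp,
        "has_id_token": "id_token" in resp,
        "has_refresh_token": "refresh_token" in resp,
    }
    if "id_token" in resp:
        report["id_token_aud"] = jwt_payload(resp["id_token"]).get("aud")
    if "access_token" in resp:
        report["access_token_scp"] = jwt_payload(resp["access_token"]).get("scp")
    return report


def _fake_jwt(payload):
    """Build an unsigned, constructed JWT purely as sample input for the classifier."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


# Constructed sample mirroring the shape of the response in the question: no access_token.
SAMPLE_RESPONSE = {
    "id_token": _fake_jwt({"aud": "client-app-id", "sub": "user-1"}),
    "token_type": "Bearer",
    "refresh_token": "constructed-refresh-token",
}

if __name__ == "__main__":
    body = build_token_request("client-app-id", "client-secret", "auth-code", "http://localhost:3000")
    print(body)
    print(classify_token_response(SAMPLE_RESPONSE))
```

Running the classifier on the sample shows has_access_token False and an id_token whose aud is the client app's own id, which is exactly what an ID token is for: it is addressed to the web app, not to the API. To call request_token() for real, replace the placeholders with your tenant, policy, client id and secret and the code from the authorize redirect.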

Answer 1:

The Azure AD B2C: Call an ASP.NET Web API from an ASP.NET Web App sample provides a step-by-step guide to:

  1. Registering the web app and the web API with Azure AD B2C.
  2. Permitting access by the web app to the web API in Azure AD B2C.
  3. Configuring the web app and the web API with the required settings.
  4. Acquiring an access token by the web app for use with the web API.


Answer 2:

About the first part of your question:

I'm not sure how to proceed from here, is it possible I'm missing some sort of permission between my Azure AD B2C app and the Functions App it's meant to secure?

Personally I can connect to Azure AD and I can even connect to Azure B2C if I do not use a policy. But if I use a policy then I do not get the access_token.

According to the Azure B2C documentation, we can use the OpenID Connect protocol in order to connect to Azure.

And in the successful token response part of the specification it says:

After receiving and validating a valid and authorized Token Request from the Client, the Authorization Server returns a successful response that includes an ID Token and an Access Token.

So I think you are not missing anything, but in my point of view, because there is no access_token in the Azure B2C response, we can say that Azure B2C is not OpenID Connect compliant.

Now, I think that it should be possible to use a workaround by adding a specific scope to the "openid" scope in order to get an access_token, as suggested by the Azure documentation:

Azure documentation on AD v2.0 limitations :

The OpenID Connect UserInfo endpoint is not implemented on the v2.0 endpoint. However, all user profile data that you potentially would receive at this endpoint is available from the Microsoft Graph /me endpoint.

Azure documentation on tokens:

The v2.0 endpoint allows third party apps that are registered with Azure AD to issue access tokens for secured resources such as Web APIs. For more information about setting up an application to issue access tokens, please see How to register an app with the v2.0 endpoint. Upon registering the application with the v2.0 endpoint, the developer can specify levels of access, called scopes, for which access tokens may be issued. For example, the calendars.read scope defined in the Microsoft Graph API grants permission to read the user's calendar.
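The documentation quoted above ties access tokens to scopes declared for the API, and the question describes sending the ID token to the Functions app instead. The following added example (not code from the question, the answers or Microsoft) shows the check the protected API would make to tell the two apart: it verifies the token signature, requires the audience to be the API's own application id, checks expiry, and requires a scp claim granting the endpoint's scope. An ID token is addressed to the client app and carries no scp, so it fails that check. The API id, scope name, signing key and tokens are constructed; to keep the example self-contained it signs with HS256 under a demo key, whereas real B2C tokens are RS256-signed and must be verified against the policy's published JWKS keys.

```python
import base64
import hashlib
import hmac
import json
import time

API_APP_ID = "api-app-id"      # constructed: the API's own application (client) id
REQUIRED_SCOPE = "api.read"    # constructed: the scope this endpoint requires
# Constructed HS256 key so the example verifies signatures offline. Real B2C tokens are
# RS256-signed; verify them against the JWKS document referenced by the policy's metadata.
DEMO_KEY = b"demo-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_demo_token(claims):
    """Create a constructed HS256 JWT with the given claims (sample input only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def check_bearer_token(token, now=None):
    """Return (accepted, reason). Accept only a signed access token issued for this API."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    # Signature first: nothing in the payload can be trusted before this passes.
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    # An ID token's aud is the client app that requested sign-in, not this API.
    if claims.get("aud") != API_APP_ID:
        return False, "audience is not this API"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # Access tokens carry the granted scopes in scp (space-separated); ID tokens have none.
    scopes = claims.get("scp", "").split()
    if REQUIRED_SCOPE not in scopes:
        return False, "no scp claim granting the required scope"
    return True, "ok"


if __name__ == "__main__":
    now = time.time()
    # Constructed tokens: one shaped like an ID token, one like an API access token.
    id_token = mint_demo_token({"aud": "client-app-id", "sub": "user-1", "exp": now + 3600})
    access_token = mint_demo_token({"aud": API_APP_ID, "scp": "api.read", "exp": now + 3600})
    print("id token as bearer:    ", check_bearer_token(id_token))
    print("access token as bearer:", check_bearer_token(access_token))
```

The order of checks matters: signature, then audience, then expiry, then scope, so a token that was never issued for this API is rejected before its claims influence anything. The sample ID token is refused with "audience is not this API", which is why acquiring an access token for the API (the scope-and-permission setup described in Answer 1) rather than reusing the ID token is the intended path.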