Following the guide here: Web sign-in with OpenID Connect -> Get A Token.
I'm trying to make a post request to access a token,
HTTP POST: url: https://login.microsoftonline.com/[az-directory].onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_SiUpIn
Post Body:
client_id: [client_id for Azure Function App]
grant_type: authorization_code
scope: https://[url-to-azure-app-api-endpoint] openid offline_access
code: [code retrieved from login url]
redirect_uri: http://[redirect-uri-used-in-login]
client_secret: [secret client id in azure functions]
My response is:
{
id_token:...
token_type:...
not_before:...
id_token_expires_in:...
profile_info:...
refresh_token:....
refresh_token_expires_in:...
}
None of the request body is an access_token despite the link saying that's what I would get.
I'm not sure how to proceed from here; is it possible I'm missing some sort of permission between my Azure AD B2C app and the Functions App it's meant to secure?
edit: upon further investigation I found the following:
The login URL you use affects what the resulting code token you get can do (makes sense). I'm trying something like:
https://login.microsoftonline.com/[ad directory name].onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_B2C&client_id=[client_id]&nonce=defaultNonce&redirect_uri=http://localhost:3000&scope=https://[api uri] openid offline_access&response_type=code+id_token&prompt=login
With the resulting code, if I make a post request to the token endpoint as described above, I get a refresh token and an ID token.
However, I also found that I don't need to send all the post parameters per the link; I get away with just passing grant_type, code and client_secret. Since the login call seems to actually control the scope of what you can access with the authorization code it returns, this sort of makes sense, but I'm not sure why the link above says you need to pass client_id, scope and redirect_uri.
I can use the ID token from this post request as an authorization bearer token to pass into my Azure Functions app, and I can use the refresh token to call into the refresh token endpoint to refresh the ID token, which I can grab from the result and continue to use in my Azure Functions app.
So my question becomes: Is this acceptable? Why are my findings so much different to what the link above says should be possible? Do I need an access token at all anymore?
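As an added example (not code from the question, the answers, or Microsoft's documentation), here is a Python helper that builds the code-for-token request with a scope exposed by the API and a check that only an access_token whose aud is the API is handed to the Functions app as a Bearer credential, which is the distinction the question turns on. The tenant name, both client IDs, the demo.read scope and the sample token responses are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholders, not real tenant or app values.
TENANT = "example-tenant"                                # stands in for [az-directory]
POLICY = "B2C_1_SiUpIn"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"       # web app registration
API_CLIENT_ID = "22222222-2222-2222-2222-222222222222"   # API registration (hypothetical)
API_SCOPE = f"https://{TENANT}.onmicrosoft.com/api/demo.read"   # hypothetical scope exposed by the API
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}.onmicrosoft.com/oauth2/v2.0/token?p={POLICY}"

def build_token_request(code, client_secret, redirect_uri, api_scope=API_SCOPE):
    """Form body for the authorization-code exchange POSTed to TOKEN_URL.
    The scope names a permission exposed by the API, not just
    'openid offline_access'; that is what makes B2C issue an access_token."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": f"{api_scope} openid offline_access",
    })

def peek_claims(jwt):
    """Decode a JWT payload WITHOUT verifying the signature: only for
    inspecting who a token was issued for, never for accepting it."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def api_bearer_token(token_response, api_client_id=API_CLIENT_ID):
    """Return the token that may go in 'Authorization: Bearer' to the API, else None.
    An id_token is addressed to the web app (aud == CLIENT_ID): it proves login
    to the client and is not a credential for the Functions app. Only an
    access_token whose aud is the API's own app ID qualifies."""
    access = token_response.get("access_token")
    if access and peek_claims(access).get("aud") == api_client_id:
        return access
    return None

def _unsigned_jwt(claims):
    """Constructed sample JWT with an empty signature, for the demo data below only."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."

# Constructed responses mirroring the two cases in the question.
ID_TOKEN_ONLY = {"id_token": _unsigned_jwt({"aud": CLIENT_ID, "sub": "user1"}), "refresh_token": "r1"}
WITH_ACCESS = dict(ID_TOKEN_ONLY, access_token=_unsigned_jwt({"aud": API_CLIENT_ID, "scp": "demo.read"}))
```

The Functions app should validate the access_token's signature, issuer and aud against the B2C policy's metadata before trusting it; peek_claims deliberately does none of that.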
About the first part of your question:
Personally I can connect to Azure AD and I can even connect to Azure B2C if I do not use a policy. But if I use a policy then I do not get the access_token.
According to the Azure B2C documentation, we can use the OpenID Connect protocol in order to connect to Azure.
And in the successful token response part of the specification it is said:
So I think you are not missing something, but from my point of view, because there is no access_token in the Azure B2C response, we can say that Azure B2C is not OpenID Connect compliant.
Now, I think that it should be possible to use a workaround by adding a specific scope to the "openid" scope in order to have an access_token, as is suggested by the Azure documentation:
Azure documentation on AD v2.0 limitations:
Azure documentation on tokens:
The Azure AD B2C: Call an ASP.NET Web API from an ASP.NET Web App sample provides a step-by-step guide to: