Azure B2C token scope permission issue


When I try to get a token with a scope inside it, I get a "This application does not have sufficient permissions against this web resource to perform the operation" error.

Failing call:
https://xx.b2clogin.com/xx.onmicrosoft.com/oauth2/v2.0/authorize?p=somepolicy&client_id=xx-xx&redirect_uri=https://localhost:7223/&scope=https://xx.onmicrosoft.com/xx-xx/Some.Scope&response_type=token

I can call it with the openid scope but then there are no scopes in the token. As I understand you need to set the response_type=token and scope to the actual scope of your api.

Working call but no scopes:
https://xx.b2clogin.com/xx.onmicrosoft.com/oauth2/v2.0/authorize?p=somepolicy&client_id=xx-xx&redirect_uri=https://localhost:7223/&scope=openid&response_type=id_token

I've already added the API to the permissions of the client and granted admin consent, so that can't be the issue.

What am I doing wrong here? Or is it maybe not possible to use scopes with a B2C token?


I have tried in my environment, and I got the token successfully.

To resolve the error, please check the below steps:

In my case, I added a scope named “newscope” and then granted API permissions like below:

Go to Azure portal -> Azure AD B2C -> App registrations ->Your application -> Expose an API -> Add Scope

To get a token, try the below URL:

https://xxxxx.b2clogin.com/xxxxx.onmicrosoft.com/oauth2/v2.0/authorize?p=somepolicy&client_id=your_app_id&nonce=defaultnonce&redirect_uri=https://jwt.io&scope=openid profile offline_access&response_type=token&prompt=login 

With the above authorization URL, I got the token like below that displayed the scopes successfully after decoding.


  • Please make sure to add additional scopes like profile and offline_access along with openid.

  • Here I have given response_type=token instead of id_token

  • In the Authentication blade, make sure to check both access token and ID token.

  • If still something goes wrong, try with lower case scopes.
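As an added example (not code from the answer author), a small Python helper that builds the B2C authorize URL with the scopes space-separated and URL-encoded once, and decodes a token's payload to check the scp claim the way jwt.io displays it. The tenant, policy and client_id are placeholders, and the sample JWT is constructed and unsigned; decoding here is for inspection only, not validation.

```python
import base64
import json
from urllib.parse import urlencode, urlunsplit

# Placeholder tenant/app values (assumptions, replace with your own).
TENANT = "contoso"
POLICY = "B2C_1_signupsignin"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://localhost:7223/"


def build_authorize_url(scopes, response_type="token", tenant=TENANT,
                        policy=POLICY, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Build the B2C /authorize URL; scopes are joined by spaces and encoded once."""
    query = urlencode({
        "p": policy,
        "client_id": client_id,
        "nonce": "defaultnonce",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "response_type": response_type,
        "prompt": "login",
    })
    path = f"/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize"
    return urlunsplit(("https", f"{tenant}.b2clogin.com", path, query, ""))


def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_scopes(jwt):
    """Return the scopes in the 'scp' claim. Signature is NOT verified (inspection only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("scp", "").split())


# Constructed, unsigned sample token carrying the scope added in the answer.
SAMPLE_JWT = ".".join([
    _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"aud": CLIENT_ID, "scp": "newscope"}).encode()),
    "",
])

if __name__ == "__main__":
    api_scope = f"https://{TENANT}.onmicrosoft.com/{CLIENT_ID}/newscope"
    print(build_authorize_url(["openid", "profile", "offline_access", api_scope]))
    print(token_scopes(SAMPLE_JWT))
```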