Do I need custom scope for B2C SSO app registration?


I am able to get access token from B2C only if I define a custom scope for app registration (Expose an API section), see below:


I can't understand why I need it. So, it makes sense to grant permissions for Microsoft Graph. Every time the user allows MY APP to act on his behalf (in my case during SSO login), MY APP can read the user profile and B2C can return user info like email in the B2C token.

If I omit the custom scope and use something like openid, I get the following error:

AADB2C90055: The scope 'openid' provided in request must specify a resource, such as 'https://example.com/calendar.read'.

1 answer

I created an Azure AD B2C application and granted API permissions:


When I pass scope as openid, the access token does not get generated:

https://b2caadtenant.b2clogin.com/b2caadtenant.onmicrosoft.com/B2C_1_SUSI/oauth2/v2.0/token

client_id: ClientID
scope: openid
grant_type: authorization_code
redirect_uri: https://jwt.ms
client_secret: ClientSecret
code: code


Note that by default, Azure AD B2C automatically returns the access token only if you explicitly request permission to one of your custom APIs, hence a custom scope must be passed to generate an access token.

When I pass the scope with the custom API, the access token is generated, like below:

scope: https://b2caadtenant.onmicrosoft.com/xxx/user_impersionation openid


References:

Azure B2C login with Cypress oauth 2.0 - {tenant}.b2clogin.com - Stack Overflow by Sridevi

Error code reference - Azure AD B2C
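A small helper, added here as an example and not part of either post, that pre-checks the scope string the way the AADB2C90055 error implies (at least one resource-scoped https:// entry next to openid) before building the authorization_code token request, and then checks that a returned access token's aud and scp actually name the custom API. The scope URI and the https://jwt.ms redirect come from the answer; client_id, client_secret, code and the API app id are placeholders, and the sample token is constructed locally and unsigned so the example runs offline.

```python
import base64
import json
from urllib.parse import urlencode

# OIDC scopes B2C accepts next to a resource scope, but never as the only scope.
OIDC_SCOPES = {"openid", "offline_access", "profile", "email"}

def check_scope(scope: str):
    """Return (ok, reason). B2C answers AADB2C90055 and issues no access token
    when the scope names no resource such as https://<tenant>.onmicrosoft.com/<api>/<perm>."""
    parts = scope.split()
    resource = [s for s in parts if s not in OIDC_SCOPES]
    if not resource:
        return False, "no resource scope: expect AADB2C90055 and no access_token"
    bad = [s for s in resource if not s.startswith("https://")]
    if bad:
        return False, f"scope entries without a resource URI: {bad}"
    return True, "ok"

def token_request_body(client_id, client_secret, code, redirect_uri, scope):
    """Form body for the B2C /oauth2/v2.0/token endpoint (authorization_code grant).
    Refuses to build a request that B2C would reject for a missing resource scope."""
    ok, reason = check_scope(scope)
    if not ok:
        raise ValueError(reason)
    return urlencode({
        "client_id": client_id, "scope": scope, "grant_type": "authorization_code",
        "redirect_uri": redirect_uri, "client_secret": client_secret, "code": code,
    })

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def constructed_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token (placeholder) so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_claims(jwt: str) -> dict:
    """Decode the payload for inspection only; real validation must also verify the signature."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def access_token_is_for_api(jwt: str, api_app_id: str, permission: str) -> bool:
    """True when the token is addressed to our API (aud) and carries the permission (scp)."""
    c = decode_claims(jwt)
    return c.get("aud") == api_app_id and permission in c.get("scp", "").split()
```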