Adventures with Azure AD B2C: Postman, Bearer Tokens and Scope

I am trying to get a Bearer token from Azure AD B2C using Postman.

I setup my Azure AD B2C tenant as described in Authentication in web APIs with Azure Active Directory B2C in ASP.NET Core.

I opened up Postman to test getting a Bearer Token.

After I logged in, I would get an invalid_request error, with the following error message:

This application does not have sufficient permissions against this web resource to perform the operation.

The issue was with scope and I was declaring it.

According to the documentation, the syntax for your scope declaration was https://{tenant domain name}/{api}/user_impersonation openid offline_access.

Needless to say, I completely interpreted that INCORRECTLY, which was the underlying issue with my call.

Couple of things helped me finally resolve this issue.

One, I reread the documentation.

In the Notes section for Scope it reads:

Replace {tenant domain name} with the tenant’s domain name. Replace {api} with the App ID URI you gave the web API when you first registered it (in this case, api). The pattern for the URL is: https://{tenant}.onmicrosoft.com/{api-id-uri}/{scope name}.

Two, I navigated to the the Published Scopes for the application, and saw the Full Scope Value.

I tweaked my Scope to reflect the Full Scope Value, and what do you know, everything worked!

Valuable lesson learned, READ, I MEAN REALLY READ, THE DOCUMENTATION.

Leave a Reply

Your email address will not be published.