Setting Azure AD B2C Authentication in Postman
Azure AD B2C has been good so far, mostly because of the 50k free monthly active users 😇, and because it just works. The problem I had using B2C with a backend was acquiring and testing tokens during development.
Yes, Azure AD B2C has a Resource Owner Password Credentials (ROPC) flow that lets you get tokens by just posting your username and password, but Microsoft does not recommend it. Still, I had been using it locally to get tokens.
With the newer versions of Postman (version 8+), it is easy to set up OAuth 2.0 based authentication.
So, let’s set it up.
Note: This article assumes that you have basic knowledge of OAuth 2.0 and Azure AD B2C.
Before we can get tokens, we need to tell Azure AD B2C that we want to authenticate using the Authorisation Code flow with Proof Key for Code Exchange (PKCE).
At the time of writing this article, Azure AD B2C supports the following platforms:
- Web applications
- Single-page application
- Mobile and desktop application
For web applications you need a client secret, because as far as I have tested it, that platform does not work with PKCE alone. I chose Mobile and desktop application because Postman is a desktop application. Let's add a platform first:
- In the Azure AD B2C directory, select App registrations from the left menu.
- On the Owned applications tab, select your application.
- From the left menu, under Platform configurations, click Add a platform. This opens a drawer on the right; select Mobile and desktop applications.
- According to Postman's documentation, the callback URL should be https://oauth.pstmn.io/v1/callback. Add that and click Configure. This creates the appropriate platform.
- Also, on the same page, under Implicit grant and hybrid flows, make sure ID tokens is ticked.
At this point, make sure you know your authorize and token endpoints. Mine are:
- Authorize - https://gollahalliauth.b2clogin.com/gollahalliauth.onmicrosoft.com/B2C_1_SignUpSignInFlow/oauth2/v2.0/authorize
- Token - https://gollahalliauth.b2clogin.com/gollahalliauth.onmicrosoft.com/B2C_1_SignUpSignInFlow/oauth2/v2.0/token
Let's set up OAuth 2.0. Go to the collection settings, click on the Authorization tab, and do the following:
| Field | Value | Note |
|---|---|---|
| Type | OAuth 2.0 | Type of authentication |
| Add auth data to | Request Header | Once an |
| Token Name | Azure AD B2C Authentication | This is up to you |
| Grant Type | Authorization Code (With PKCE) | |
| Callback URL | https://oauth.pstmn.io/v1/callback | This cannot be edited |
| Authorize using browser | Tick | |
| Access Token URL | https://gollahalliauth.b2clogin.com/gollahalliauth.onmicrosoft.com/B2C_1_SignUpSignInFlow/oauth2/v2.0/token | |
| Client ID | `<your client ID>` | |
| Client Secret | (leave empty) | This should be empty |
| Code Challenge Method | SHA-256 | |
| Code Verifier | (leave empty) | This should be empty so that Postman can generate one for you |
| Scope | `<custom scope> openid profile offline_access` | |
| Client Authentication | Send client credentials in body | |
`<custom scope>` is the scope you have defined in your Azure AD B2C application. For example, I have defined two scopes, `user.read` and `user.write`. Because these are custom scopes, you need to reference them by their full URI; in my case that is `https://gollahalliauth.onmicrosoft.com/api/user.read https://gollahalliauth.onmicrosoft.com/api/user.write`. Custom scopes are defined in the `API Permissions` section of your Azure AD B2C application.
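What Postman does behind the Authorization Code (With PKCE) setting, as an added Python example that is not part of the original post and not Postman's code: it generates the verifier/challenge pair, builds the authorize URL against the endpoints above, and builds the token request body with no client secret. The tenant, policy, callback and scopes are the values from this post; the client ID is a placeholder, and nothing is sent over the network.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

TENANT = "gollahalliauth"  # tenant and policy names as used in the post
POLICY = "B2C_1_SignUpSignInFlow"
BASE = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{POLICY}/oauth2/v2.0"
AUTHORIZE_URL = f"{BASE}/authorize"
TOKEN_URL = f"{BASE}/token"  # token_request_body() below is POSTed here as a form
CALLBACK_URL = "https://oauth.pstmn.io/v1/callback"  # Postman's callback, registered in B2C
SCOPES = [f"https://{TENANT}.onmicrosoft.com/api/user.read", "openid", "profile", "offline_access"]

def b64url(data: bytes) -> str:
    # base64url without '=' padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    # 32 random bytes -> 43 characters; Postman does this when Code Verifier is left empty
    return b64url(secrets.token_bytes(32))

def code_challenge(verifier: str) -> str:
    # S256 method: base64url(SHA-256(verifier)); this is the "SHA-256" option in Postman
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorize_params(client_id: str, verifier: str, state: str) -> dict:
    # Step 1: query for the browser redirect. Only the challenge is sent; the verifier stays local.
    return {
        "client_id": client_id,  # your B2C application (client) ID, a placeholder in the test
        "response_type": "code",
        "redirect_uri": CALLBACK_URL,
        "scope": " ".join(SCOPES),
        "state": state,  # must match on the callback, otherwise discard the response
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }

def authorize_url(client_id: str, verifier: str, state: str) -> str:
    return f"{AUTHORIZE_URL}?{urlencode(authorize_params(client_id, verifier, state))}"

def token_request_body(client_id: str, code: str, verifier: str) -> dict:
    # Step 2: form body for TOKEN_URL. No client_secret: the verifier proves who started the flow.
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": CALLBACK_URL,
        "code_verifier": verifier,
        "scope": " ".join(SCOPES),
    }
```

Because B2C hashes the verifier it receives in step 2 and compares it with the challenge from step 1, a leaked authorization code alone cannot be redeemed, which is why the Client Secret field can stay empty for this platform type.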
These steps should be similar for other OAuth providers. Do give it a try and let me know if there is room for improvement. I hope this article helps you in your development.
- 01/10/2023 - Added additional information about custom scopes
- 25/08/2023 - Updated the article to reflect the change in authentication flow
  - New callback URL added