How to Get and Validate User Tokens Issued by Azure AD B2C via Java

Wei He
3 min read · Jan 3, 2022

In an OAuth 2.0 flow, users obtain an access token, normally a JWT, from the authorization server after logging in, and present it to access protected resources. In most cases, Azure AD B2C provides a login page where users enter their username and password. Once valid credentials are entered, Azure AD B2C issues the JWT to the web app and redirects back to the corresponding page. Subsequent requests sent by the web app can then carry the JWT in the Authorization header.

However, some use cases need only partial credentials, or no user interaction at all, for login. For these cases the login page provided by Azure AD B2C cannot meet the need. It can perhaps only be solved by the so-called ROPC (Resource Owner Password Credentials) grant. The page “Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials” describes it as shown in the following screenshot:

Microsoft does not recommend this grant, and the following screenshot shows the warning:

OK, I get it. But my scenario might not belong to the “most scenarios”. Let me show you how I obtained the access token for my need, using a Java back end that I fully trust as the client, built with Spring Boot and Java 11.

As a precondition, I have already created the Azure AD B2C tenant and its users. See, for example, my other blog post “How to Create User in Azure AD B2C by using Microsoft Graph and Java”.

Firstly, the pom.xml:

Secondly, the DTO class for the response from AD B2C. In fact, the response provides more fields, such as refresh_token. For simplicity, I only keep id_token and access_token.

Fourthly, the service class:

Fifthly, the DTO class for POST request:

Sixth, the controller class:

Now I can finally send a request to obtain the user access token:

With this solution I can build my own login page with Angular, React, Vue, Flutter or anything else, as long as it sends REST requests containing “username” and “password” to obtain the id_token or access_token for later access to the other web APIs, which validate this JWT.

Extra notes on token validation:

Please note:

  1. The tokens are not issued by any policy (user flow) of the AD B2C tenant. If you want to validate them, the validation URL must not contain a policy either, so it should look like: https://login.microsoftonline.com/<tenant-id>/.well-known/openid-configuration?appid=<application(client)-id>; see “Microsoft identity platform access tokens”.
  2. The ID token can be validated as in the example “Spring Boot Security with Azure AD B2C: Using Azure B2C to secure Restful APIs (Part II)”.
  3. When using Azure API Management to validate the ID token, add the “validate-jwt” policy to the API Management configuration:

Please note that the OpenID configuration URL must include “v2.0” here, which is not required in Java.
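As an added example (my own code, not the author's gists, which did not survive extraction), here is a compact Java 11 version of the service described above together with the validation the notes call for. It assumes the policy-free v2.0 endpoints under login.microsoftonline.com/<tenant-id> (the issuer the first note refers to), Jackson and spring-security-oauth2-jose on the classpath, a public-client app registration (so no client secret is sent), and a scope of `openid offline_access`; the `RopcTokenClient` class, the `TokenResponse` DTO and the `enc` helper are mine.

```java
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.*;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.List;

public class RopcTokenClient {
    // Placeholders: replace with the values of your own tenant and app registration.
    static final String TENANT_ID = "<tenant-id>";
    static final String CLIENT_ID = "<application(client)-id>";
    static final String AUTHORITY = "https://login.microsoftonline.com/" + TENANT_ID;
    static final String TOKEN_ENDPOINT = AUTHORITY + "/oauth2/v2.0/token";
    static final String JWKS_URI = AUTHORITY + "/discovery/v2.0/keys"; // assumed v2.0 key set
    static final String ISSUER = AUTHORITY + "/v2.0";                  // v2.0 issuer value
    @JsonIgnoreProperties(ignoreUnknown = true) // refresh_token etc. are ignored on purpose
    public static class TokenResponse {
        @JsonProperty("id_token") public String idToken;
        @JsonProperty("access_token") public String accessToken;
    }

    // ROPC: the trusted back end posts the user's credentials as x-www-form-urlencoded.
    public static TokenResponse requestTokens(String username, String password) throws Exception {
        String form = "grant_type=password&client_id=" + enc(CLIENT_ID)
            + "&scope=" + enc("openid offline_access") // assumed scope
            + "&username=" + enc(username) + "&password=" + enc(password);
        HttpRequest request = HttpRequest.newBuilder(URI.create(TOKEN_ENDPOINT))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form)).build();
        HttpResponse<String> resp = HttpClient.newHttpClient()
            .send(request, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) throw new IllegalStateException("token request failed: " + resp.body());
        return new ObjectMapper().readValue(resp.body(), TokenResponse.class);
    }
    // Resource-side check of the ID token: signature (JWKS), exp/nbf, issuer and audience.
    public static Jwt validateIdToken(String idToken) {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWKS_URI).build();
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefaultWithIssuer(ISSUER),
            new JwtClaimValidator<List<String>>("aud", aud -> aud != null && aud.contains(CLIENT_ID))));
        return decoder.decode(idToken); // throws JwtException if any check fails
    }
    private static String enc(String v) { return URLEncoder.encode(v, StandardCharsets.UTF_8); }
}
```

Calling `validateIdToken` on the `idToken` returned by `requestTokens` fails with a `JwtException` if the signature, expiry, issuer or audience does not match, which is the check a receiving API should perform before trusting any claim.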

The complete code example can be found in the GitHub repository.

References:

[1] https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc?WT.mc_id=AZ-MVP-5003203

[2] https://docs.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview

[3] https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect#get-a-token

[4] https://docs.microsoft.com/en-us/azure/active-directory-b2c/implicit-flow-single-page-application

[5] https://docs.microsoft.com/en-us/azure/active-directory-b2c/access-tokens

[6] https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview

[7] https://stackoverflow.com/questions/47051521/azure-ad-b2c-password-expiration

[8] https://stackoverflow.com/questions/40574892/how-to-send-post-request-with-x-www-form-urlencoded-body

[9] https://siweheee.medium.com/how-to-create-user-in-azure-ad-b2c-by-using-microsoft-graph-and-java-4ac3e18b298e

[10] https://stackoverflow.com/questions/57703697/jwt-validation-failure-error-in-azure-apim
