I have set up an Azure AD B2C service to sign up / sign in my users and have used the third-party identity providers Google and Microsoft. After successfully logging in, I get idp_access_token back from the B2C service. Can I use this token to directly connect to the Google and Microsoft APIs, as the Azure docs mention this token is issued by the identity providers and returned as a claim by the B2C service? But the idp_access_token doesn't seem to be a valid access token, and no claims are included in it.
To get a valid "idp_access_token", please check whether you have to set "v2.0" in the metadata URL of the OpenID Identity Provider configuration:
https://xxx.b2clogin.com/xxxx.onmicrosoft.com/v2.0/.well-known/openid-configuration
We may not be able to edit the metadata URL of an already created one, so try creating a new one with "v2.0" in the metadata URL.
When a user signs in with an identity provider, like Google or Facebook, your app gets the identity provider's access token passed in the Azure AD B2C token. This idp_access_token can be used to call the identity provider's API, such as the Facebook Graph API; i.e. usually the embedded IdP access token is used to call the services that the IdP hosts. For details see Pass an access token through a user flow to your application in Azure Active Directory B2C.
Reference: techcommunity.microsoft.com blog
Note:
- Azure AD B2C supports passing the access token of OAuth 2.0 identity providers, which include Facebook and Google. For all other identity providers, the claim is returned blank.
- Even if the idp_access_token claim is a valid JWT, it cannot be used to access Microsoft Graph or other additional scopes, as usually the embedded IdP access token is used to call the services that the IdP hosts, but Microsoft Graph data is hosted in Azure AD and not on the Microsoft Account side.
You can check this Microsoft document to Set up sign-up and sign-in with a Facebook account using Azure Active Directory B2C or with a Google account using Azure Active Directory B2C.
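As an added illustration (not code from the question or the answer): pulling the idp_access_token claim out of a B2C token, treating a blank claim as "no IdP token available", and sending the token only to the issuing IdP's own API. It assumes the B2C token also carries the standard idp claim naming the provider, and the sample token is constructed unsigned; a real deployment must verify the B2C token's signature against the jwks_uri from the v2.0 metadata before trusting any claim.

```python
import base64
import json
import urllib.request
from typing import Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(payload: dict) -> str:
    """Constructed, UNSIGNED sample token for offline demonstration only.
    Real B2C tokens are signed and must be verified against B2C's jwks_uri."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


def extract_idp_access_token(b2c_token: str) -> Optional[Tuple[str, str]]:
    """Return (idp, idp_access_token) from a B2C token, or None when the claim is
    blank (as it is for providers other than OAuth 2.0 IdPs such as Google/Facebook)."""
    payload = json.loads(_b64url_decode(b2c_token.split(".")[1]))
    idp = payload.get("idp", "")            # assumption: B2C emits the `idp` claim
    idp_token = payload.get("idp_access_token", "")
    if not isinstance(idp_token, str) or not idp_token:
        return None
    return idp, idp_token


# The embedded IdP token is only good for the IdP's own services. Microsoft Graph
# is hosted in Azure AD, not on the Microsoft Account side, so it is deliberately
# absent here: a live.com idp_access_token cannot be redeemed against Graph.
IDP_USERINFO_ENDPOINTS = {
    "google.com": "https://www.googleapis.com/oauth2/v3/userinfo",
    "facebook.com": "https://graph.facebook.com/me",
}


def build_idp_request(idp: str, idp_access_token: str) -> Optional[urllib.request.Request]:
    """Build a bearer request to the IdP's own API, or None if no IdP API applies."""
    url = IDP_USERINFO_ENDPOINTS.get(idp)
    if url is None:
        return None
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {idp_access_token}"})


if __name__ == "__main__":
    sample = make_sample_token({"idp": "google.com", "idp_access_token": "ya29.constructed-sample"})
    found = extract_idp_access_token(sample)
    print(found, build_idp_request(*found).full_url if found else None)
```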