Resource Owner Password Credentials flow not working in Azure AD B2C

Question

Was trying to utilize ROPC (Resource Owner Password Credentials) flow to login in through Azure AD B2C.

Followed this documentation: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-custom-policy

The only doubt I had was in Step 4 - whether ValidTokenIssuerPrefixes is supposed to be https://sts.windows.net/ anyways I tried the custom policy without changing this value.

After running the custom policy and making a REST request as below:

POST /<tenant-name>.onmicrosoft.com/B2C_1A_ROPC_Auth/oauth2/v2.0/token HTTP/1.1
Host: <tenant-name>.b2clogin.com
Content-Type: application/x-www-form-urlencoded

username=contosouser.outlook.com.ws&password=Passxword1&grant_type=password&scope=openid+bef22d56-552f-4a5b-b90a-1988a7d634ce+offline_access&client_id=bef22d56-552f-4a5b-b90a-1988a7d634ce&response_type=token+id_token

I get the following 500 error response:

OData error

Answer 1

Similar Issue here, configured ROPC per the docs and cannot get a login to work properly, for me it returns an error that the username and password is incorrect, however the username/pass is indeed correct, because when I use the ropc user flow created via the ui, same api call username/pass client id etc all the same works fine. Also stuck here as well.

Was hoping if we could use the user flow ropc, but it does not appear that api connectors are supported via the user flow ropc which is disappointing.

Edit

ending up figuring this one out, for anyone looking for the same:

The documentation is correct what I was missing was this section

the 2 values ProxyIdentityExperienceFrameworkAppId IdentityExperienceFrameworkAppId

Need to be updated with user specific values from my b2c instance. Once I swapped those names for the actual app ids for those, everything worked as expected