我正在使用Azure B2C中的客户端凭据流设置应用程序。当我通过Azure Portal创建应用程序时，我可以为其分配一个密钥和API权限，然后调用令牌端点来检索访问令牌。但是，当我通过Graph API创建应用程序并分配相同的权限和密钥时，它返回以下错误：

{
    "error": "invalid_grant",
    "error_description": "AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.\r\nCorrelation ID: a73a0250-9ee7-4cde-9754-715460bc5fe6\r\nTimestamp: 2023-07-18 20:10:01Z\r\n"
}

字符串
除了GUID和名称不同之外，这两个应用程序具有相同的清单。我还通过API检查了服务主体，除了GUID和名称之外，它们看起来都是一样的。通过单击门户的API权限窗格中的“授予{租户}的管理员许可”按钮，已授予两个应用程序的权限的管理员许可。我发现早期的stackoverflow帖子指出，由Graph API创建的应用程序不符合B2C集成的条件，但根据这里的文档，情况似乎不再如此：https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-operations#applications
下面是我通过Graph API创建应用程序的步骤：

POST /v1.0/applications HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer {token from graph API application}
Content-Type: application/json
Content-Length: 29

{
    "displayName": "test2"
}

型
这将在Azure门户的“应用程序注册”窗格中的“所有应用程序”选项卡下创建应用程序注册。以下是创建的应用程序的清单：

{
    "id": "{id}",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": 2,
    "addIns": [],
    "allowPublicClient": null,
    "appId": "{appId}",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2023-07-18T19:35:48Z",
    "description": null,
    "certification": null,
    "disabledByMicrosoftStatus": null,
    "groupMembershipClaims": null,
    "identifierUris": [],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "test2",
    "notes": null,
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": false,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "optionalClaims": null,
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [
        {
            "customKeyIdentifier": null,
            "endDate": "2024-01-14T21:05:11.199Z",
            "keyId": "{keyId}",
            "startDate": "2023-07-18T20:05:11.199Z",
            "value": null,
            "createdOn": "2023-07-18T20:05:14.7198454Z",
            "hint": "rLR",
            "displayName": "clientSecret"
        }
    ],
    "preAuthorizedApplications": [],
    "publisherDomain": "{tenent}",
    "replyUrlsWithType": [],
    "requiredResourceAccess": [
        {
            "resourceAppId": "{API app ID}",
            "resourceAccess": [
                // records in here for api permissions that match those of the application I create through the portal
            ]
        },
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
                    "type": "Scope"
                },
                {
                    "id": "37f7f235-527c-4136-accd-4a02d197296e",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "tags": [],
    "tokenEncryptionKeyId": null
}

型
我还通过下面的端点通过API创建了密钥，在其他测试中，在应用程序注册到上面的调用后，还通过门户添加了该密钥。两条路都没有区别。

POST /v1.0/applications/0a9334c7-6312-4912-86d4-31d8458cf9f6/addPassword HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer {token from Graph API}
Content-Type: application/json
Content-Length: 80

{
    "passwordCredential": {
        "displayName" : "clientSecret"
    }
}

型
当我进行调用以获取令牌时，在门户中创建的应用程序工作，并且由API创建的应用程序返回invalid_grant错误。以下是我如何打这个电话：

POST /{tenant}.onmicrosoft.com/{custom policy}/oauth2/v2.0/token?client_id={client_id}&grant_type=client_credentials&scope=https://{tenant}.onmicrosoft.com/{application id URI slug}/.default&client_secret={client_secret} HTTP/1.1
Host: devcloud9fx.b2clogin.com

型
当在postman中调用这个函数时，我唯一改变的是client_id和secret。