Azure AD B2C ROPC user flow always returns HTTP 400 “Bad Request” (no JSON error)

Ray Garg 35 Reputation points
2025-11-30T03:26:50.11+00:00

Hi everyone,

I’m trying to test the ROPC flow in an Azure AD B2C tenant and I keep getting a plain HTTP 400 “Bad Request” response from the token endpoint, with no JSON error payload.

Here’s exactly what I’ve done:

  1. Created a ROPC user flow
    • Azure AD B2C -> User flows -> “Sign in using resource owner password credentials (ROPC)”
    • Name: B2C_1_TEST_ROPC
    • Left all settings as default, no extra attributes or custom attributes.
  2. Created a public client app registration
    • Azure AD B2C -> App registrations -> New registration. Name: JIT ROPC TEST CLIENT
    • Accounts in this organizational directory only.
    • After creation, under **Authentication**, I turned on **Allow public client flows**.
    • No redirect URIs configured.
    • App (client) ID: `5a8bf2ae-e01d-405f-be6f-76bd22668490`.
  3. Created a test local account user
    • Azure AD B2C -> Users -> New user -> Create user.
    • UPN: ******@zappsecincAdB2C.onmicrosoft.com
    • Set an initial password
  4. Got the token endpoint from the user flow
    • From the .well-known/openid-configuration for B2C_1_TEST_ROPC:
      "token_endpoint": "https://zappsecincadb2c.b2clogin.com/zappsecincadb2c.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_test_ropc"
  5. Postman request
    • URL:
      POST https://zappsecincadb2c.b2clogin.com/zappsecincadb2c.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_test_ropc
    • Headers:
      Content-Type: application/x-www-form-urlencoded
    • Body (x-www-form-urlencoded):
      grant_type=password
      client_id=<JITROPCClientTest ID inserted in here>
      scope=openid offline_access
      username=******@zappsecincAdB2C.onmicrosoft.com
      password=<correct password>
  6. Result
    • HTTP status code: 400 Bad Request
    • Body: just the text “Bad Request” (HTML), no JSON error like AADB2C9xxx.

I also tried:

  • Using the tfp-style URL:
    https://zappsecincadb2c.b2clogin.com/tfp/zappsecincadb2c.onmicrosoft.com/B2C_1_TEST_ROPC/oauth2/v2.0/token
  • Using the client_id as part of the scope (scope=openid offline_access 5a8bf2ae-e01d-405f-be6f-76bd22668490).

In all cases, I still get a plain 400 “Bad Request” without an AADB2C error code.

Questions:

  1. Is there any additional configuration required to allow a B2C ROPC user flow to issue tokens to a public client app like this?
  2. Are there known limitations or bugs with ROPC user flows in combination with the newer App registrations manifest schema?
  3. Is it mandatory and recommended to use a custom policy ROPC (e.g. B2C_1A_ROPC_Auth) instead of the ROPC user flow to make this scenario work?

I’ve reviewed the “add-ropc-policy” documentation and I see references to oauth2AllowImplicitFlow in the manifest, but that property doesn’t exist in my app registration manifest (I’m using the newer schema). I’m assuming that guidance applies to the older “Applications (legacy)” experience, but I wanted to confirm that as well.

Thanks in advance for any pointers. Happy to grab any other details that help.

Microsoft Security | Microsoft Entra | Other
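Scripting the same ROPC request outside Postman makes it easier to tell a policy-level AADB2C error apart from the bare HTML "Bad Request" described above. This is an added example, not code from the question; the tenant, policy and token endpoint are the ones in the post, while the client_id, username and password are supplied by the caller.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Tenant, policy and endpoint as given in the question above.
TENANT = "zappsecincadb2c"
POLICY = "b2c_1_test_ropc"
TOKEN_ENDPOINT = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/oauth2/v2.0/token?p={POLICY}"


def build_ropc_body(client_id, username, password, scopes=("openid", "offline_access")):
    """Form-encode the ROPC token request exactly as the Postman body sends it."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "scope": " ".join(scopes),
        "username": username,
        "password": password,
    })


def parse_token_response(status, body):
    """Classify a token-endpoint reply as tokens, a B2C JSON error, or an opaque error.

    A JSON error's error_description starts with an AADB2C9xxxx code; a bare
    'Bad Request' text/HTML body (the symptom in the question) carries no code.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return {"kind": "opaque_error", "status": status, "text": body.strip()}
    if "access_token" in data or "id_token" in data:
        return {"kind": "tokens", "status": status, "token_type": data.get("token_type")}
    desc = data.get("error_description", "")
    code = desc.split(":", 1)[0] if desc.startswith("AADB2C") else None
    return {"kind": "b2c_error", "status": status, "error": data.get("error"), "code": code}


def request_token(client_id, username, password):
    """POST the ROPC request (network call) and classify whatever comes back."""
    req = urllib.request.Request(
        TOKEN_ENDPOINT,
        data=build_ropc_body(client_id, username, password).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return parse_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:  # 4xx/5xx bodies are still worth reading
        return parse_token_response(err.code, err.read().decode())
```

Call `request_token(client_id, username, password)` against the tenant; a result of kind `opaque_error` reproduces the symptom in the question, whereas `b2c_error` means the request at least reached the policy and carries an AADB2C code to look up.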

2 answers

  1. Ray Garg 35 Reputation points
    2025-11-30T06:31:20.1666667+00:00

    Update: the issue has been solved. The custom policy gave me more insights into it being the wrong app type selected when creating the app registration for the JIT ROPC client. Once I selected option 3, it became a v2 app. I also updated the app manifest (the updated one), and now Postman is giving a successful response with tokens.


