Azure B2C - Google consent screen shows "Choose an account to continue to b2clogin.com" (not mydomain.com) - azure-ad-b2c

I've hooked up Google OAuth to B2C, and it works great except that the consent screen shows "b2clogin.com" instead of "mydomain.com" like so:
Any way to fix this?

Related

Need help getting Azure AD B2C SSO with Azure AD

I'm trying to set up a page with an Azure AD B2C Sign-Up and Sign-In User Flow, which will then automatically log in to Azure AD as part of the flow. Specifically, I'm trying to create a User Flow that will allow the user to sign in to Azure AD B2C, and automatically have them sign in to Power Apps as a consequence. I'm using the following document as a guide:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow
I've confirmed the pre-requisite part is working. On my Sign up and Sign In page, I'm able to create an account, and I'm able to log in with the account. However, when I log in, I am not being automatically logged in to the Azure AD account as I would expect.
I have a whole bunch of screenshots I've taken with obfuscated data, if they would help, but I think the piece of the puzzle that likely explains the problem is this one:
This seems pretty similar to how it is configured over on the other side of the equation:
However, there seems to be a key difference between the two. In the former case, I get a URL of the following format:
https://[B2CDOMAIN].b2clogin.com/[B2CDOMAIN].onmicrosoft.com/oauth2/v2.0/authorize?p=[B2CUserFlow]&[MORE QUERY STRING STUFF]
In the latter, my URL looks like this:
https://[B2CDOMAIN].b2clogin.com/[A GUID]/[B2CUserFlow]/oauth2/v2.0/authorize?[MUCH MORE QUERY STRING STUFF BUT NO p= ONE].
I don't know if this gives any indications, or if it's just a red herring. At the moment, I'm not getting any errors or anything - I'm simply not being signed in on the Azure AD side.
The default behaviour for this is that you have to select the AAD button to kick off the federation.
If you want to login automatically (no button click) you have to use custom policies.
So you login to your local account and then the policy takes you to AAD where you should be logged in as long as the custom policy is set up for SSO.
I've never done this for OIDC but I have for SAML and it works there.

Unable to revoke user permissions for an Azure application

I have an application registered in Azure which asks for user consent via oauth2 to read the user's calendar. I am trying to figure out how the user will go about revoking this permission. I believe this is done via myapps.microsoft.com. I do find my application listed here but when I click on it I get this error:
something went wrong... You cannot access this application because it
has been misconfigured. Contact your IT department and include the
following information: Undefined Sign-On URL for application "xxxxx"
In Azure App Registrations (legacy) there is an option for sign on URL but my application doesn't show up in search results on this screen. In Azure App registrations, the Sign On URL option seems to have been removed. Can someone guide me on how the user will remove consent in this situation?
If you add a Home Page URL under Branding in Azure App registrations, you'll at least get rid of that particular error when browsing to your app in myapps.microsoft.com. Then, if the user has consented themselves, you'll be able to Remove the app permission when logged in to myapps.microsoft.com as them. However, if the app was consented by Admin, the user will not see the choice to remove the app permission.
Here's a linky with a better description with pictures.

User is prompted to consent to the application on every sign in - Azure AD v2.0

I have a native app (Electron) where I have integrated Azure AD v2.0 Sign in experience. We have only enabled Microsoft Account based sign in for now.
Here's what my sign-in URL looks like:
const url = `https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=<my-application-id>&response_type=id_token&redirect_uri=${encodeURIComponent('urn:ietf:wg:oauth:2.0:oob')}&scope=openid%20profile%20email&response_mode=fragment&nonce=<some-random-value>&state=<some-random-value>`;
Using this link, a user can sign in successfully. There're no issues there. However every time a user signs in, they are presented with a consent dialog after providing their credentials.
Based on my knowledge, if a user has consented to an app and there're no change in the permissions (rather scopes) asked by the app, then the user should not be prompted to consent again.
I'm wondering why this is happening. I even tried with appending prompt=login to the URL but that has no effect.
Is there another setting that I need to make? I looked at both the old portal (Microsoft Application Registration Portal) as well as new portal (App Registration (Preview) in Azure Portal) but could not find a setting that will disable the consent prompt on every sign in.
The behavior you are seeing is due to the fact that you are using a reply URL with a scheme that is not "http" or "https" ("urn", in your case). In this situation, Microsoft Accounts will ask the user to confirm the delegated permissions the app is requesting, even if these permissions have been granted previously. This additional prompt helps make sure users know which app the app is identifying as.
In most native client app scenarios, this should not be a significant issue. It will add an extra step during the initial sign-in to the app, but after that, the app should be able to make use of the refresh token for most token acquisitions. (Occasionally, the app may need to trigger an interactive sign-in again, but this would be relatively rare.)
If you look very closely, you'll notice a slight difference between the initial consent prompt ("...needs your permission to..."), and the subsequent confirmation prompt ("... needs you to confirm its permission to...").

Use MFA with Azure AD B2C

Has anyone out there managed to get MFA to work in a sign-up policy in Azure AD B2C?
I've tried the sample described here:
https://azure.microsoft.com/sv-se/documentation/articles/active-directory-b2c-devquickstarts-api-dotnet/
But when I go through the sign-up process and click the Create button, I only get a blank page and not the second verification step with my mobile phone, which I guess is the expected result.
The URL I get redirected to is:
https://login.microsoftonline.com/[myb2cdirectory].onmicrosoft.com/B2C_1_SignupTest/api/SelfAsserted/confirmed?csrf_token=longtoken&tx=eyJUSUQiOiI0OTZiMzY4ZC03NDMxLTRjNTMtYjRmOS1iZDFmODEwZDJkY2UifQ&metrics=v1.0.1%3Bhttps%3A%2F%2Flogin.microsoftonline.com%2Fstatic%2Ftenant%2Fdefault%2FselfAsserted.cshtml%2C10%2C1%2C394%2C200%3B&p=B2C_1_SignupTest
Has anyone managed to get MFA to work with the sample or at all?
I wonder if I've missed some settings in my policy (besides enabling MFA...).
Thanks!
Erik
I have followed the article active-directory-b2c-devquickstarts-api-dotnet. It doesn't have the problem.
Please make sure you have not missed any vital steps:
When you click "Application", enter a name, and toggle the Include web app / web API switch to Yes.
The Reply URLs need a default URL.
And go to the Sign-up policies add page, key in the name and Identity providers.
Then click Run now again.

ADFS and Azure AD OAuth (User account ... from external identity provider ...)

For the last few weeks I've been trying to solve one BIG problem with Azure Active Directory and OAuth authorization.
We have an Azure AD tenant and an API application in that tenant. We use it for OAuth and the Office 365 API. Everything is OK, except one thing: our users can't change their passwords by themselves, they have to write to administrators (>10K users). We want to enable ADFS and give them the ability to change their password.
We tried a few times to enable ADFS and change the auth type from Managed to Federated, but after that users can't log in to our app.
If they click "log in" in our application it opens URL like:
https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=...&resource=https://outlook.office365.com/
When they try to sign in there they get error:
"User account ... from external identity provider ... is not supported for application ..."
AND!
If they sign in to ADFS first and after that sign in to the application, everything is OK.
So, what should we do to enable ADFS and use API applications?
Sorry for the bad description and bad English.
