I have a mobile application that uses B2C UserFlow to authenticate the user.
But for more flexibility, we would like to design the screens and just send the user credentials to Microsoft Graph to authenticate and receive the token.
So far I haven't found anything that tells me that Microsoft Graph can authenticate a user in B2C.
Does anyone know if this is possible?
Can someone provide a general approach to meeting these requirements? I've spent a bit of time researching these various topics and attempting to implement solutions and I'm surprised at how much work is involved. Hopefully I'm missing something.
How do I invite consumer users to a B2C tenant so that they can authenticate into our application using their social accounts (ex: Personal Microsoft or Google accounts)? The only baked in solution on the Azure Portal I've found uses B2C local accounts. Note that I do not want to use a publicly accessible Sign Up flow.
Presently I'm looking into a custom process that would work by inviting users to a 'local' b2c consumer account and then allowing the user to associate their social account with the local account.
Once users have authenticated (using MSAL v2 Auth Flow w/PKCE), I want to retrieve a list of permissions the user has for our application.
I'm looking into two options here:
(1) use the auth token to verify user against an internal API that, in turn, makes a call to the Microsoft Graph API to get the user's group memberships.
(2) Create a custom claim that serves the same purpose as user groups
Administrative users of our application need to be able to invite additional users to the application.
I've found some articles that point, again, to using custom policies.
Thank you very much!
EDIT #1 -
Looking into using B2C & Microsoft Graph API I came across some decent, and recent, MS Resources:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-operations
And this important-to-me statement -> Microsoft January 28th, 2021:
"Although the OAuth 2.0 client credentials grant flow is not currently directly supported by the Azure AD B2C authentication service, you can set up client credential flow using Azure AD and the Microsoft identity platform /token endpoint for an application in your Azure AD B2C tenant. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants."
I'll update my post when I find a solution. Thanks again!
You need to use custom policies.
For the first bullet point, see my sample:
https://github.com/azure-ad-b2c/samples/tree/master/policies/link-local-account-with-federated-account
You could do either option. For option 1, AAD B2C can call your API, which can call the Graph API to fetch groups, and then embed the info into the token. For option 2, you could write a role value to an extension attribute and return it in the token.
To invite users, you could use the invite sample. Essentially, make an app that calls an API to generate these invite links and sends them to the user's email. The user clicks the link, which allows them to complete their sign-up.
https://github.com/azure-ad-b2c/samples/tree/master/policies/invite
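As an added example (not part of the answer above and not taken from the linked samples), here is the backend piece that both options and the invite flow lean on: a small service that holds the client credential, obtains a token from the Azure AD /token endpoint of the B2C tenant with the client credentials grant, and then either reads a user's group memberships through Microsoft Graph (option 1) or writes a role to an extension attribute on the user (option 2). The tenant name, app ids, the `transport` callable and the canned responses in `fake_transport` are assumptions constructed so the example runs offline.

```python
import json
import re
from urllib.parse import urlencode

# Assumed values (placeholders): the B2C tenant, an app registration in that
# tenant holding Graph application permissions, and the application id of the
# "b2c-extensions-app" that B2C creates for custom (extension) attributes.
TENANT = "yourtenant.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
B2C_EXTENSIONS_APP_ID = "11111111-2222-3333-4444-555555555555"
GRAPH = "https://graph.microsoft.com/v1.0"
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def client_credentials_request(tenant, client_id, client_secret):
    """Token request for the OAuth 2.0 client credentials grant. The endpoint
    is the Azure AD /token endpoint of the B2C tenant (not a B2C policy
    endpoint), as the quoted Microsoft statement describes."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def extension_attribute_name(extensions_app_id, attribute):
    """Extension attributes on B2C users are addressed in Graph as
    extension_<b2c-extensions-app id without dashes>_<attribute name>."""
    return f"extension_{extensions_app_id.replace('-', '')}_{attribute}"


class GraphBackend:
    """The proxy the mobile app (or your API) calls instead of holding the
    secret itself. `transport(method, url, headers, body)` is a hypothetical
    HTTP callable returning parsed JSON, so no network is needed here."""

    def __init__(self, transport, client_secret):
        self.transport = transport
        self.client_secret = client_secret
        self._token = None

    def token(self):
        if self._token is None:
            url, body = client_credentials_request(TENANT, CLIENT_ID, self.client_secret)
            resp = self.transport("POST", url,
                                  {"Content-Type": "application/x-www-form-urlencoded"}, body)
            if "access_token" not in resp:
                raise RuntimeError(resp.get("error_description", "token request failed"))
            self._token = resp["access_token"]
        return self._token

    def _headers(self):
        return {"Authorization": f"Bearer {self.token()}",
                "Content-Type": "application/json"}

    @staticmethod
    def _user_path(object_id):
        # The object id must come from the caller's validated B2C token (oid claim),
        # never from free-form input, and is checked before it is placed in a URL.
        if not GUID_RE.fullmatch(object_id):
            raise ValueError("object id is not a GUID")
        return f"{GRAPH}/users/{object_id}"

    def group_ids_for_user(self, object_id):
        # Option 1: group membership is not in the B2C token, so read it via Graph.
        resp = self.transport("GET", self._user_path(object_id) + "/memberOf",
                              self._headers(), None)
        return sorted(m["id"] for m in resp.get("value", [])
                      if m.get("@odata.type") == "#microsoft.graph.group")

    def set_role(self, object_id, role):
        # Option 2: store the role on the user so a custom policy can emit it as a claim.
        attr = extension_attribute_name(B2C_EXTENSIONS_APP_ID, "Role")
        self.transport("PATCH", self._user_path(object_id), self._headers(),
                       json.dumps({attr: role}))
        return attr


def fake_transport(method, url, headers, body):
    """Constructed stand-in for Azure AD and Microsoft Graph (offline only)."""
    if url.endswith("/oauth2/v2.0/token"):
        if "grant_type=client_credentials" not in body:
            raise AssertionError("wrong grant")
        return {"token_type": "Bearer", "expires_in": 3599, "access_token": "eyJ...constructed"}
    if headers.get("Authorization") != "Bearer eyJ...constructed":
        return {"error": {"code": "InvalidAuthenticationToken"}}
    if method == "GET" and url.endswith("/memberOf"):
        return {"value": [
            {"@odata.type": "#microsoft.graph.group", "id": "g-admins"},
            {"@odata.type": "#microsoft.graph.directoryRole", "id": "not-a-group"},
        ]}
    if method == "PATCH":
        return {}
    raise AssertionError(f"unexpected call {method} {url}")
```

The secret never leaves the backend; the app only presents its own B2C-issued token to this service, which maps the token's object id to the Graph calls. The memberOf filter on `@odata.type` matters because the endpoint also returns directory roles and administrative units, which are not application groups.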
How can I implement a native custom login (and register) screen that connects towards a Microsoft Azure AD B2C?
This is the setup:
I have a mobile application developed in Xcode/Swift that...
...needs to register and log in (new) users against an Azure Active Directory B2C (notice the B2C here, as there are also other AD solutions by Microsoft)
The solution that Microsoft offers can be found here: https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msal. But this opens a Safari window, which is not the user experience I am looking for:
Instead I want to build a native login screen (UIViewController) with my own layout and design, but still want to use the Azure Active Directory B2C.
How could this be done?
For sign-in, you can implement a native page that integrates with a resource owner password credentials policy in the Azure AD B2C tenant, which will enable a user's credentials to be POSTed to the Azure AD B2C tenant for validation:
POST /tfp/yourtenant.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token HTTP/1.1
Host: yourtenant.b2clogin.com
Content-Type: application/x-www-form-urlencoded
grant_type=password&
username=leadiocl%40trashmail.ws&
password=Passxword1&
scope=openid+bef22d56-552f-4a5b-b90a-1988a7d634ce+offline_access&
client_id=bef22d56-552f-4a5b-b90a-1988a7d634ce&
response_type=token+id_token
For sign-up, a client credential is required to request an access token for the Azure AD Graph API to create an Azure AD B2C user, so if you are wanting to implement a native page then you will have to consider also implementing a backend/proxy API that protects the client credential.
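As an added example (not code from the answer above or from Microsoft), here is what the native client's side of that ROPC exchange looks like: building the form-encoded request exactly as shown in the answer, and then handling the token response, including the claim checks a client should do on the returned id_token once its signature has been verified against the policy's JWKS (signature verification is left to a JWT library and is not shown). The tenant, policy and client id are placeholders, `constructed_id_token` builds an unsigned token purely so the example runs offline (real B2C tokens are signed), and treating the `tfp` claim as carrying the policy name is an assumption based on B2C's token format.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Assumed placeholders, not real values.
TENANT = "yourtenant"
POLICY = "B2C_1_ROPC_Auth"
CLIENT_ID = "bef22d56-552f-4a5b-b90a-1988a7d634ce"


def ropc_request(username, password, client_id=CLIENT_ID, tenant=TENANT, policy=POLICY):
    """Request against the B2C ROPC policy endpoint, in the same shape as the
    answer. Credentials travel in the POST body over TLS, never in the URL."""
    url = f"https://{tenant}.b2clogin.com/tfp/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": f"openid {client_id} offline_access",
        "client_id": client_id,
        "response_type": "token id_token",
    })
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(jwt):
    """Payload of a compact JWS. Only for use after signature verification."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token(id_token, client_id=CLIENT_ID, policy=POLICY, now=None):
    """B2C-specific claim checks: the token must be for this app, must have
    been issued by the expected policy, and must be inside its validity window."""
    claims = unverified_claims(id_token)
    now = time.time() if now is None else now
    if claims.get("aud") != client_id:
        raise ValueError("aud mismatch")
    if claims.get("tfp") != policy:
        raise ValueError("issued by a different policy")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nbf", 0) > now:
        raise ValueError("not yet valid")
    return claims


def handle_token_response(resp_json, now=None):
    """Returns (status, claims): 'ok', 'rejected' (B2C refused the credentials;
    show a generic message, do not echo error_description to the user) or
    'invalid' (a token came back but failed the claim checks)."""
    if "error" in resp_json:
        return "rejected", None
    try:
        return "ok", check_id_token(resp_json["id_token"], now=now)
    except (ValueError, KeyError):
        return "invalid", None


def constructed_id_token(claims):
    """Builds an UNSIGNED (alg "none") token for this offline example only.
    Real B2C id_tokens are signed; never accept alg "none" in production."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Caveats worth weighing before building on this: the ROPC policy only works for local accounts (no social identity providers), it cannot do multi-factor authentication, and the app itself handles the raw password, which is why Microsoft's guidance steers towards the browser-based flow wherever possible. The sign-up half still needs the backend described in the answer, since the client credential used for the Graph call must not ship inside the app.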
I'm trying to build a setup where my Xamarin forms app authenticates with Facebook, and when done gets a token from the Azure AD B2C to use when requesting data from my API.
So far I have native Facebook login up and running, meaning no web UI login; it uses the user's Facebook app and I get the Facebook access token. This is the one I want to use when requesting a token from Azure AD B2C.
My issue now is how I should integrate this with Azure AD B2C. I want the API to be protected using Azure AD B2C and that part is enabled too, but I need the app to request a token before it can access my API. This is the part where I'm not sure if it is possible yet, without letting Azure AD pop up with some UI...
At this time, Azure AD B2C does not support acknowledging authentication that occurred outside of B2C.
You should request support for the Facebook SDK and/or, more broadly, for swapping tokens obtained outside of B2C for B2C tokens via the Azure AD B2C feedback forum.
When using Facebook as the IDP for Azure AD B2C, it appears that B2C isn't using the FB SDK correctly.
Using FB's guidelines found here, I would expect scenario 2 and 3 below to log out of Facebook:
1. A person logs into Facebook, then logs into your app. Upon logging out from your app, the person is still logged into Facebook.
2. A person logs into your app and into Facebook as part of your app's login flow. Upon logging out from your app, the user is also logged out of Facebook.
3. A person logs into another app and into Facebook as part of the other app's login flow, then logs into your app. Upon logging out from either app, the user is logged out of Facebook.
When we log out of our application, Facebook is staying logged in, which is NOT the desired behaviour.
A similar question was asked previously on TechNet.
Is there a way to make this happen, or is this feature on the B2C roadmap?
Azure AD B2C does not support signing you out from the external identity provider, be it Facebook, Google or a custom OIDC/SAML/WS-Fed identity provider. It only signs you out from Azure AD B2C.
Currently, Azure AD B2C does not disambiguate whether you were already signed-in to the external identity provider or signed in to it as part of signing in to Azure AD B2C, so it can only either always keep you signed in or always sign you out. The latter option is rather invasive, thus Azure AD B2C opts for keeping you signed in, which is in line with Facebook's #1 guideline.
You can request support for this more advanced detection and sign out logic via the Azure AD B2C feedback forum.
Note: This question is similar to: Azure AD B2C OpenID Connect single logout with WS-Federation and SAML claims provider
I'm comparing the new AD B2C features with the social authentication ability in Azure web services. Using the AD B2C approach I can't seem to find a way to access the underlying access token from a social provider like Facebook.
E.g. in Azure Web Services social authentication there was an http://example.com/.auth/me endpoint that would provide BACK the token to access the social provider's api.
Is that not available in B2C? If not that seems like a step backwards.
From what I can see, the answer is no (although I wish there was a way).
See this:
https://blogs.msdn.microsoft.com/appserviceteam/2016/06/22/app-service-auth-and-azure-ad-b2c/
OAuth Tokens: With Easy Auth, the application code has direct access to the provider-specific OAuth tokens. This is useful if you want to make graph API calls on behalf of the logged-in user (for example, calling the Facebook Graph to post a photo to the user’s timeline). B2C, however, does not expose the provider OAuth tokens to your application code.