I have setup a azure ad b2c service to sign up/ sign in my users and have used third party identity providers google and microsoft. After successful logging in, I get idp_access_token
back from b2c service. Can I use this token to directly connect to google and microsoft api
as azure docs mention, this token is issued by identity providers and returned as claims by b2c service. But the idp_access_token doesn't seem to be a valid access token and no claims are included in it.
To get a valid "idp_access_token", please check if you have to set "v2.0" in the metaurl of the OpenId Identity Provider Configuration:
https://xxx.b2clogin.com/xxxx.onmicrosoft.com/v2.0/.well-known/openid-configuration
We maynot be able to edit metadeta url of already created one .So try create new one with "v2.0" in metaurl.
When a user signs with identity provider, like google or Facebook, your app gets the identity provider's access token passed in Azure AD B2C token.This idp_access_token can be used call the identity provider’s API, such as the Facebook Graph API i.e;Usually the embedded IdP access token is used to call the services that the IdP hosts. For details see Pass an access token through a user flow to your application in Azure Active Directory B2C.
Reference: techcommunity.microsoft.com blog
Note :
Azure AD B2C supports passing the access token of OAuth 2.0 identity providers, which include Facebook and Google. For all other identity providers, the claim is returned blank.
Even if idp_access_token claim is a valid JWT, it cannot be used to access Microsoft Graph or other additional scopes. As usually the
embedded IdP access token is used to call the services that the IdP
hosts. But Microsoft Graph data is hosted in Azure AD and not in
Microsoft Account side.
You can check this microsoft document to Set up sign-up and sign-in with a Facebook account using Azure Active Directory B2C or with a Google account using Azure Active Directory B2C
References:
Using Azure B2C login to access Microsoft Graph is the social login is a Microsoft account
Related
I am getting this error when configuring an asp.net core app to use Azure AD B2C authentication with Microsoft Account as external identity provider.
AADSTS70000121: The passed grant is from a personal Microsoft account and is required to be sent to the /consumers or /common endpoint.
As per my findings on SO and Microsoft documentation on the same, it points to use following as authority
in appsettings.json:
"Authority": "https://login.microsoftonline.com/common",
The common endpoint is suggested by Azure AD b2c
documentation when you use Microsof Account as an identity provider.
While registering an application in Azure AD b2c tenant, I use following as Supported account types:
Accounts in any identity provider or organizational directory (for authenticating users with user flows)
So seems all is configured properly but still error suggest that I am not using common endpoint which in fact I am using it.
Links I followed:
How to acces AzureRM with a AzureAD Multi-Tenant App using personal Microsoft account?
Error getting SAML Metadata for Azure AD B2C Policy - AADB2C90022
I'd like to start with a Google Service Account credential (either opaque access token or ID JWT) and end with an Azure B2C credential. Is something like this possible with Azure? I'm not seeing any APIs for doing it: https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect
Note: this is conceptually similar (but different in terms of target identity) from another question I asked earlier:
Impersonate Azure Service Principal from a Google Service Account
EDIT: Our use case for this is exchanging Google Service Account credentials that represent an untrusted client (e.g. a user in the system), for a user token in Azure B2C. Unfortunately, this eliminates the client credentials flow, as mentioned in the comments.
Azure AD B2C only supports interactive federation flows with other identity providers.
Google service accounts are non interactive authentications. The only way AAD B2C can pass these credentials to Google would be through its REST API interface.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile
The credentials would need to be hard coded into the policy or through AAD B2C “policy keys”.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api?tabs=windows&pivots=b2c-custom-policy
From what I can see, AAD B2C REST API interface doesn’t support an authentication method that Google needs. So I would conclude it’s not possible.
I'm using an App Service with EasyAuth, integrated with B2C. Within B2C I've configured the OpenID Connect provider to point back to our corporate AAD tenant. The user journey and authentication are working as desired, however the user's sub and oid that are returned to EasyAuth contain the id of the user's B2C object, not from originating AAD tenant as I'd hoped. Anyway around this? Are custom policies needed?
Also referenced here on the B2C docs site:
https://github.com/MicrosoftDocs/azure-docs/issues/14209#issuecomment-459063758
Thanks
Yes, you will need to use a custom policy to pass the oid of the AAD user (from the AAD token) as an additional claim in the B2C token.
Can Azure AD B2C pass the "UserName/Email and Password" entered by end user to a third party trusted application for credentials validation and get the claims for the user on successful credentials validation by the App?
This scenario arises because, some of my users are in Azure AD B2C and some of the users are maintained in the custom user store and can't be moved to Azure AD B2C due to business reasons. Yet i want to provide same sign-in experience for both users.
The Wingtip sample contains an example of this integration.
See the "ClassicAccount" claims provider for reference.
This claims provider, which is implemented by a REST API, is integrated in to the sign-in user journey to sign users in using logins that are external to the Azure AD B2C directory.
Code for the REST API can be found in the same repository.
We have an application that uses multiple IDP for authentication. We receive a SAML token with some extra claims where we authenticate on. We also want to use Azure AD as a trusted IDP, but how can our customer add the required claims to their returned SAML token?
There is no option to add claims to the Azure AD generated SAML token. To do this you have to add your application to the Azure AD Application Gallery. For Azure AD premium user this can be done for your own applications that accept SAM.
For non Azure AD premium user you have to add your application to the Azure AD Gallery, see https://azure.microsoft.com/en-us/documentation/articles/active-directory-app-gallery-listing/.