I am building a Blazor Server web app that will have locked features only accessible via paid subscription (payment handled with stripe).
I am using Azure AD B2C for user management/authentication.
I also have an Android and iOS app built with Xamarin, from which users will be able to subscribe to the service (payment handled with Android/iOS built-in payment service), and therefore have full access to the web app.
What is the right approach to save the fact that a user has completed payment, and retrieve that data on future sign up ?
I read about custom attributes in Azure AD B2C, so maybe I should build the system on top of Azure AD B2C, but I am not sure it is the appropriate approach for this use case.
Thanks in advance
Yes, you could use a custom policy and custom attributes if you have a simple system where you just want to store a value and deny access during login if the value is not set.
For anything more complicated, rather store all the details in a DB and access it via a REST API.
Update
You can access the attribute direct from custom policies. You just read and write it like any other attribute.
If you want to use the Graph API, be aware the name is different.
Related
Users in Azure Active Directory Azure
App Services for WebSite and Services
I am creating a Web Site that a Manager would authenticate with using an Azure Active Directory account. That website would offer up sales data on the staff they manage.
The service that returns the sales data for staff member A will be being called on behalf of the manager.
My question is what is the correct way to flow the "identity" of the logged in manager through the calls to the various services.
Do I simply protect the services with a System Level authentication at the level of the website and pass the manager's user identifier as a parameter in the request?
OR
Do I try and flow the oauth identity onward to the services so that they are called in the security context of the manager? If using this approach how would I do that?
In my opinion, if the your business doesn't have a high security requirement, the first option is great. But if you want higher security, you can use second option.
For second option, you need to register an application in your azure ad for your app service. Follow steps on this page. And register another application in AD to represent client app by following these steps. Then go to your client app and grant permissions to allow the client-app to call the backend-app. After that, the manager need to get access token before request the api in your app server to return sales data.
This Azure sample shows exactly what we want to acheive with an ASpNet Core Web Site calling own AspNet Core Service secured with our Active Directooy organisation
I am having some issues getting it to work but this sampple is what I was hoping for from asking this qeuestion. FWIW here is the seperate question covering the specific issue I am having implementing the sample, Why Http 401 when calling AspNet Core API secured with AAD. Our WebApp, Web API and AD Org
As part of "new customer onboarding process", we are going to develop custom application using Azure AD Graph API for synchronizing 3rd party tenant active directory user and group data with in our application’s data store.
What azure container should be best fit to hold custom business logic above requirement?
What authentication is required to connect & query 3rd party tenant?
Azure AD Graph API or LDAP query which is efficient/best fit ?
How any user or and group data changes in 3rd party tenant active directory will be notified to my custom application in order to sync up our application’s data store? Is it possible in LDAP approach?
We are in investigation phase
What azure container should be best fit to hold custom business logic above requirement?
This is quite a broad question, and one I cannot answer definitely.
But Web Jobs or Durable Functions could work.
What authentication is required to connect & query 3rd party tenant?
If this is like any tenant who starts using your app, then you'd register a multi-tenant app in your AAD and require application permissions to Read all users' basic/full info from Microsoft Graph API.
You then need to provide a functionality to the 3rd party tenant admin to consent to those permissions.
This means you'd need to redirect them to login to your app, at which time they'll be asked for permissions.
The topic of consent alone is a bit complex, the documentation is here though: https://learn.microsoft.com/en-us/azure/active-directory/develop/consent-framework.
Your app can then use Client Credential authentication in the background to get an access token for MS Graph API and do the sync / register for change notifications.
Azure AD Graph API or LDAP query which is efficient/best fit ?
Neither, use Microsoft Graph API.
How any user or and group data changes in 3rd party tenant active directory will be notified to my custom application in order to sync up our application’s data store?
You can get change notifications: https://learn.microsoft.com/en-us/graph/api/resources/webhooks?view=graph-rest-1.0.
But you'll probably need to make a full sync as well so that all works in case you miss some updates.
The simplest solution is just a full sync that runs on a schedule.
It isn't fast or efficient but it is quite reliable.
This is basically a follow up to my prev question - https://stackoverflow.com/a/44738654/2896495. I've implemented an Azure B2C sign up and auth in my web app (.NET Core 2.0) and now I want to add a custom sign up logic with Graph API (as described here - https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet).
But I'm confused about app registrations. For B2C auth I created an app in the Portal under Azure AD B2C -> Applications. Now, in order to use custom sign up logic I need another app registration under Portal -> App Registrations -> New Application Registration (where I can grant necessary permissions to Azure AD, like Read and Write directory data).
So, if I need auth AND custom sigh up, how should I set up my app? What's the right way of doing this?
For simplicity's sake, as well as a healthy separation of concerns, I would indeed make a separate app for the custom sign-up. It doesn't have to be a full-fledged app, a microservice that does the sign-ups for the main B2C app would be fine.
If you want to use the custom attribute to implement the custom sign up process, you need to register two apps as the document you mentioned in the post. One app is for integrating with Azure AD B2C for login, and the other is using the Azure AD Graph to query the custom attribute.
After that, you can using the Azure AD Graph REST to query the relative info and handle your own business logic in the web app. And to query the extension info, we just need to query the user info like below:
If you are just trying to have your own look and feel, as opposed to the default templates with your logos and other branding, then look into providing a template for UI customizations:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization
Also, see this other answer to a similar question:
Azure AD B2C UI Customization
If you are trying for a whole different workflow, the you will want to create a custom policy.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom
Or if that does not work, then I guess you could just use the GraphApi, but that is the most laborious of options and completely destroys the entire purpose of using B2C in the first place. I do not recommend this approach.
Update:
I would not do everything you want to do in a custom policy. Separating the signup into it's own application/service would be a great approach (as #camsoper suggested), but only use the policies for the bare amount needed to create the initial account or authenticate an approved user. I've never used a policy to change the "accountActive" attribute, but I would be inclined to use the GraphApi to modify the user profile after the account is created by using the "NewAccount" attribute to key off. There is a "Block sign in" setting on a users profile in the azure portal which can be used to restrict access (and the signup application could set the default after the account is created), but I'm not sure if that corresponds to the "accountActive" attribute or not (yet).
Most of the administration you've described can be done in the azure portal, such as changing the "Block sign in" setting on a users profile can be used to restrict access (and the signup application could set the default after the account is created). If there is some capability that the portal does not offer, I would put that into a separate application. Avoid duplicating functionality in your customized admin app, and instead just redirect the admin to the users profile in "portal.azure.com".
https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserDetailsMenuBlade/Profile/userId/{objectId}
Note: there may be some issues with that URL template if the admin has access to more than one Directory for her account. It will try to pull up the directory that her account was created on by default.
my question is similar to question Multi-Tenant app - OneDrive Business API
but i want my application to access the one drive from tenants of other different azure subscription, is it possible? i understood that if i register my application and mark it as multi-tenant, it will allow me access the tenant in my azure subscription, but if i want to access the tenant using the same application but in different azure subscription whats the way.
What’s kind of authentication flow are you using? Normally, we use the Authorization Code Grant Flow that the user delegates access to a web application. In this scenario, to enables the users on other tenants to login the website and access their Office 365 resource, we only need to enable the multiple-tenant app on the Azure portal.
but if i want to access the tenant using the same application but in different azure subscription whats the way.
It depends on which REST you were using. It is same as we are call the REST API for the single tenant app if we are using the Microsoft Graph to query the OneDrive for business. The endpoint of the list children of a driveItem is still like below no matter which tenant the user login:
GET https://graph.microsoft.com/v1.0/me/drive/root/children
GET https://graph.microsoft.com/v1.0/me/drive/items/{item-id}/children
GET https://graph.microsoft.com/v1.0/me/drive/root:/{item-path}:/children
If you were using the Office 365 REST API, we need to discover the service endpoint. You can refer to here for more detail about Office 365 Discovery Service REST API.
Depending on the permissions that you need normally the tenant admin of the other tenant has to add the application to their own Azure AD. With the newer app model v2 this is quite a lot easier as the admin can simply give consent once in the normal consent screen for the entire tenant. See here for a mor elaborate explanation of how this would work.
I want to store user information to a db after a user successfully logged in via a social provider (google, facebook, etc.) without calling an extra api on the client side.
In azure mobile services this is done by creating a class that inherity from e.g. GoogleLoginProvider and then by overwriting the CreateCredentials method.
See this post: Save information immediately after Google login in Azure Mobile Services (.NET Back-end)
But how can I archive the same behaviour in Azure App Services?
Thanks
Unfortunately this is not possible with App Service authentication. The authentication happens outside of your application and there aren't currently any direct hooks into the authentication pipeline. This also means you will not be able to inject custom claims into the ClaimsIdentity.
We are aware of some of these scenarios and want to try and address them, but don't have any timelines to share at this point. I believe the separate API call into the backend will be required in order for you to implement your registration. As far as implementing role-based access control, you will likely need to store the additional user metadata elsewhere.