I have SPA made by react.
And user authentication is done with Azure AD B2C.
Right now, we are trying to figure out a mechanism to get an access token to access the backend after a user logs in.
The backend is Azure functions.
I think it is set up through "Application Registration" in Azure AD B2C, but I don't know the details.
I see that there is an azure functions URL
http://[yourapp].azurewebsites.net/api/[funcname]?code=[functionkey]
but where should I set it?
Please tell me...
No, functionkey is an authorization at the function level, it has no relationship with Azure AD B2C. You need to add some code to send the received bearer token against Azure AD to validate it.
There's a full sample about how to do it in here: https://medium.com/cheranga/azure-functions-validate-azure-active-directory-tokens-using-your-own-custom-binding-4b4ff648d8ac
Related
I configured a new Azure AD B2C Tenant for testing purposes. I am trying to follow the example to use Azure AD B2C with Android.
https://github.com/Azure-Samples/active-directory-b2c-android-native-appauth
I created beside the B2C Tenant already a User Flow for the login.
During the authentication flow the app wants to read the "well known openid configuration" for my User Flow
https://login.microsoftonline.com/geomobilestage.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_login_signin
but the URL returns a 404 error. But when I try the following URL to read the configuration I receive http status 200
https://geomobilestage.b2clogin.com/geomobilestage.onmicrosoft.com/B2C_1_login_signin/v2.0/.well-known/openid-configuration
The URLs are public so everyone can try to call them in the browser to see the result.
So the configuration itself exists and seems to be ok. I have already another Azure AD B2C tenant and when I try to call the first URL for this tenant everything is fine. It seems to be that I am missing some configuration in the Azure portal but I really have no idea what I am missing and even where to look.
Regards
Michael
For Azure AD, see here:
https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
For Azure AD B2C, see here:
https://{domain-name}.b2clogin.com/{domain-name}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration
The key thing here is to realize that the b2c config endpoint has a reference to a policy in it, otherwise it’s likely AAD.
I am a bit confused by the wording on the announcement for the deprecation of login.microsoftonline.com for "B2C tenants".
New tenants created after this announcement will no longer be able to accept requests from login.microsoftonline.com.
My main concern is: How will this affect the client credentials grant? As far as I can see, this is only supported via login.microsoftonline.com.
Although client credential flow is not currently supported by Azure AD B2C, you can set up client credential flow using Azure AD. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants. The client credential flow is supported using the Azure AD functionality of the Azure AD B2C tenant.
Will the "Azure AD functionality" continue to work with login.microsoftonline.com indefinitely? If so, where can I draw the line of what this actually means?
I have created a new B2C tenant after the announcement. So far, everything works, even the B2C user flows via login.microsoftonline.com. The only difference at the moment is that I don't get the domain selection when I click on "run user flow".
My current understanding would be that "everything that uses B2C policies must use b2clogin.com" - everything else must continue to use login.microsoftonline.com.
Without policy:
https://login.microsoftonline.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token => working URL
https://mytesttenant.b2clogin.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token => 404
With policy:
https://login.microsoftonline.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_signupsignin => working URL
https://mytesttenant.b2clogin.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_signupsignin => working URL
(my tenant is not actually named mytesttenant)
I think you will still be able to use client credentials flow in Azure AD B2C tenant.
The deprecation of login.microsoftonline.com just affects the Azure AD B2C functionality.
However, the client credentials flow is an Azure AD functionality, it should not be affected, the B2C tenant just shares the functionality with the normal Azure AD tenant.
I have created a new B2C tenant after the announcement. So far, everything works, even the B2C user flows via login.microsoftonline.com. The only difference at the moment is that I don't get the domain selection when I click on "run user flow".
I suppose we can but we should not do this, as the UI has been changed, MS should not want the new users(create B2C tenant after the announcement) of Azure B2C to use login.microsoftonline.com, the implementation has not been changed, it will give other users a transition period.
I got an official answer back via Github.
Use of b2clogin.com is enforced for b2c functionality only. Client Credentials flow is not supported for B2C Applications. Since the App registered via App Registration under Azure AD B2C, can also be used for standard Azure AD as well which supports Client Credentials flow. For standard AAD functionality, use of b2clogin.com is not applicable and requires login.microsoftonline.com only.
For more details, refer to: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-apps#daemonsserver-side-applications
I would like to set up authorization in a dotnet web api project using Azure B2C with device code flow.
I have successfully set up this sample https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapi with my Azure B2C tenant and my custom signin policy. I can obtain an access token using Postman if I select the OAuth 2.0 authorization type.
Now I would like to use Postman to obtain an access token and call my API using device code flow. The problem is I can't find any documentation or sample on how to do this. The docs show how to do this using a regular Azure tenant, not a B2C tenant having a custom singin policy.
I can obtain a device code using Postman and go to https://microsoft.com/devicelogin and use that code, but I can't log in using the users I set up in my B2C tenant. Also, I can't find any way to make it use my own custom signin policy defined in my B2C tenant.
Is there any way to use device code flow with an Azure B2C tenant?
Based on the documentation https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc it is not supported.
Only authorization code/hybrid/implicit flows are supported.
I have an API which is set up with "Azure AD B2C" authentication. I want to access my API from an Azure function. However, Azure Ad B2C has few limitations. I think I cannot get "Azure AD B2C" token without user interaction. My Azure function is running in a scheduled mode and will not have any user interaction. B2C documentation says "Daemons/server-side apps" are not supported with Azure AD B2C. Can someone help me how do I resolve this?
One of my colleagues was thinking that we should also let the API accept "Azure AD" token. Since "Azure AD" offers client credential flow. But I am not sure if we can make the API accept both "Azure AD B2C" and "Azure AD" authentication at a time. Also, I am not sure if this is even a good idea
You are correct, B2C requires user interaction to receive a token*.
But I am not sure if we can make the API accept both "Azure AD B2C" and "Azure AD" authentication at a time.
Yes, you can do this (I will find a sample or create one).
Also, I am not sure if this is even a good idea
I don’t see why not. You are saying you have multiple STS’s you trust, nothing wrong with that.
*The ROPC flow is in private preview but from what I’ve read I wouldn’t use it.
I have an application that authenticates users agains Azure AD using OAuth and I want to provide the ability to setup certain information associated to each user by his admin in Azure AD, so I can read it as part of the authentication process. I would also like to be able to use the claims functionality provided by Azure ActiveDirectory so the admin can define custom mappings between user attributes in his AD and what I am going to read, as explained here.
Apparently those claims can only be read from a SAML token that would be the result of a SAML authentication, but since I am already authenticating using OAuth I would like to avoid having to do that. My question therefore is: can those SAML tokens or the information contained in them be obtained somehow either as part of the OAuth authentication process or afterwards?
When you say "provided by ActiveDirectory" you mean Azure AD not on-premises AD?
There is no way currently to add claims to the token in Azure AD. They are "canned".
That link you refer to is for SaaS application in Azure.
The way to get information out of Azure AD is via the Graph API.