I would like to implement JWT SSO for Zendesk with Azure AD B2C custom policies. For some internal reasons, we cannot use SAML.
My problem is Zendesk requires that the return URI respect the format
https://yoursubdmain.zendesk.com/access/jwt?jwt={payload}
But by default, using Microsoft samples, the return uri is :
https://yoursubdmain.zendesk.com/access/jwt#id_token={payload}
I am new user of custom policies, I have no idea how I can change the format of the Redirect URI.
You cannot change the way AAD B2C return the tokens in the query parameters. You might have to build a proxy to transform the response from AAD B2C and send it to zendesk. Or use SAML.
Related
I am creating a custom policy to use Azure B2C as an IdP to integrate with a legacy auth service. The legacy service and the new IdP share a secret.
The legacy auth service has a custom authentication flow and requires that an HMACSHA256-based challenge token is sent to it as part of its Auth process using the shared secret as the key.
I am unable to find a way to create/transform a token to an HMACSHA256-based output claim. What are the recommended patterns to address a situation such as mine?
I tried https://learn.microsoft.com/en-us/azure/active-directory-b2c/general-transformations#hash
but the computed hashes do not match.
Azure AD B2C doesn't create or transform HMACSHA254 token.
Also, it is not possible to do transformations on the resulting token. Claim transformation will only apply to claims in the claims bag.
While creating a custom IDP for my Azure AD B2C service I get the following error:
I did validate the JSON content for the JWKS endpoint on an online json lint and it validated it fine. Is there any specific expected format of the JSON content?
You should be providing the well known OIDC endpoint. The JWKS URI is referenced from within the well known OIDC endpoint.
I would like to set up authorization in a dotnet web api project using Azure B2C with device code flow.
I have successfully set up this sample https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapi with my Azure B2C tenant and my custom signin policy. I can obtain an access token using Postman if I select the OAuth 2.0 authorization type.
Now I would like to use Postman to obtain an access token and call my API using device code flow. The problem is I can't find any documentation or sample on how to do this. The docs show how to do this using a regular Azure tenant, not a B2C tenant having a custom singin policy.
I can obtain a device code using Postman and go to https://microsoft.com/devicelogin and use that code, but I can't log in using the users I set up in my B2C tenant. Also, I can't find any way to make it use my own custom signin policy defined in my B2C tenant.
Is there any way to use device code flow with an Azure B2C tenant?
Based on the documentation https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc it is not supported.
Only authorization code/hybrid/implicit flows are supported.
We created an application in Azure B2C to use the OIDC implicit Grant flow. We have configured the Userflow policy(SignIn and SignUp) to customize the homepage layout and to get the custom claims in response. We are using Azure B2C as External Identity Provider (IdP) in our application. When user clicks the Login Button in our application we are redirecting the user the Azure B2C for Authentication and we are able to get the Access Token in response. But we are facing constrain in Getting the User Profile through the UserInfo enpoint. We have tried out both the Graph API endpoint and Azure B2C OIDC userinfo enpoint but neither of them are compatible with the Userflow policy.
I believe the workaround suggested is applicable only if we need to grab some extra input from user (during sign-up) or input validation and then pass that claim to application. It will unnecessary require using "Identity Experience Framework" feature which is ideally required for custom login/signup journey and is not available under free license.
What I understand from you requirement is you need to pass built-in Azure AD attributes to application and which shall be doable by selecting extra claims from "User Flow" signup-SignIn policy. Is not there any alternative to make call to "userinfo" endpoint out of box ?? Any Microsoft expert here, please clarify.
As of now, Azure AD B2C does not support the UserInfo endpoint through User-flow policy.
Right now, it is being supported only through Custom Policies.
You can vote for this feature on Azure AD User Voice.
A workaround is that you could integrate a Rest API to retrieve the extra claims.
See reference here.
I'm using an App Service with EasyAuth, integrated with B2C. Within B2C I've configured the OpenID Connect provider to point back to our corporate AAD tenant. The user journey and authentication are working as desired, however the user's sub and oid that are returned to EasyAuth contain the id of the user's B2C object, not from originating AAD tenant as I'd hoped. Anyway around this? Are custom policies needed?
Also referenced here on the B2C docs site:
https://github.com/MicrosoftDocs/azure-docs/issues/14209#issuecomment-459063758
Thanks
Yes, you will need to use a custom policy to pass the oid of the AAD user (from the AAD token) as an additional claim in the B2C token.