I have a use case to integrate “ADB2C” with a “Java application” for user authentication, and we are using the Microsoft MSAL libraries in the integration.
And here is the scenario that I’m facing currently: once a user navigates to the Java web application and hits the “Login” button, the user is redirected to the B2C sign-in page, the user is authenticated successfully and we receive an access token successfully.
But after the user has logged in and tries to access an authenticated app on the website, it asks the user to log in again, which is unexpected.
Please suggest to me on this scenario whether the changes have to be made on the code side or on the B2C custom policy side to overcome this issue. I really appreciate your time in considering this.
Good afternoon experts,
I have a Django web application (it is not internet-facing) and so far I used django.contrib.auth.backends.ModelBackend to authenticate the users.
However, I want to integrate this web app with an existing SSO solution (like Azure AD), so I thought python3-saml would be a good library to use (more specifically I use python3-saml-django, but it is just a wrapper around python3-saml).
Probably I am missing some fundamental point, as I don't really understand how this should work.
When I used ModelBackend I had a login form where the user could type their username and password, which were checked against the Django database, and the authentication was completed. Should the same work with SSO too? I.e. the login form appears, the user types their credentials, but they are checked in Azure AD instead of the Django auth tables? Or should the custom login form of that specific auth solution (in this case Azure AD -> the Microsoft login form) be displayed...?
The LOGIN_URL setting is configured in my Django app, so if no user is logged in then my login form appears automatically.
I also set the AUTHENTICATION_BACKENDS setting, and it points only to django_saml.backends.SamlUserBAckend.
I configured Azure AD (registered the app and added a user, and I tested it in the Azure AD console), hopefully correctly. I also populated python3-saml's settings.json with the login/logout URLs, etc.
Whenever I try to log in with the Azure AD user I get an auth error (the user and password did).
I am just wondering if somebody could shed some light on how this should work? Can I debug the SAML requests/responses?
Auth is token-based in Azure AD, and it will redirect the user to the Microsoft login. You will receive an auth token which you can then use for authorization and for providing secure pages.
First register your app in the Azure portal in Azure Active Directory and also create a user flow.
Then download MSAL for Python (using pip), which is used for auth with Azure AD in Python.
The basic architecture is that when the user tries to log in, the Microsoft login page will be shown; after signing in, your app will receive a token which you should then use to show the logged-in pages.
References:
quickstart for auth in python
userflow
MSAL Library
According to the documentation here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-profile-editing-policy?pivots=b2c-custom-policy, the profile edit flow will show the sign-up or sign-in page if there is no active session. If the session is active, then Azure AD B2C authorizes the user and skips to the next step.
However, if I understand correctly, this 'session' would be in the form of a cookie, right? If that's the case, what would happen with mobile apps?
Mobile apps don't use cookies. After logging in, they only have the ID token, access token and refresh token. So if a user logs in on an app and then wants to do a profile edit flow, how would the app tell the browser that the user is already logged in?
If you are using the web view redirect flow, a cookie is set in the web view, which then gives SSO for profile edit. You don’t need to configure anything in B2C to make it behave like this; it’s the default.
I have created an Azure AD B2C custom sign-in policy with the KMSI (keep me signed in) option, and I am using it in a Blazor Server application.
But automatic sign-in is not working after the browser is closed; I need to click the 'Login' button.
After clicking the login button there is no need to enter credentials again if the KMSI check box was checked at the time of the previous sign-in.
But I want to be signed in automatically if the KMSI check box was checked at the time of sign-in.
Could you check whether the authorization request the app sends to Azure AD B2C contains the prompt=login query string parameter? If so, please make sure to remove this parameter.
This is expected: your app cookie is not persisted, so the app has no idea you’re still logged in at B2C. Therefore you have to click login in the app, and then you get SSO through AAD B2C.
You could maintain a cookie set by the app to automatically send the user via the login endpoint if they had signed in previously with KMSI. You can use a claims resolver to send the KMSI claim into the token so your app can understand that the user logged in with KMSI.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview
I tested the KMSI functionality on my side, and I can repro your symptom. My test is based on this demo: https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi
This is my test process:
Register a local account.
Log in with this account and enable KMSI.
I logged in successfully:
Close the browser, reopen it and go to my app index. My index page is allowed to be visited anonymously, so it does not know who I am. I think this is the issue that you are concerned about:
But when I click the “Claims” tab, which requires users to be authenticated, it redirects to my B2C domain:
As I enabled KMSI, there is a cookie under my B2C domain:
As this cookie exists, B2C will provide me with the resource I requested: the B2C side sends a request to the redirect URL with the ID token and code:
Finally, it redirected to the “Claim” page and this app knows who I am:
In a word, there are two kinds of sessions here: a session between the user and B2C, and a session between the user and your application.
Once you close your browser, by default you will lose the cookie that identifies the user on your application, so when users access a page of your app that needs no auth after reopening the browser, there will be no cookie and your application will not know the user. But on the B2C side, the cookie will be persisted there due to KMSI. Only when users request some functionality that needs authentication on your app will users be redirected to the B2C domain, and B2C sending the users’ information to your app is what makes KMSI work.
In my opinion, extending the lifetime of your application cookie may be a solution here. At the same time, you also need to extend the session timeout to make sure that your application recognizes that long-lifetime cookie. But as we know, it will consume a lot of server RAM if it holds lots of sessions.
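One way to act on the two-session point above and on the earlier suggestion to carry a KMSI claim into the token, as an added example that is not code from the Azure sample or from any of the posts: the app issues a persistent session cookie only when the B2C ID token says the user chose KMSI, and otherwise a browser-session cookie. The claim name `kmsi` and the lifetimes are assumptions.

```python
"""Added example: choose the app-side session cookie lifetime from a KMSI
claim in the B2C ID token.  Not the sample app's code; claim name assumed."""
import base64
import json
from http.cookies import SimpleCookie
from typing import Tuple

KMSI_CLAIM = "kmsi"                  # assumed output claim name emitted by the policy
SESSION_SECONDS = 30 * 60            # no KMSI: browser-session cookie, 30 min server timeout
KMSI_SECONDS = 30 * 24 * 3600        # KMSI: persistent cookie matching a longer server session


def id_token_claims(id_token: str) -> dict:
    """Decode the payload of an ID token that the OIDC middleware has ALREADY
    validated (signature, issuer, audience, nonce); this only reads claims."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)            # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def session_cookie(session_id: str, claims: dict) -> Tuple[str, int]:
    """Return the Set-Cookie value and the server-side session timeout to use.
    Only a KMSI login gets a Max-Age, i.e. a cookie that survives browser close."""
    kmsi = str(claims.get(KMSI_CLAIM, "")).lower() == "true"
    jar = SimpleCookie()
    jar["app_session"] = session_id
    jar["app_session"]["httponly"] = True              # not readable by page scripts
    jar["app_session"]["secure"] = True                # HTTPS only
    jar["app_session"]["samesite"] = "Lax"             # redirect back from B2C is a top-level GET
    jar["app_session"]["path"] = "/"
    ttl = KMSI_SECONDS if kmsi else SESSION_SECONDS
    if kmsi:
        jar["app_session"]["max-age"] = ttl
    return jar.output(header="").strip(), ttl


def demo_token(claims: dict) -> str:
    """Constructed, unsigned token for offline demonstration only."""
    def seg(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none"}), seg(claims), ""])


if __name__ == "__main__":
    claims = id_token_claims(demo_token({"sub": "user-1", KMSI_CLAIM: True}))
    print(session_cookie("opaque-session-id", claims))
```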
Issue summary:
msal.logout() appears to log the user out, but after "logging out" the user can click "login" and be logged in again without being required to enter their username and password.
This is a serious security issue for users who log in to our application on a public computer, then log out thinking that they have prevented someone from accessing their account.
The frontend is using Angular-msal 1.0.0 (Angular-oauth2-oidc has the same issue, so I think it's not a problem with the JS library).
Both Azure AD B2C built-in user flows and XML custom policies have this logout issue when logging in with a federated AAD tenant user.
Any help would be appreciated.
Thanks.
The MSAL library provides a logout method that clears the cache in browser storage and sends a sign-out request to Azure Active Directory (Azure AD). The request is made against the end_session_endpoint URL obtained from the B2C policy metadata. Keep in mind that single sign-out is supported only by custom policies and that it's scoped to the same browser, not the device.
Just in case you are still facing the issue, an idea would be to redirect using &prompt=login in your auth URL, which will cause your login request to be handled without the existing user session.
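The two B2C requests that this answer and the KMSI answer above hinge on, as an added example that is not code from MSAL or from any of the posts: the authorize request, where prompt=login is the parameter that defeats KMSI single sign-on (so it is only added when re-authentication is wanted), and the end-session request that actually ends the B2C session rather than just clearing the local cache. Tenant, policy, client id and redirect URIs are constructed placeholders.

```python
"""Added example: build and inspect Azure AD B2C authorize and end-session
URLs.  Not MSAL's code; all identifiers below are constructed placeholders."""
from urllib.parse import parse_qs, urlencode, urlsplit

TENANT = "contoso"                                      # placeholder B2C tenant
POLICY = "B2C_1A_signup_signin"                          # placeholder custom policy id
CLIENT_ID = "00000000-0000-0000-0000-000000000000"       # placeholder app registration
REDIRECT_URI = "https://app.example.com/auth/callback"
POST_LOGOUT_URI = "https://app.example.com/"


def b2c_base(tenant: str, policy: str) -> str:
    """Policy-specific OIDC endpoints live under this b2clogin.com path."""
    return f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}"


def authorize_url(state: str, nonce: str, force_login: bool = False) -> str:
    """Authorization-code request.  Without prompt=login, a B2C cookie kept by
    KMSI lets the user through silently; with it, credentials are asked again."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid offline_access",
        "state": state,          # CSRF binding, checked on the callback
        "nonce": nonce,          # replay binding, checked against the ID token
    }
    if force_login:
        params["prompt"] = "login"
    return f"{b2c_base(TENANT, POLICY)}/oauth2/v2.0/authorize?{urlencode(params)}"


def end_session_url(id_token_hint: str = "") -> str:
    """Sign-out request.  Sending the browser here is what ends the B2C
    session; clearing MSAL's browser-storage cache alone leaves it alive."""
    params = {"post_logout_redirect_uri": POST_LOGOUT_URI}
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    return f"{b2c_base(TENANT, POLICY)}/oauth2/v2.0/logout?{urlencode(params)}"


def forces_reauth(url: str) -> bool:
    """Check an outgoing authorize request (e.g. from proxy or browser logs)
    for prompt=login, the parameter the KMSI answer asks you to remove."""
    return "login" in parse_qs(urlsplit(url).query).get("prompt", [])


if __name__ == "__main__":
    print(authorize_url("state-123", "nonce-456"))
    print(end_session_url())
```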
I have an application that uses Azure B2C.
If the starting point for a user is my application, it's easy to add an external identity provider, such as Facebook or Google.
It would follow the standard OAuth flow of:
Go to my site
Click login
Get redirected to B2C
Click the Facebook button and log in
B2C returns authenticated user details to my site.
However, I now have the situation where my site is not the starting point.
The flow is:
User is logged in at 'Company A'
User clicks a button to go to my site
An authentication step occurs automatically
User is now authenticated on my site.
If I were in charge of authentication (using ASP.NET Identity, for example), 'Company A' could call an API on my site with a single-use code, and I could send back the token. Then when the user was redirected, I could get that token back from 'Company A'.
However, not being in charge of the auth step, I'm having trouble.
I don't think we want to be using a SAML flow (different spec). The SSO Session Overview doesn't seem to be of much help. There might be something in custom policies that can do this, but I'm lost.
I think the doc I need might be 'Pass an access token through a custom policy', but the fact that they use Facebook in the example confuses me, as Facebook wouldn't be calling Azure B2C or passing me anything about Facebook that I can use to send to B2C.
So, using Azure B2C, how can I get a user who is logged in to another site to be logged in to my site automatically, please?