I'm currently using Azure B2C as identity management server to give my Blazor Webassembly client access to a .NET core API, but find the sign in flow to be a bit clunky. I've looked at Google One Tap sign in which is much more smooth but I'm not sure if that can be integrated with Azure B2C or if I need to throw that out. Can Google One Tap signin be incorporated Azure B2C and what are the basic steps to do so? And if that is not possible what are my alternatives?
You can configure Azure AD B2C to allow users to sign in to your application with credentials from external identity providers like Facebook, Google and GitHub.
Google One Tap is part of Google Identity Service, it's a type of Google Authentication without using password and we can use Google Identity Service along side with Azure AD B2C.
First we need to to register Google as an identity provider for your Azure AD B2C tenant, as described in this document.
You need to create a sign-up or sign-in policy, as described at Azure Active Directory B2C: Built-in policies, and add Google as an identity provider for this policy.
Check this example of using Google Identity Provider with Azure AD B2C for more information.
Related
I'm investigating Azure AD B2C as a possible auth service, which we want to use for user management and authentication. We have a web application, Web API which we can easily integrate with AAD B2C and migrate our current authentication and user management.
However, I did not find any solution how to authenticate mobile applications and integrate it with azuere ad b2c. Our mobile app communicates also with web api but it does not need any user login. These applications are tied to a tenant and every mobile app instance has an API key that is used to authenticate the mobile app on the backend.
Is it possible with azure ad b2c to achieve that kind of authentication, that we will generate API keys for our mobile apps and will use the same ad in azure like the normal users? Is possible with azure ad b2c or we should use another azure service?
What are the best practices in this area? It is similar to the backend to backend communication where API keys are used. Thx.
The normal way for such a scenario would be to use the client credentials flow, where you use your ClientID + ClientSecret for a silent login in order to get a non-personalized AccessToken.
Although it seems that this type of flow is currently not supported by AD B2C. Have a look here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/application-types#current-limitations
As an alternative, that page is refering to the client credentials flow of the Microsoft Identity Platform (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow).
I guess it now depends on the detailed requirements of your application whether it could be an option for you to use.
Context
I've successfully created and configured a Azure B2C tenant and a ASP.NET Core 3.1 Web Application which uses AD B2C built in workflows to authenticate users.
Question
In the application described above the login forms (even they have customized design by me) are provided and hosted by Azure AD B2C infrastructure.
Is it possible to use my entirely custom login form (hosted in my web app), get the typed credentials from the uses, then call Azure AD B2C API to do the authentication, and get the token?... or it is not a supported scenario and asking for the credentials form is always must be hosted by the Azure AD B2C infrastructure...
From a web app this is not supported. We do support an ROPC flow from mobile apps.
I have enabled two identity providers i.e: facebook and google in my azure ad b2c tenant, but when I test them from within the portal with Run Now on the signup sign-in policy, only email option shows up, I've also tried and linked it up with my web app .NET CORE 2.0 app and there as well only email option shows up.
I followed official docs to create and save identity providers in my tenant, please let me know if there is an extra step which I don't know about. Following is a link to google + identity config
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-goog-app
Ensure that you have config the social identity data provider in the policy that you used to login. Refer the link below:
Azure Active Directory B2C: Built-in policies
Is it possible to use MSAL to allow a windows service to access a web api protected by Azure AD B2C? If not, what is the best way to allow a autonomous service to access an API protected by B2C.
This scenario should be addressed with the Client Credentials OAuth flow.
This is possible in Azure AD B2C, however, the experience isn't ideal.
To do achieve this, use "App Registration" blade in the Azure Portal to register a apps that define application permissions and then register apps that use client credentials to request these. You would effectively be using the same mechanism that you use in regular Azure AD, see Azure AD's "Daemon or Server Application to Web API" documentation
Important note: Make sure you are not using the Azure AD B2C blades for this.
You can support the ask for a first class experience by voting for this entry in the Azure AD B2C feedback forum: Support OAuth 2.0 Client Credential Flow
I don’t really understand the difference between Azure AD B2C Application and Azure App Registration Application.
I can see some of my Azure AD B2C applications in the Azure App Registration page, but the opposite is not true.
The good part of Azure App Registration is that you can request the Graph API if you have the right permissions and it’s not true for an Azure AD B2C Application.
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
But it seems to be not possible to be authenticated with Azure AD B2C with an Azure App Registration application.
Do you know if there is a possibly to have all-in-one ? An application which can authorize AAD B2C authentication and request the Graph API.
The two sets of apps are completely independent of each other.
You should not be able to see any of the Azure AD B2C apps in the Application Registration portal (ARP). The only app that may be visible is the 'b2c-extensions-app', which is a system application that B2C uses to store information about users. Likewise, the apps in the ARP portal should not be visible in the B2C portal.
Unfortunately it is not possible to have an "all-in-one" app at the moment. You should vote for the feature here.
Depending on your scenario, you could register an application in both the portals, and use the right one depending on the request you need to make.
1) Currently it is not possible to use the same app registration for both Microsoft Graph API and Azure AD B2C.
a. Azure AD B2C Apps must be registered using the Azure AD B2C blade in the Azure portal.
b. Graph API applications can be registered either at https://apps.dev.microsoft.com/ or by creating an application in your Azure Active Directory tenant (but not under the Azure AD B2C blade).
2) Graph API currently does not accept tokens issued by Azure AD B2C. This means you may need a separate micro-service that will authenticate with Microsoft Graph using the ClientId / ClientSecret of your Graph API Application Registration. The instructions in the documentation will have you configure “create, read and update permissions” for your Graph API app registration. (https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet)