Exchange access token between Auth0 and Azure AD B2C - azure-ad-b2c

I have an app (app1) with Google social login implemented using Auth0. I can successfully log in to this app with my Google email and can see the token.
I have a REST API (api2) protected using Azure AD B2C with Google social login. I can call this API with a token returned by Azure AD B2C for my Google email.
However, the token returned by Auth0 and the one returned by Azure AD B2C seem to be different, for the same Google email.
How can I call the REST API (api2) with the auth token generated by app1? Based on my naive research I need to do some token exchange through identity brokering. I would be grateful for any pointers or guidance on how to do this.
Thanks,
Mateen

I would suggest you federate both app1 and api2 with the same IDP, either B2C or Auth0. As the API is protected with B2C, it will not trust the token issued by Auth0.
However, you may try adding Auth0 as an IDP to B2C so that rather than B2C connecting directly to the Google IDP, it connects via Auth0. In that case, the token passed to app1 and B2C (to access the API) will be the same. I have not personally tested it out, but you may give it a try; I would recommend going with my first suggestion.

Related

How does Azure B2C handle refresh tokens when an external identity provider is involved?

I've been trying to find how Azure B2C handles the token refresh when there is a third party IDP involved.
So, let's say I have an Azure B2C tenant, and I have added an identity provider configuration for a customer. Let's say that all users with the @customer.com email are redirected to 'Customer's' IDP for authentication. Let's say I have a mobile application which uses Azure B2C to obtain access and refresh tokens for an API that we own.
When the user accesses the mobile app for the first time, the mobile app redirects the user to Azure B2C. If there is no external identity provider involved, the user will login with a username and password to the local Azure B2C directory, and Azure B2C will return an access token and a refresh token to the mobile app. The mobile app will use the access token to access the backend API. When the access token expires, the app will submit the refresh token to Azure B2C to obtain a new access token and new refresh token. This much I understand.
Now, when we add an external identity provider, the mobile app redirects the user to Azure B2C, and then the user is redirected to the external IDP where they authenticate. A token is submitted back to Azure B2C authenticating the user, and Azure B2C issues an access token and refresh token to the mobile app. When the access token expires, the mobile app will submit the refresh token back to Azure B2C to obtain a new access token.
Now, I have the following questions:
Does Azure B2C connect back to the external IDP to verify the account status has not changed? If the account is disabled at the external customer's IDP, then Azure B2C should not issue a new access token.
If the external IDP (and underlying directory) has an update, such as to email address, or name of the user, how is that information going to be reflected in the refreshed token issued to the mobile app?
If Azure B2C does reach back out to the external IDP each time the B2C token is refreshed, what protocol does B2C use? Does it use OAuth and maintain its own refresh token to the external IDP? Or does it use OpenID Connect, and reinitiate the initial login process every time with the external IDP? If the latter, and there is no valid cookie or valid session at the external IDP, the user will have to go through a login or SSO flow on their external IDP again.
Ideally, I would like to have the external IDP dictate the lifetime of access tokens and refresh tokens by copying these claims from the external token to the Azure B2C issued token. I would like Azure B2C to make a round trip back to the external IDP each time the B2C token is refreshed, in order to ensure the access is still valid, and that if any of the user's information changed it is reflected downstream in our apps. I also want the user of the mobile app to only have to log in the one time (using refresh tokens), until the user's external IDP dictates that the token is no longer valid. Is this possible?
No. You would have to do this via Graph API.
In general, to get the claims updated you have to logout and login. However, it seems there's a fix for this on the way for B2C. See this. I doubt if this handles external IDP.

How to get JWT from Azure SSO Login

I am using Azure SSO Login to get authenticated to our own application.
Everything works fine except the fact that I would like to have JSON Web Token (JWT) which I could use in order to make some API calls to Microsoft Azure after login.
Azure SSO does not return JWT after login, is there any way to obtain it?
Mirko
Scenarios that you may refer to, to get an idea, in addition to @juunas' suggestion:
This Microsoft docs tutorial of a JavaScript single-page application (SPA) signs in users and calls Microsoft Graph by using the authorization code flow with PKCE. The SPA uses the Microsoft Authentication Library (MSAL) for JavaScript v2.0.
This scenario uses a JS frontend and PHP backend with Azure AD, which might give an idea. Its flow:
A user accesses the front end.
If the user is not authenticated, they will be redirected to Azure Active Directory (AAD) to log in.
AAD will redirect (on success) with an authorization token.
We'll inject this authorization token into the calls made to the backend (to prove your identity).
The backend API will validate the authorization token and verify it against the issuer (AAD).
Protect an API by using OAuth 2.0 with Azure Active Directory: this case registers two apps in Azure AD, a backend app and a front-end app, and uses the validate-jwt policy to validate the OAuth token.
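The validation step above, and the first question's problem (api2 refusing a token minted by Auth0), come down to the same checks a backend performs on every bearer token: signature by a trusted key, then issuer, audience and expiry. The following is an added example, not code from any of the posts: real AAD/B2C tokens are RS256-signed and verified against the tenant's JWKS; here HMAC-SHA256 with a constructed demo key stands in for that so the checks run offline, and the issuer URL, audience and key are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values. A B2C-protected API accepts only tokens from its own
# tenant's issuer and minted for its own audience; anything else is rejected
# before any business logic runs.
B2C_ISSUER = "https://exampletenant.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/"
API_AUDIENCE = "api2-client-id"                       # hypothetical app id of api2
DEMO_KEY = b"demo-signing-key-not-for-production"     # stands in for the IdP's RS256 key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT; plays the role of whichever IdP issued the token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_token(token: str, key: bytes = DEMO_KEY, now=None):
    """Check a bearer token the way api2's middleware would. Order matters:
    verify the signature before trusting any claim. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"       # signed by a key this API does not trust
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != B2C_ISSUER:
        return False, f"untrusted issuer {claims.get('iss')}"   # e.g. an Auth0 tenant
    if claims.get("aud") != API_AUDIENCE:
        return False, "token not issued for this API"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"

if __name__ == "__main__":
    ok = mint_token({"iss": B2C_ISSUER, "aud": API_AUDIENCE, "sub": "user1", "exp": 2000})
    auth0 = mint_token({"iss": "https://exampletenant.auth0.com/", "aud": API_AUDIENCE,
                        "sub": "user1", "exp": 2000}, key=b"auth0-demo-key")
    print(validate_token(ok, now=1000), validate_token(auth0, now=1000))
```

Even if the Auth0 token were signed with a key api2 trusted, the issuer check would still reject it, which is why the accepted answer recommends federating both app1 and api2 through one IDP rather than reusing the token.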

Native Facebook login and Azure AD B2C using MSAL

I'm trying to build a setup where my Xamarin forms app authenticates with Facebook, and when done gets a token from the Azure AD B2C to use when requesting data from my API.
So far I have native Facebook login up and running, meaning no web UI login; it uses the user's Facebook app and I get the Facebook access token. This is the one I want to use when requesting a token from Azure AD B2C.
My issue now is how I should integrate this with Azure AD B2C. I want the API to be protected using Azure AD B2C and that part is enabled too, but I need the app to request a token before it can access my API. This is the part where I'm not sure if it is possible yet, without letting Azure AD pop up some UI...
At this time, Azure AD B2C does not support acknowledging authentication that occurred outside of B2C.
You should request either support for the Facebook SDK and/or, more broadly, support for swapping tokens obtained outside of B2C for B2C tokens via the Azure AD B2C feedback forum.

Azure AD B2C won't logout Facebook

When using Facebook as the IDP for Azure AD B2C, it appears that B2C isn't using the FB SDK correctly.
Using FB's guidelines found here, I would expect scenarios 2 and 3 below to log out of Facebook:
A person logs into Facebook, then logs into your app. Upon logging out from your app, the person is still logged into Facebook.
A person logs into your app and into Facebook as part of your app's login flow. Upon logging out from your app, the user is also logged out of Facebook.
A person logs into another app and into Facebook as part of the other app's login flow, then logs into your app. Upon logging out from either app, the user is logged out of Facebook.
When we log out of our application, Facebook is staying logged in, which is NOT the desired behaviour.
A similar question was asked previously on TechNet.
Is there a way to make this happen, or is this feature on the B2C roadmap?
Azure AD B2C does not support signing you out from the external identity provider, be it Facebook, Google or a custom OIDC/SAML/WS-Fed identity provider. It only signs you out from Azure AD B2C.
Currently, Azure AD B2C does not disambiguate whether you were already signed in to the external identity provider or signed in to it as part of signing in to Azure AD B2C, so it can only either always keep you signed in or always sign you out. The latter option is rather invasive, thus Azure AD B2C opts for keeping you signed in, which is in line with Facebook's #1 guideline.
You can request support for this more advanced detection and sign out logic via the Azure AD B2C feedback forum.
Note: This question is similar to: Azure AD B2C OpenID Connect single logout with WS-Federation and SAML claims provider

Active Directory B2C get facebook access token

I'm comparing the new AD B2C features with the social authentication ability in Azure Web Services. Using the AD B2C approach I can't seem to find a way to access the underlying access token from a social provider like Facebook.
E.g. in Azure Web Services social authentication there was an http://example.com/.auth/me endpoint that would provide BACK the token to access the social provider's API.
Is that not available in B2C? If not, that seems like a step backwards.
From what I can see, the answer is no (although I wish there was a way).
See this:
https://blogs.msdn.microsoft.com/appserviceteam/2016/06/22/app-service-auth-and-azure-ad-b2c/
OAuth Tokens: With Easy Auth, the application code has direct access to the provider-specific OAuth tokens. This is useful if you want to make graph API calls on behalf of the logged-in user (for example, calling the Facebook Graph to post a photo to the user’s timeline). B2C, however, does not expose the provider OAuth tokens to your application code.