How to custom Azure AD B2C UserFlow as per need of customer? - azure

We are facing an issue while implementation Authentication using Azure AD B2C Instance.
Our Requirement:
SignUp:
For the Signup process, we have to call external API to check some status in that API, if iAPI returns true then create a user in Azure AD B2C, or else return with some error on it.
Assume if a user is created successfully in Azure AD B2C (with in the same Userflow), and now we want to store some custom fields that we have configured in Azure AD B2C, those custom fields need to be also stored in our own database, and not in default database provided for Azure AD B2C.
SignIn:
For Sign in process, we have to call external API to check some status in that API, if API returns true then continue with the Authentication flow or else return it with some error details.
Please help me with this.
Solution Approach:
Approach 1: User inbuild provided UserFlow in Azure AD B2C (SignUpSignIn, SignUp, SignIn, PasswordReset, Profile)
Problem Facing for Approach 1:
During the authentication process, we want to include our own customized page for MFA after the signup or sign-in page.
We are not able to call external API after the user successfully created or login with the existing Userflow.

This is pretty "easily" achievable using the Custom (Trust Framework) Policies.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-trust-frameworks
There's also a nice example of using a REST API within
https://github.com/azure-ad-b2c/samples/tree/master/policies/rest-api-idp
Note: The example here is using the REST call for authentication purposes, but should outline how you use a REST Technical Profile to achieve the flow you are looking for.

Related

Does Azure B2C provide REST API for login?

I have one application integrated with Azure B2C directory. Our problem is, login page is redirecting to Azure B2C portal (Own custom page) for authenticate or Authorize users and then revert back to the original website.
I need to open popup with my own website login design and at the backend, I am able to call Azure B2C REST api to validate users.
How I can create REST API for Login in Azure B2C portal?
Let me know if you have any information about the same.
As juunas said in the comment, you could use resource owner password credentials(ROPC) flow to validate users at the backend. You could call the API with the POST request at the end. Note: ROPC supports local accounts only.
Try to create resource owner user flow first.
You need to replace the username and password with the user's to be verified.
POST https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1A_<ROPC_Auth name of the flow>/oauth2/v2.0/token
username=<username>
&password=<password>
&grant_type=password
&scope=openid <application-id> offline_access
&client_id=<application-id>
&response_type=token+id_token

How to use device code flow with Azure B2C

I would like to set up authorization in a dotnet web api project using Azure B2C with device code flow.
I have successfully set up this sample https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapi with my Azure B2C tenant and my custom signin policy. I can obtain an access token using Postman if I select the OAuth 2.0 authorization type.
Now I would like to use Postman to obtain an access token and call my API using device code flow. The problem is I can't find any documentation or sample on how to do this. The docs show how to do this using a regular Azure tenant, not a B2C tenant having a custom singin policy.
I can obtain a device code using Postman and go to https://microsoft.com/devicelogin and use that code, but I can't log in using the users I set up in my B2C tenant. Also, I can't find any way to make it use my own custom signin policy defined in my B2C tenant.
Is there any way to use device code flow with an Azure B2C tenant?
Based on the documentation https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc it is not supported.
Only authorization code/hybrid/implicit flows are supported.

Azure B2C Userflow v2.0(SignUp and SignIn) - unable to find Userinfo endpoint

We created an application in Azure B2C to use the OIDC implicit Grant flow. We have configured the Userflow policy(SignIn and SignUp) to customize the homepage layout and to get the custom claims in response. We are using Azure B2C as External Identity Provider (IdP) in our application. When user clicks the Login Button in our application we are redirecting the user the Azure B2C for Authentication and we are able to get the Access Token in response. But we are facing constrain in Getting the User Profile through the UserInfo enpoint. We have tried out both the Graph API endpoint and Azure B2C OIDC userinfo enpoint but neither of them are compatible with the Userflow policy.
I believe the workaround suggested is applicable only if we need to grab some extra input from user (during sign-up) or input validation and then pass that claim to application. It will unnecessary require using "Identity Experience Framework" feature which is ideally required for custom login/signup journey and is not available under free license.
What I understand from you requirement is you need to pass built-in Azure AD attributes to application and which shall be doable by selecting extra claims from "User Flow" signup-SignIn policy. Is not there any alternative to make call to "userinfo" endpoint out of box ?? Any Microsoft expert here, please clarify.
As of now, Azure AD B2C does not support the UserInfo endpoint through User-flow policy.
Right now, it is being supported only through Custom Policies.
You can vote for this feature on Azure AD User Voice.
A workaround is that you could integrate a Rest API to retrieve the extra claims.
See reference here.

Azure AD B2C : User credential validation against custom user store

Can Azure AD B2C pass the "UserName/Email and Password" entered by end user to a third party trusted application for credentials validation and get the claims for the user on successful credentials validation by the App?
This scenario arises because, some of my users are in Azure AD B2C and some of the users are maintained in the custom user store and can't be moved to Azure AD B2C due to business reasons. Yet i want to provide same sign-in experience for both users.
The Wingtip sample contains an example of this integration.
See the "ClassicAccount" claims provider for reference.
This claims provider, which is implemented by a REST API, is integrated in to the sign-in user journey to sign users in using logins that are external to the Azure AD B2C directory.
Code for the REST API can be found in the same repository.

Authenticate a user on Azure AD B2C using Graph API

I have created a WebApi app which can create a user on Azure AD B2C tenant using Graph API.
Now the user has to authenticate on Azure AD B2C as the same way I have used like Graph API. I mean a programmatic approach to sign in instead of Microsoft login page. Is it possible to authenticate against Azure AD B2C using Graph API? If yes can you please suggest me the way to do it.
It is not possible to authenticate an user in azure AD using graph API. Graph API provides methods to various AD related operations on the users, signed on user, groups, directory roles, policies and so on. https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations
You can programmatically authenticate users against Azure AD using a certain call but MS refuses to officially support the method in libraries, despite it existing for over 4 years.
For node, the denied pull request is here: https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/pull/99?_pjax=%23js-repo-pjax-container
The code repo referenced in the pull is here: https://github.com/testdouble/azure-activedirectory-library-for-nodejs/tree/client_secret_optional

Resources