So, I am trying to utilize Graph API with Azure AD B2C. My understanding is that it's not possible to use the client_credentials flow when requesting access tokens. When I try to utilize an access token with client_credentials to get /beta/policies/b2cAuthenticationMethods I receive this error:
{
"error": {
"code": "AADB2C",
"message": "User Authorization: Access is denied.",
"innerError": {
"correlationId": "4c00031f-febc-4c1a-9728-701f0c1fda00",
"date": "2021-01-19T18:51:42",
"request-id": "77a30adb-5103-40ec-84f3-0626800e976a",
"client-request-id": "77a30adb-5103-40ec-84f3-0626800e976a"
}
}
}
Which is expected since I used the client_credentials flow.
But, the documentation states the following:
Although the OAuth 2.0 client credentials grant flow is not currently
directly supported by the Azure AD B2C authentication service, you can
set up client credential flow using Azure AD and the Microsoft
identity platform /token endpoint for an application in your Azure AD
B2C tenant. An Azure AD B2C tenant shares some functionality with
Azure AD enterprise tenants.
I have gone through the process linked above. However, I am running into one issue and now have questions about this "automated" process:
Question: How do I complete this automated process for requesting and utilizing access tokens with a registered app in B2C if I cannot use the client_credentials flow?
I cannot have any user interaction when this application requests an access token.
Do I have to use a different flow? If so, how do I do it so that things like MFA aren't an issue? I am not using any SDKs, I am just directly querying MGraph using an HttpClient in my application with the Authorization Bearer header passed.
Issue
Why am I not able to complete this part of the above linked documentation.
I am logged in as a global admin for my B2C tenant. I navigate to the Roles and Administrators section
Then, in the Add Assignments popup that appears on the left I start typing the name of my app
and it does not appear! But it is registered, and I can see it in my list of registered applications:
What is the deal here?
I have found many other questions similar, and all have led me to the referenced documentation page. But, I still am not quite understanding the correct procedure to automatically get an access token for a registered app in B2C tenants.
Thanks so much.
Edit
See my answer for both solutions to the problems I had in this post.
Okay, so I managed to find the answer to my issue here.
Just out of curiosity, I made that ServicePrincipal for my application a Global admin. I used the client_crededentials flow again to the beta/policies/b2cAuthenticationMethodsPolicy and STILL received that above error about User Authorization: Access is dened. What the heck? I'm starting to wonder if it's that specific endpoint that's the issue, and not the flow itself. Especially because I can get /beta/users just fine when using the access token from client_credentials flow for my B2C tenant.
Alright, I have found my answers.
To my issue:
I found the answer on this thread https://learn.microsoft.com/en-us/answers/questions/229991/azure-ad-b2c-application-won39t-show-up-as-an-opti.html.
To my question:
I opened an issue on the MSFT Docs GitHub page, and someone was able to answer my question there.
Related
I have SPA made by react.
And user authentication is done with Azure AD B2C.
Right now, we are trying to figure out a mechanism to get an access token to access the backend after a user logs in.
The backend is Azure functions.
I think it is set up through "Application Registration" in Azure AD B2C, but I don't know the details.
I see that there is an azure functions URL
http://[yourapp].azurewebsites.net/api/[funcname]?code=[functionkey]
but where should I set it?
Please tell me...
No, functionkey is an authorization at the function level, it has no relationship with Azure AD B2C. You need to add some code to send the received bearer token against Azure AD to validate it.
There's a full sample about how to do it in here: https://medium.com/cheranga/azure-functions-validate-azure-active-directory-tokens-using-your-own-custom-binding-4b4ff648d8ac
I have an app registration on Azure that is being used to authenticate requests using the ROPC flow, so that we can mimick a real user access token and test our APIs. This is working, but to make this more secure we would like to be able to say a secret is required in the request.
This is not default for ROPC as it wasn't intended to be used with secrets (note - we cannot use client credentials for this part of testing we are doing).
The app registration is used along with a B2C user flow setup along side it. I don't believe this to be too relevant for this issue, but I could be wrong.
Currently the working call is as follows -
On azure to allow the ROPC flow you need to set the application to allow public flows.
I believe this setting stops any form of client secret or certificate being required in the request.
The microsoft docs seem to suggest it is possible to add a secret to ROPC calls and make them required but i can't figure out a way of doing it while having the above "public" azure setting set to true. With that off you get an error saying that the resource owner flow is not allowed due to it being private.
This is part of the Microsoft docs - https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc which seems to suggest you might be able to make the app private, I just can't see how while allowing the flow.
This link you mentioned is about Azure AD, but not Azure AD B2C. So there are two methods to get the access tokens with different formats. In addition, it's more secure for you to use authorization code flow in Azure Active Directory B2C.
One is following AAD Docs with your AAD B2C directory, see the explanation. Note: scope doesn't support application-id, it's related to the permissions in API Permissions.
POST https://login.microsoftonline.com/{b2c-tenant-name}.onmicrosoft.com/oauth2/v2.0/token
client_id={b2c-application-id}
&scope=openid offline_access
&username={username}
&password={password}
&grant_type=password
&client_secret={client_secret, if your app is not a public client}
[Recommend] Another is testing ROPC flow in Azure AD B2C. client_secret is not in the parameters, so it is not required whether it is public or not.
https://{b2c-tenant-name}.b2clogin.com/{b2c-tenant-name}.onmicrosoft.com/{B2C_1_ROPC_Auth, name of ROPC flow}/oauth2/v2.0/token
username={username}
&password={password}
&grant_type=password
&scope=openid offline_access {b2c-application-id}
&client_id={b2c-application-id}
&response_type=token id_token
We created an application in Azure B2C to use the OIDC implicit Grant flow. We have configured the Userflow policy(SignIn and SignUp) to customize the homepage layout and to get the custom claims in response. We are using Azure B2C as External Identity Provider (IdP) in our application. When user clicks the Login Button in our application we are redirecting the user the Azure B2C for Authentication and we are able to get the Access Token in response. But we are facing constrain in Getting the User Profile through the UserInfo enpoint. We have tried out both the Graph API endpoint and Azure B2C OIDC userinfo enpoint but neither of them are compatible with the Userflow policy.
I believe the workaround suggested is applicable only if we need to grab some extra input from user (during sign-up) or input validation and then pass that claim to application. It will unnecessary require using "Identity Experience Framework" feature which is ideally required for custom login/signup journey and is not available under free license.
What I understand from you requirement is you need to pass built-in Azure AD attributes to application and which shall be doable by selecting extra claims from "User Flow" signup-SignIn policy. Is not there any alternative to make call to "userinfo" endpoint out of box ?? Any Microsoft expert here, please clarify.
As of now, Azure AD B2C does not support the UserInfo endpoint through User-flow policy.
Right now, it is being supported only through Custom Policies.
You can vote for this feature on Azure AD User Voice.
A workaround is that you could integrate a Rest API to retrieve the extra claims.
See reference here.
I have a 2 application using a single AD B2C tenant. I want to logout the user from both websites when the user signs out to either one of them. I'm using email for local accounts.
In AAD, there is a LogoutUrl registered on each application which receives a GET request to users currently signed in to. Source
I wonder if there is workaround for AD B2C like in AAD.
PS: I am using this repo as reference.
Azure AD B2C doesn't support Single Log Out and we weren't able to find a workaround.
I've understood that in B2C scenarios Microsoft has assumed that IdPs are "social-media" type and considered it is not of end-users interest to be logged out of Facebook when they log out of some service to which they've authenticated via Twitter. Makes sense in that scenario.
However, in government-provided IdP scenarios it is usually a hard requirement to be able to support SLO.
We considered it to be more of a limitation by-design in B2C than technical, so we moved to using another authentication service provider that supports SLO. Apparently a wise choice as I haven't at least heard anything regarding SLO and Azure B2C as of today.
According to the documentation that is possible:
When you redirect the user to the Azure AD B2C sign-out endpoint (for
both OAuth2 and SAML protocols), Azure AD B2C clears the user's
session from the browser. However, the user might still be signed in
to other applications that use Azure AD B2C for authentication. To
enable those applications to sign the user out simultaneously, Azure
AD B2C sends an HTTP GET request to the registered LogoutUrl of all
the applications that the user is currently signed in to.
Applications must respond to this request by clearing any session that
identifies the user and returning a 200 response. If you want to
support single sign-out in your application, you must implement a
LogoutUrl in your application's code.
The suggested answer was from 3 years ago.
Please have a read here.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#single-sign-out
Apparently, B2C does support single sign out, but I could not get it to work despite following the steps and I'm looking for answers on SO.
I have an application that authenticates users agains Azure AD using OAuth and I want to provide the ability to setup certain information associated to each user by his admin in Azure AD, so I can read it as part of the authentication process. I would also like to be able to use the claims functionality provided by Azure ActiveDirectory so the admin can define custom mappings between user attributes in his AD and what I am going to read, as explained here.
Apparently those claims can only be read from a SAML token that would be the result of a SAML authentication, but since I am already authenticating using OAuth I would like to avoid having to do that. My question therefore is: can those SAML tokens or the information contained in them be obtained somehow either as part of the OAuth authentication process or afterwards?
When you say "provided by ActiveDirectory" you mean Azure AD not on-premises AD?
There is no way currently to add claims to the token in Azure AD. They are "canned".
That link you refer to is for SaaS application in Azure.
The way to get information out of Azure AD is via the Graph API.