Azure B2C integration with sql server authorization scheme and unique validation - do I use Identity Experience Framework? - azure-ad-b2c

I need help determining how to integrate Azure B2C authentication with the authorization within my app. I got the SUSI (sign up/sign in) user flow working, but I need to do two things. First, I need to validate the alias to ensure no other such alias already exists, and second, I need to add the user to my SQL Server database to ensure they are available for authorization processes (e.g. users can allow other users to view/edit their resources).
I saw this video, which seems to cover what I want to do, but I think I could use some explanation. This article also seems to come close, but it is returning keys from a database as opposed to inserting into a database. That seems like a minor change.
It seems like I need to replace the SUSI user flow with a B2C Identity Experience Framework policy, but I still want the other steps to be completed. I think I should download the SUSI policy, edit it and upload it to the IEF, but I am not sure.
I was previously trying to capture the events in a web app in the Startup.cs file when configuring the service, during the OnTicketReceived event, like this, but this didn't cover mobile apps, so I think the IEF solves for this by including the steps in the flow.
I just want to confirm this is the right way to accomplish what I am looking to accomplish, and to see if anybody has any step-by-step examples.
It seems like it would be a good tutorial to show starting with a working SUSI user flow and editing it to add integration with an Azure Function.

Using IEF and calling a REST API will be the right way to accomplish your requirement. During the sign-up process, execute a RESTful technical profile that calls a REST API service; there you can validate the user's existence in your local DB, create the user in the database, and proceed with the registration process in the B2C tenant.
Another approach would be that, after signing up, the user can be created by the service, and on the first call the service can insert a claim for itself with the new database user ID.
There is a sample showing how to implement RBAC in B2C using security groups. If the role model is very simple, you could also consider attaching the roles directly to the user object as a custom claim.
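As an added illustration of the REST-API approach in the answer above (example code, not from the original post or from Microsoft's samples), here is what the service behind the RESTful technical profile can look like. It assumes two calls ordered around the directory write in the sign-up technical profile: a uniqueness check before B2C creates the user object, so a rejected alias never leaves an orphaned account, and an insert afterwards, once objectId exists. The claim names (alias, objectId, dbUserId), the Basic-auth credential and the SQLite stand-in for SQL Server are all assumptions; the 409 error body is the contract B2C documents for RESTful technical profiles.

```python
"""Two endpoints for a B2C custom-policy sign-up journey (constructed example).

check_alias : validation technical profile BEFORE the directory write.
create_user : called AFTER the directory write, when objectId exists, to insert the
              row that later authorization checks will look up.
"""
import base64
import hmac
import sqlite3

# Assumption: the RESTful technical profile authenticates to us with HTTP Basic.
# Real deployments load these from a key vault / app settings, never from source.
EXPECTED_USER = "b2c-caller"
EXPECTED_PASSWORD = "replace-me"

SCHEMA = """
CREATE TABLE IF NOT EXISTS app_user (
    id               INTEGER PRIMARY KEY,
    object_id        TEXT NOT NULL UNIQUE,   -- B2C objectId: joins the token's oid to this row
    alias_normalized TEXT NOT NULL UNIQUE,   -- casefolded so 'Bob' and 'bob' collide
    alias_display    TEXT NOT NULL
)
"""


def open_db():
    conn = sqlite3.connect(":memory:")  # stand-in for SQL Server
    conn.executescript(SCHEMA)
    return conn


def basic_auth_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _caller_is_authentic(authorization_header):
    """Reject anything that is not B2C: the endpoint is otherwise an open account-creation API."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(authorization_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(user.encode(), EXPECTED_USER.encode()) and hmac.compare_digest(
        password.encode(), EXPECTED_PASSWORD.encode()
    )


def _b2c_error(message):
    # Error contract B2C understands from a RESTful technical profile: HTTP 409 with this
    # body shows userMessage on the sign-up page and stops the journey.
    return 409, {"version": "1.0.0", "status": 409, "userMessage": message}


def _normalize(alias):
    alias = (alias or "").strip()
    if not (3 <= len(alias) <= 32) or not alias.replace("_", "").isalnum():
        return None, None
    return alias, alias.casefold()


def check_alias(body, authorization_header, conn):
    """Reject a malformed or already-used alias. Returns (http_status, json_body)."""
    if not _caller_is_authentic(authorization_header):
        return 401, {}
    display, normalized = _normalize(body.get("alias"))
    if display is None:
        return _b2c_error("Alias must be 3-32 letters, digits or underscores.")
    row = conn.execute(
        "SELECT 1 FROM app_user WHERE alias_normalized = ?", (normalized,)  # parameterized
    ).fetchone()
    if row:
        return _b2c_error("That alias is already taken. Please choose another.")
    return 200, {}  # an empty 200 lets the journey continue


def create_user(body, authorization_header, conn):
    """Insert the user after B2C has created the directory object."""
    if not _caller_is_authentic(authorization_header):
        return 401, {}
    display, normalized = _normalize(body.get("alias"))
    object_id = body.get("objectId") or ""
    if display is None or not object_id:
        return _b2c_error("Missing or malformed objectId/alias claim.")
    try:
        with conn:
            cur = conn.execute(
                "INSERT INTO app_user (object_id, alias_normalized, alias_display) VALUES (?, ?, ?)",
                (object_id, normalized, display),
            )
    except sqlite3.IntegrityError:
        # Lost the race between check_alias and the write: the directory object now exists
        # without a DB row, so log it and clean up via Graph out of band.
        return _b2c_error("That alias was taken a moment ago. Please choose another.")
    # Top-level JSON keys become OutputClaims of the technical profile (e.g. dbUserId).
    return 200, {"dbUserId": str(cur.lastrowid)}
```

The UNIQUE constraints do the real work: the pre-write check gives the user a friendly message, but only the database can guarantee uniqueness under two concurrent sign-ups, which is why create_user still handles IntegrityError instead of trusting the earlier check.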

Related

Azure AD B2C: Can I intercept the login flow and either approve/deny the token?

I'm struggling to figure out a way to hook into the authentication/authorization/token issuance process.
I want to be able to authenticate users, as well as prevent users that are banned from logging in.
I want things to work this way:
Upon providing their username + password, users get logged in if the credentials are valid
If the credentials are valid, we do an additional check as to whether the users are banned or not (by checking their username in a custom database)
If the user is banned, deny login
I want to know whether Azure AD or Azure AD B2C supports this ability to hook into its processes, and if so, where can I find more about it? documentation? sample code? etc...
Thanks,
This is easily attainable by using the Identity Trust Framework, also known as Custom Policies.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-trust-frameworks
You can then use a REST API Technical Profile and use conditions within your User Journey that will allow your flow to occur as you have indicated.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile
I would also encourage you to review these samples from the Community Github Repo:
Demonstrates using an AAD B2C Extension Property to store an attribute that is then conditionally handled. - https://github.com/azure-ad-b2c/samples/tree/master/policies/force-password-reset-first-logon
Demonstrates how you can use a REST API call during your User Journeys. https://github.com/azure-ad-b2c/samples/tree/master/policies/rest-api-idp
It is worth noting that there are some features coming for API Connectors within the more simplistic User Flows, but I am unable to speak on those.

Azure AD B2C - edit profile bespoke application?

After investigating what Azure AD B2C can do, I'm not sure if it can do everything we need it to do through custom policies, or whether we would have to make some compromises. I was thinking of still using it purely for authentication actions against our users: sign in or sign up (local & social media accounts), reset password etc.
However, we also want to collect more details about the user that they either provide at sign up or at a later date, and I'm finding the ability to edit profiles quite lacking.
Therefore I was thinking instead to create a bespoke .NET Core or Framework application which will act as a 'preference centre' that the user goes through. We will have much greater customisation of this, as we will not be limited to what Microsoft allow through custom policies. The user would either be passed through this application after signing in and before reaching one of our applications, or they can get to it from a link on our applications. All the data that is stored for the user will still be held in the Users section in our Azure AD B2C. Then the application will use the Graph API to query and update the data for the user.
Is this a sensible approach? Or can you recommend something else?

Synchronize AD user groups with backend service

I am not sure if the question is descriptive enough for what I am trying to accomplish, so let me try to elaborate, because even I am not sure how to properly phrase the question. So I will tell more about the big picture of what I am trying to do.
I am building an application that uses AWS Cognito for user authentication and authorization. But the authorization part is, in a way, not directly done via Cognito (more about it a bit later).
In Cognito I added Azure AD as a third-party identity provider via OIDC. I also have a backend service that will hold users' roles in its own database. Now, for users that are going to be added to the user pool via AD, I need to replicate their groups in AD as roles in my service database. (So if I have a user in AD that is part of the group ADMIN, I need to get that group and put it in my own DB as a role for that specific user.)
Now the idea is to use MS Graph for syncing groups with roles in my service. But the point is that then I would need the credentials of an AD user that has the rights to see that info in AD, which is not really what I am trying to accomplish.
My guess is that this can be done in an all-at-once scenario (which would require the "GOD" user's credentials in AD, which is not an option), or one by one (as they log in to Cognito via AD as IdP).
So to sum it up, my question is: can I integrate the call to MS Graph when a user logs in with their AD (Microsoft) credentials, so that in a way I get the info about their group when they try to log in to the Cognito user pool?
I understand that this is probably very unclear, but I am not quite sure how to put it in a simple way.
If anyone can help me out, I would appreciate it.
Thanks
You don't need to integrate the call to MS Graph.
Just include the groups claim in your token as instructed here. You just need to modify the "groupMembershipClaims" field in the application manifest:
"groupMembershipClaims": "SecurityGroup"
Then the token will contain the IDs of the groups that the user belongs to, like below:
{
"groups": ["{group id}"]
}
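An added example (not from the original answer) of what the service does with that groups claim once the token reaches it: map the group objectIds to its own roles and replace the user's stored roles on every login, so a removal in AD is honoured. It assumes the token has already been validated by the OIDC layer in front of it (with Cognito brokering, that means the groups claim has been mapped through to whatever the service receives), and the group ids and role names are constructed. It also handles the edge case the answer does not mention: when a user is in more than about 200 groups, Azure AD omits the groups claim from a JWT and emits an overage indicator instead.

```python
"""Turn an Azure AD 'groups' claim into roles in the service's own database (constructed example)."""
import sqlite3

# Assumption: signature, issuer, audience and expiry of the token were already verified by
# the OIDC middleware in front of this code; this only interprets the validated claims.

# Constructed mapping: AAD group objectIds -> role names in the service database.
GROUP_TO_ROLE = {
    "11111111-1111-4111-8111-111111111111": "ADMIN",
    "22222222-2222-4222-8222-222222222222": "EDITOR",
}


class GroupsOverage(Exception):
    """The token does not carry group ids inline; membership must be fetched from Graph."""


def roles_from_claims(claims):
    """Return the set of roles implied by the inline 'groups' claim."""
    if "groups" not in claims:
        # A JWT carries at most ~200 group ids. Past that limit AAD omits 'groups' and instead
        # emits _claim_names/_claim_sources (or 'hasgroups': true for implicit flow) pointing
        # at Graph. Treating that as "no groups" would silently strip an admin of every role.
        if claims.get("hasgroups") or "groups" in claims.get("_claim_names", {}):
            raise GroupsOverage(claims.get("_claim_sources"))
        return set()
    groups = claims["groups"]
    if not isinstance(groups, list):
        raise ValueError("'groups' claim must be a JSON array")
    # Unknown group ids are ignored: only groups you have explicitly mapped grant anything.
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def open_db():
    conn = sqlite3.connect(":memory:")  # stand-in for the service database
    conn.execute(
        "CREATE TABLE user_role (subject TEXT NOT NULL, role TEXT NOT NULL, "
        "PRIMARY KEY (subject, role))"
    )
    return conn


def sync_user_roles(conn, claims):
    """Replace the user's roles on every login so a group removal in AD revokes access."""
    # Key on 'oid' (stable per user in the tenant), not 'sub', which is pairwise per client.
    subject = claims["oid"]
    roles = roles_from_claims(claims)
    with conn:
        conn.execute("DELETE FROM user_role WHERE subject = ?", (subject,))
        conn.executemany(
            "INSERT INTO user_role (subject, role) VALUES (?, ?)",
            [(subject, r) for r in sorted(roles)],
        )
    return sorted(
        r for (r,) in conn.execute("SELECT role FROM user_role WHERE subject = ?", (subject,))
    )
```

Roles are derived only from group ids you have mapped explicitly; a new group created in the customer's directory grants nothing until someone adds it to the mapping, which is the safe default.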

Authentication vs Authorization?

I'm new to Azure ADB2C, and am confused by some of the terminology.
I am building a motorcycle ride monitoring website that I would like users to be able to log in to by verifying a social media identity (Google & Microsoft Account, for now).
But I only want users who are members of the site to be able to use certain features. For example, I'd like everyone who authenticates to be able to apply for membership, read about the benefits of membership, etc., but I only want members to be able to initiate ride monitoring.
Is the recommended approach here to only authorize (rather than authenticate, if I'm understanding the terminology correctly) certain authenticated users (i.e., members) to use the ride monitoring services?
If so, what's the best way to authorize a member? Look up their email (which I require to be returned from the authentication process) in a standalone database and proceed accordingly? If I go that way, what's the simplest way of adding their membership status to their credential, so I can access it throughout the site?
Apologies for not providing code here. I've got a bit of it hanging around :) but this is more of a design question than a coding one.
Azure AD B2C is primarily Authentication as a Service. There are ways in which it can be used for what you are trying to achieve here.
You can use custom (extension) attributes in AADB2C (https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-custom-attr) in combination with the AAD Graph APIs (https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet). So when the user authenticates and applies for membership, you can call the AAD Graph API to set the custom attribute on the user object. You can get the extension attribute in the token after authentication happens. This token will give you the membership of the user.
You can also use AAD Groups instead of custom attributes. In the tenant, create membership groups. Once the user authenticates, call AAD Graph to set/get the user's membership of a group, and that will give the authorization information.
You can also do what you described, maintaining the info in a database store of your application. But the first two options use the built-in user management functionality.
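An added example (not part of the original answer) of the custom-attribute option, using Microsoft Graph rather than the AAD Graph endpoint the answer links to. The point it makes is the naming mismatch that trips people up: Graph addresses the attribute as extension_{appId without dashes}_{Name}, while the B2C token carries it as extension_{Name}. The extensions-app id, the attribute name MembershipStatus and the action names are assumptions.

```python
"""Membership as a B2C custom (extension) attribute: written via Graph, read from the token
(constructed example)."""

# Assumption: appId of the 'b2c-extensions-app' in the B2C tenant (constructed value).
B2C_EXTENSIONS_APP_ID = "25883231-668a-43a7-80b2-5e4a1b3e7d3f"
GRAPH = "https://graph.microsoft.com/v1.0"
ATTRIBUTE = "MembershipStatus"
ALLOWED_STATUSES = {"none", "pending", "member"}

# Constructed: only these actions require an approved member.
ACTIONS_REQUIRING_MEMBERSHIP = {"start_ride_monitoring"}


def graph_attribute_name(app_id, attribute):
    # Microsoft Graph addresses the attribute as extension_<appId without dashes>_<Name> ...
    return f"extension_{app_id.replace('-', '')}_{attribute}"


def token_claim_name(attribute):
    # ... but the B2C-issued token exposes the same attribute simply as extension_<Name>.
    return f"extension_{attribute}"


def graph_patch_request(user_object_id, status):
    """Build the PATCH that records a membership decision on the user object.

    Sent server-side with an app-only Graph token (User.ReadWrite.All); the browser
    never holds that credential. Returned as a dict so an HTTP layer can serialize it.
    """
    if status not in ALLOWED_STATUSES:
        raise ValueError(f"unknown membership status {status!r}")
    return {
        "method": "PATCH",
        "url": f"{GRAPH}/users/{user_object_id}",
        "body": {graph_attribute_name(B2C_EXTENSIONS_APP_ID, ATTRIBUTE): status},
    }


def authorize(claims, action):
    """Decide from the validated token: anyone signed in may browse or apply, only members may monitor.

    The claim reflects the attribute at token issuance, so a newly approved member gets the
    new value on the next sign-in or token refresh, not instantly.
    """
    status = claims.get(token_claim_name(ATTRIBUTE), "none")
    if status not in ALLOWED_STATUSES:
        status = "none"  # an unexpected value never grants access
    if action in ACTIONS_REQUIRING_MEMBERSHIP:
        return status == "member"
    return True
```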

Requesting Azure AD permissions on-demand

We have a multi-tenant single-page app (and backend) that uses Azure AD for authenticating users. We'd like to do queries to customers' Azure AD for retrieving groups, but make it opt-in behavior for customers (tenants). The reasoning behind that is that not all customers necessarily need the functionality and would rather not grant us access to their AAD unnecessarily.
Is there some way of implementing this with Azure AD?
I've been trying to test with different OAuth /authorize calls with resource IDs and scopes, but mostly I end up with the error "AADSTS65001: The user or administrator has not consented to use the application with ID ''. Send an interactive authorization request for this user and resource." Configuring the web app or backend to require the permission would surely fix the error, but that would also make approval of it mandatory for all users of the app.
Is there a way of using the authorize/consent API to request access to a new application on-demand?
An ugly workaround that should work would be to have 2 client IDs and 2 backend IDs with different permissions, but ADAL.js doesn't seem to be designed to work with multiple client IDs (it's a singleton, for starters). Also, Application Permissions should of course work, but I'm not sure how many of those are required to search for groups.
Is there a way of using the authorize/consent API to request access to a new application on-demand?
Do take a look at Azure AD v2.0. With its incremental & dynamic consent model, it is possible to do so, though I am not sure if this specific functionality (managing groups) is available there.
I had a discussion with Azure AD team member recently about this (as we are also facing the same problem) and he suggested that we take a look at this.
Essentially, the way things work in Azure AD v2.0 is that you start with a basic set of permissions (like sign in, read profile etc.). Then when some tenant needs a specific permission, you essentially ask them to grant those permissions to your application at that time only. What this means is that different users in your application have granted different permissions to your application.
If you are using MSAL, and looking for a way to dynamically change your scopes before authenticating, have a look at this: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/v2-docs/configuration.md#msalguard---dynamic-auth-request
More here: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/v2-docs/configuration.md#platformbrowserdynamic
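An added example (not from the original answer, and not MSAL's own code) of the per-tenant opt-in the question asks for, built on the v2.0 endpoints the answer points to. Every tenant signs in with base scopes only; a customer who wants group lookups sends their admin through the v2.0 admin consent endpoint once, and from then on the app requests GroupMember.Read.All only for that tenant. Client id, redirect URIs, tenant ids and the opted-in set are constructed. The state check on the consent callback is the part not to skip: without it an attacker could complete a consent redirect into someone else's session.

```python
"""Per-tenant opt-in to group reads with the Azure AD v2.0 admin consent endpoint
(constructed example)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
BASE_SCOPES = ["openid", "profile", "User.Read"]  # every tenant grants these at sign-in
GROUP_SCOPES = ["GroupMember.Read.All"]           # only tenants that opt in grant this


def new_state():
    # Unguessable state binds the redirect back to the session that started it (anti-CSRF).
    return secrets.token_urlsafe(32)


def scopes_for_tenant(tenant_id, opted_in_tenants):
    # Ask for the group scope only where an admin already granted it; asking anywhere else
    # is exactly what produces AADSTS65001 / a consent prompt for that tenant's users.
    return list(GROUP_SCOPES) if tenant_id in opted_in_tenants else []


def authorize_url(tenant, client_id, redirect_uri, state, nonce, extra_scopes=()):
    """Standard v2.0 sign-in request; extra_scopes is how scopes are added incrementally."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(BASE_SCOPES + list(extra_scopes)),
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def admin_consent_url(tenant_id, client_id, redirect_uri, state):
    """One-time link for an opting-in customer's admin; other tenants never see the prompt."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(GROUP_SCOPES),
        "state": state,
    }
    return f"{AUTHORITY}/{tenant_id}/v2.0/adminconsent?{urlencode(params)}"


def parse_admin_consent_callback(callback_url, expected_state):
    """Return the tenant id that granted consent, or None if the redirect is not a valid grant."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        return None  # not a redirect this session initiated
    if "error" in q or q.get("admin_consent", [""])[0].lower() != "true":
        return None  # admin declined, or AAD returned an error
    return q.get("tenant", [None])[0]


def needs_interactive_consent(token_error):
    """Token-endpoint errors meaning 'this tenant has not granted the scope yet'."""
    return token_error.get("error") in {"consent_required", "interaction_required"} or (
        "AADSTS65001" in token_error.get("error_description", "")
    )


def scopes_in(url):
    """Helper for inspecting what a built request actually asks for."""
    return parse_qs(urlparse(url).query).get("scope", [""])[0].split()
```

Record the tenant id returned by parse_admin_consent_callback in your opted-in set; it is the only trustworthy signal that consent was granted, since the redirect itself is under the browser's control and a missing admin_consent=True or a mismatched state must be treated as no grant.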
