OAuth "Pass Through" Authentication with Azure B2C - azure

I have an application that uses Azure B2C.
If the starting point for a user is my application, it's easy to add an external identity provider, such as Facebook or Google.
It would follow the standard OAuth flow of:
Go to my site
Click login
Get redirected to B2C
Click the Facebook button and log in
B2C returns authenticated user details to my site.
However, I now have the situation where my site is not the starting point.
The flow is:
User is logged in at 'Company A'
User clicks a button to go to my site
An authentication step occurs automatically
User is now authenticated on my site.
If I were in charge of authentication (using ASP.NET Identity, for example), 'Company A' could call an API on my site with a single-use code, and I could send back the token. Then when the user was redirected, I could get that token back from 'Company A'.
However, not being in charge of the auth step, I'm having trouble.
I don't think we want to be using a SAML flow (different spec). The SSO Session Overview doesn't seem to be of much help. There might be something in custom policies that can do this, but I'm lost.
I think the doc I need might be 'Pass an access token through a custom policy', but the fact they use Facebook in the example confuses me, as Facebook wouldn't be calling Azure B2C, or passing me anything about Facebook that I can use to send to B2C.
So, using Azure B2C, how can I get a user who is logged into another site to be logged in to my site automatically please?

Related

Azure B2C - How to skip sign in page for profile edit flow on mobile app

According to the documentation here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-profile-editing-policy?pivots=b2c-custom-policy, the profile edit flow will show the sign-up or sign-in page if there is no active session. If the session is active, then Azure AD B2C authorizes the user and skips to the next step.
However, if I understand correctly, this 'session' would be in the form of a cookie, right? If that's the case, what would happen with mobile apps?
Mobile apps don't use cookies. After logging in, they only have the ID token, access token and refresh token. So if a user logs in on an app and then wants to do a profile edit flow, how would the app tell the browser that the user is already logged in?
If you are using the web view redirect flow, a cookie is set in the web view which then gives SSO for profile edit. You don’t need to configure anything in B2C to make it behave like this, it’s default.

AD B2C Authenticated user

I have a use case to integrate “ADB2C” with a “Java application” for user authentication, and we are using the Microsoft MSAL libraries in the integration.
Here is the scenario I'm facing currently: once a user navigates to the Java web application and hits the “Login” button, the user is redirected to the B2C sign-in page, the user is authenticated successfully, and we receive an access token successfully.
But after the user has logged in and tries to access an authenticated app on the website, it asks the user to log in again, which is unexpected.
Please suggest, for this scenario, whether the changes have to be made in the code or on the B2C custom policy side to overcome this issue. I really appreciate your time in considering this.

Understanding B2C magic link

We have an asp.net core application which uses a custom policy for Azure B2C local accounts and social accounts. Now we want to allow access for some pages of the application for users, which are not in B2C directory and we want to send these users a link in an email to give them temporarily access.
We followed the instructions for "magic links" in B2C: we can send a link in an email and we are successfully redirected by B2C to our application with an "id_token" in the query string.
What we don't understand: should we check the returned id token ourselves and start a session for the user ourselves, or can we use the asp.net authentication middleware so that the user is handled like an "authenticated" user and we can use claims to allow them limited access only? We cannot find an example application that uses the returned "id_token" to start an authenticated session.
If you are using an MSAL client-side library, it would do all this for you.
From the client side, it would be pretty much the same as authenticating.

Azure ad b2c custom policy with KMSI, auto signin not working after browser close

I have created an Azure AD B2C custom sign-in policy with the KMSI (keep me signed in) option, and am using it in a Blazor Server application,
but automatic sign-in is not working after the browser is closed; I need to click the 'Login' button.
After clicking the login button there is no need to enter credentials again, if the KMSI check box was checked at the time of the previous sign-in.
But I want to sign in automatically if the KMSI check box was checked at the time of sign-in.
Could you check the authorization request the app sends to Azure AD B2C, whether it contains the prompt=login query string parameter? If yes, please make sure to remove this param.
This is expected, your app cookie is not persisted, so the app has no idea you’re still logged in at B2C. Therefore you have to click login in the app and then you get SSO through AAD B2C.
You could maintain a cookie set by the app to automatically send the user via the login endpoint if they had signed in previously with KMSI. You can use a claims resolver to send the KMSI claim into the token so your app can understand the user logged in with KMSI.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview
I tested the KMSI functionality on my side, and I can repro your symptom. My test is based on this demo: https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi
This is my test process:
Registering a local account.
Logging in with this account, with KMSI enabled.
I logged in successfully:
Close the browser, reopen it and go to my app index. My index page is allowed to be visited anonymously, so it does not know who I am. I think this is the issue you are concerned about:
But when I click the “Claims” tab, which requires users to be authenticated, it redirects to my B2C domain:
As I enabled KMSI, there is a cookie under my B2C domain:
As this cookie exists, B2C provides me with the resource I requested: the B2C side sends a request to the redirect URL with the ID token and code:
Finally, it redirects to the “Claims” page and this app knows who I am:
In a word, there are two kinds of sessions here: a session between the user and B2C, and a session between the user and your application.
Once you close your browser, by default you lose the cookie for the user on your application, so when users access a page of your app that needs no auth after reopening the browser, there is no cookie and your application does not know the user. But on the B2C side, the cookie is persisted due to KMSI. Only when users request some functionality that needs to be authenticated on your app are they redirected to the B2C domain, and B2C sending the users' information to your app is what makes KMSI work.
In my opinion, extending the lifetime of your application cookie may be a solution here. At the same time, you also need to extend the session timeout to make sure that your application recognizes that long-lifetime cookie. But as we know, it will consume a lot of server RAM if it holds lots of sessions.
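As an added example (not code from either answer above), the following stdlib-only Python sketches the app-side logic the two KMSI answers describe: keep a marker cookie when the token carries the KMSI claim, use it to kick off the B2C redirect silently for anonymous pages once the app session is gone, and check that the authorization request does not carry prompt=login. The cookie name and the claim name are assumptions; B2C's own session handling is untouched.

```python
"""Added example: app-side support for KMSI-backed automatic sign-in (stdlib only)."""
from urllib.parse import parse_qs, urlsplit

KMSI_COOKIE = "kmsi_hint"  # assumed name of the app's persistent marker cookie
KMSI_CLAIM = "kmsi"        # assumed name of the claim the policy emits via a claims resolver


def kmsi_cookie_from_token(id_token_claims, days=30):
    """After the sign-in callback, decide whether to set a long-lived marker cookie.

    Only the marker is persisted, never the session: it carries no identity and
    just records that B2C is likely to still hold an SSO cookie for this browser.
    Returns the cookie attributes to emit, or None when KMSI was not chosen."""
    value = id_token_claims.get(KMSI_CLAIM)
    if value is not True and str(value).lower() not in ("true", "1"):
        return None
    return {"name": KMSI_COOKIE, "value": "1", "max_age": days * 86400,
            "secure": True, "httponly": True, "samesite": "Lax"}


def route_anonymous_request(request_cookies, session_cookie="app_session"):
    """Decision for pages that allow anonymous access.

    App session present: serve normally. Session gone (browser closed) but the
    marker present: start the login redirect so B2C's persisted cookie can
    finish it without prompting. Clear the marker if that round trip ends in a
    cancelled or failed sign-in, or the app will keep redirecting."""
    if request_cookies.get(session_cookie):
        return "serve"
    if request_cookies.get(KMSI_COOKIE) == "1":
        return "redirect_to_login"
    return "serve_anonymous"


def check_authorize_request(url):
    """List settings in the outgoing authorization request that defeat silent
    sign-in; prompt=login makes B2C demand credentials regardless of KMSI."""
    params = parse_qs(urlsplit(url).query)
    problems = []
    if "login" in params.get("prompt", []):
        problems.append("prompt=login forces re-authentication; remove it")
    return problems
```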

Azure AD B2C - Sign out a user from all sessions

I have 3 websites using a single B2C tenant. I have been asked to set it up so that when a user signs out of one website, they are signed out of all of them.
Likewise if their account is deleted.
I thought that I would have to introduce a call to Azure on every request to determine if the user is still logged in, but as far as I can see, there isn't a Graph API endpoint that would allow me to determine the user status.
Am I thinking about this the wrong way? Is there a way to do this easily using B2C, Graph API, the Active Directory client etc.?
Maybe there is an option when setting up the OpenIdConnectAuthenticationOptions for example.
According to the description in the Azure documentation:
While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their Facebook account entirely. However, in the case of local accounts, the user's session will be ended properly.
So you can directly use the end_session_endpoint. You can find it in the metadata document for the b2c_1_sign_in policy endpoint, e.g.:
https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=b2c_1_sign_in
You can refer to Azure Active Directory B2C: Web sign-in with OpenID Connect for more info.
Any further concern, please feel free to let me know.
I might be late, but in case it helps. According to the docs:
When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.
Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.
This is called single sign-out.
Please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-overview#single-sign-out
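As an added example (not code from either answer above), here is a stdlib-only Python sketch of the two relying-party pieces those answers describe: building the RP-initiated sign-out URL from the policy metadata's end_session_endpoint, and the LogoutUrl handler that clears the app's own session and answers 200 when B2C calls it during single sign-out. The metadata document, the post-logout allow-list and the session cookie name are constructed assumptions.

```python
"""Added example: relying-party sign-out helpers for Azure AD B2C (stdlib only)."""
import json
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed stand-in for the policy metadata document the answer points at
# (.../v2.0/.well-known/openid-configuration?p=b2c_1_sign_in); a real app fetches it.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0/",
    "end_session_endpoint": "https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com"
                            "/oauth2/v2.0/logout?p=b2c_1_sign_in",
})

# Assumed allow-list of return pages; keeps the sign-out step from becoming an open redirect.
ALLOWED_POST_LOGOUT = {"https://app.example.com/signed-out"}


def build_signout_url(metadata_json, id_token, post_logout_redirect_uri):
    """Build the URL the browser is sent to for RP-initiated sign-out.

    The policy travels in the ?p= query of end_session_endpoint, so the query
    from the metadata is kept and the logout parameters are appended to it."""
    if post_logout_redirect_uri not in ALLOWED_POST_LOGOUT:
        raise ValueError("post_logout_redirect_uri is not allow-listed")
    endpoint = json.loads(metadata_json)["end_session_endpoint"]
    scheme, netloc, path, query, _ = urlsplit(endpoint)
    params = parse_qs(query)
    params["id_token_hint"] = [id_token]
    params["post_logout_redirect_uri"] = [post_logout_redirect_uri]
    return urlunsplit((scheme, netloc, path, urlencode(params, doseq=True), ""))


def handle_logout_url(request_cookies, session_store, cookie_name="app_session"):
    """Handler for the LogoutUrl registered on the B2C app registration.

    B2C issues a plain GET here when the user signs out of another app in the
    same tenant. Drop whatever app session the browser presents (assumed to be
    keyed by cookie_name) and answer 200 with an empty body, as the quoted
    documentation requires. If the browser withholds the cookie (third-party
    cookie blocking), there is nothing to clear, but the response is still 200."""
    session_id = request_cookies.get(cookie_name)
    if session_id in session_store:
        del session_store[session_id]
    return 200, ""
```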
Microsoft has an API for this by now. I link to the following blog, as the documentation is currently wrong.
microsoft developer blog: revokeSignInSessions & invalidateAllRefreshTokens
Request
POST https://graph.microsoft.com/beta/users/{id}/revokeSignInSessions
Response
HTTP/1.1 204 No Content