I have an app that was developed using Angular 9 and we are using the login with Azure AD B2C.
The users that we have in the Azure AD B2C are Member(type).
We have a new requirement where we have to embed power apps in the web app (iframe tag - Canvas App), but we saw that always ask for sign in, but we want to re-use the token generated with the login to see the power app.
We created the power apps in the same directory as the Azure AD B2C and we shared it to everyone.
I tested the #microsoft/powerappsplayersdk sdk for angular but it's still not working, exists a getAccessToken function but neither works
Any ideas about what is missing? or what I have to do to avoid login again when I try to see a power app within my web application?
What token issuer does power apps is expecting? Microsoft B2C token is issued by *.b2clogin.com endpoint and not by microsoftonline.com endpoint. This typically means that token issued by B2C cannot be used as-is by O365 and other services that don't accept B2C as a issuer.
Related
I'm investigating Azure AD B2C as a possible auth service, which we want to use for user management and authentication. We have a web application, Web API which we can easily integrate with AAD B2C and migrate our current authentication and user management.
However, I did not find any solution how to authenticate mobile applications and integrate it with azuere ad b2c. Our mobile app communicates also with web api but it does not need any user login. These applications are tied to a tenant and every mobile app instance has an API key that is used to authenticate the mobile app on the backend.
Is it possible with azure ad b2c to achieve that kind of authentication, that we will generate API keys for our mobile apps and will use the same ad in azure like the normal users? Is possible with azure ad b2c or we should use another azure service?
What are the best practices in this area? It is similar to the backend to backend communication where API keys are used. Thx.
The normal way for such a scenario would be to use the client credentials flow, where you use your ClientID + ClientSecret for a silent login in order to get a non-personalized AccessToken.
Although it seems that this type of flow is currently not supported by AD B2C. Have a look here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/application-types#current-limitations
As an alternative, that page is refering to the client credentials flow of the Microsoft Identity Platform (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow).
I guess it now depends on the detailed requirements of your application whether it could be an option for you to use.
We use an Azure AD B2C Api. The user authentication via Angular Frontend works fine.
Now, we created a separate BackgroundService project (.net core 3.0) that needs to access the api, too. The service runs without a user authentication.
In a standard Azure AD Api I would authenticate the service by using ClientId and Secret.
How can I authenticate the service against the B2C Api without user authentication?
Client credential flow is not currently supported by Azure AD B2C. See Current limitations.
It seems that the article is not very clear and confuses some customers. But the author has provided more details in the answer.
How can I implement a native custom login (and register) screen that connects towards a Microsoft Azure AD B2C?
This is the setup:
I have a mobile application developed in Xcode/Swift that...
...needs to register and login (new) users agains an Azure Active Directory B2C (notice the B2C here, as there are also other AD solutions by Microsoft)
The solution that Microsoft offers can be found here: https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msal. But this opens a safari window which is not the user experience I am looking for:
Instead I want to build a native login screen (UIViewController) with my own layout and design, but still want to use the Azure Active Directory B2C.
How could this be done?
For sign-in, you can implement a native page that integrates with a resource owner password credentials policy in the Azure AD B2C tenant, which will enable a user's credentials to be POSTed to the Azure AD B2C tenant for validation:
POST /tfp/yourtenant.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token HTTP/1.1
Host: yourtenant.b2clogin.com
Content-Type: application/x-www-form-urlencoded
grant_type=password&
username=leadiocl%40trashmail.ws&
password=Passxword1&
scope=openid+bef22d56-552f-4a5b-b90a-1988a7d634ce+offline_access
client_id=bef22d56-552f-4a5b-b90a-1988a7d634ce&
response_type=token+id_token
For sign-up, a client credential is required to request an access token for the Azure AD Graph API to create an Azure AD B2C user, so if you are wanting to implement a native page then you will have to consider also implementing a backend/proxy API that protects the client credential.
I'm trying to build a setup where my Xamarin forms app authenticates with Facebook, and when done gets a token from the Azure AD B2C to use when requesting data from my API.
So far I have native Facebook login up and running, meaning no web UI login, but uses the user's Facebook app and I get a the Facebook access token. This is the one I want to use when requesting a token from the Azure AD B2C
My issue now is how I should integrate this with Azure AD B2C. I want the API to be protected using Azure AD B2C and that part is enabled too, but I need the App to request a token before it can access my API. This is the part where I'm not sure if it is possible yet, with out letting the Azure AD popup with some UI.....
At this time, Azure AD B2C does not support acknowledging authentication that occurred outside of B2C.
You should request either support for the Facebook SDK and/or more broadly, supporting swapping tokens obtained outside of B2C for B2C tokens via the Azure AD B2C feedback forum
We have chosen Azure AD for authenticating users for the Enterprise Web applications developed using MVC and hosted on Azure Cloud Platform.
We are trying to plan & develop a common portal for the users to which they can login using Azure AD login screen. This Portal will display the links to the cloud applications to which the user has access and they could access the cloud application from this portal.
Please let me know whether this is feasible since I have read in many places that the Azure AD token assigned to the user from Azure AD is valid only for one resource or registered application. Does that mean that when they try to login into another Cloud application registered to the same Azure AD from the portal, they will need to login again or re-use the Azure AD token for the portal in the browser session cookie for logging into the other applications?
It's true that your users authenticate against an application registered in Azure AD and that the issued token is only valid for that application.
However, the user establishes a session with the authorization server (Azure AD) and will not be prompted for credentials when redirected there to authenticate against another registered application.
So your portal page can just contain links to the URLs for the applications. Each application redirects the user to Azure AD for authentication and the user is only prompted for credentials for the first application he/she logs in to.