I would like to set up authorization in a dotnet web api project using Azure B2C with device code flow.
I have successfully set up this sample https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapi with my Azure B2C tenant and my custom signin policy. I can obtain an access token using Postman if I select the OAuth 2.0 authorization type.
Now I would like to use Postman to obtain an access token and call my API using device code flow. The problem is I can't find any documentation or sample on how to do this. The docs show how to do this using a regular Azure tenant, not a B2C tenant having a custom signin policy.
I can obtain a device code using Postman and go to https://microsoft.com/devicelogin and use that code, but I can't log in using the users I set up in my B2C tenant. Also, I can't find any way to make it use my own custom signin policy defined in my B2C tenant.
Is there any way to use device code flow with an Azure B2C tenant?
Based on the documentation https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc it is not supported.
Only authorization code/hybrid/implicit flows are supported.
I have an SPA made with React.
And user authentication is done with Azure AD B2C.
Right now, we are trying to figure out a mechanism to get an access token to access the backend after a user logs in.
The backend is Azure functions.
I think it is set up through "Application Registration" in Azure AD B2C, but I don't know the details.
I see that there is an Azure Functions URL
http://[yourapp].azurewebsites.net/api/[funcname]?code=[functionkey]
but where should I set it?
Please tell me...
No, functionkey is an authorization at the function level; it has no relationship with Azure AD B2C. You need to add some code to send the received bearer token against Azure AD to validate it.
There's a full sample about how to do it in here: https://medium.com/cheranga/azure-functions-validate-azure-active-directory-tokens-using-your-own-custom-binding-4b4ff648d8ac
We are facing an issue while implementing authentication using an Azure AD B2C instance.
Our Requirement:
SignUp:
For the signup process, we have to call an external API to check some status in that API; if the API returns true then create a user in Azure AD B2C, or else return with some error on it.
Assume a user is created successfully in Azure AD B2C (within the same Userflow), and now we want to store some custom fields that we have configured in Azure AD B2C; those custom fields need to also be stored in our own database, and not in the default database provided for Azure AD B2C.
SignIn:
For the sign-in process, we have to call an external API to check some status in that API; if the API returns true then continue with the authentication flow, or else return with some error details.
Please help me with this.
Solution Approach:
Approach 1: Use the inbuilt UserFlows provided in Azure AD B2C (SignUpSignIn, SignUp, SignIn, PasswordReset, Profile)
Problems faced with Approach 1:
During the authentication process, we want to include our own customized page for MFA after the signup or sign-in page.
We are not able to call an external API after the user is successfully created or logs in with the existing Userflow.
This is pretty "easily" achievable using the Custom (Trust Framework) Policies.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-trust-frameworks
There's also a nice example of using a REST API within
https://github.com/azure-ad-b2c/samples/tree/master/policies/rest-api-idp
Note: The example here is using the REST call for authentication purposes, but should outline how you use a REST Technical Profile to achieve the flow you are looking for.
We created an application in Azure B2C to use the OIDC implicit grant flow. We have configured the Userflow policy (SignIn and SignUp) to customize the homepage layout and to get the custom claims in response. We are using Azure B2C as an external Identity Provider (IdP) in our application. When the user clicks the Login button in our application we redirect the user to Azure B2C for authentication and we are able to get the access token in response. But we are facing a constraint in getting the user profile through the UserInfo endpoint. We have tried both the Graph API endpoint and the Azure B2C OIDC userinfo endpoint, but neither of them is compatible with the Userflow policy.
I believe the workaround suggested is applicable only if we need to grab some extra input from the user (during sign-up) or do input validation and then pass that claim to the application. It will unnecessarily require using the "Identity Experience Framework" feature, which is ideally required for a custom login/signup journey and is not available under the free license.
What I understand from your requirement is that you need to pass built-in Azure AD attributes to the application, which should be doable by selecting extra claims from the "User Flow" signup-signin policy. Is there no alternative to make a call to the "userinfo" endpoint out of the box? Any Microsoft expert here, please clarify.
As of now, Azure AD B2C does not support the UserInfo endpoint through User-flow policy.
Right now, it is being supported only through Custom Policies.
You can vote for this feature on Azure AD User Voice.
A workaround is that you could integrate a Rest API to retrieve the extra claims.
See reference here.
I am very new to Azure B2C and trying to explore the options available to manage the identities in B2C. I have registered a web application and also created the required custom policy in the B2C tenant. When I try to run the workflow from the Azure B2C portal, I am able to redirect to the registered application with an IdToken and also able to view the ID token information in https://jwt.io
Below are some of the questions which require clarification
Suppose I have a hyperlink in my web application (Asp.Net web form) which redirects the user to Azure B2C. On successful signin in Azure B2C, how do I validate and process the ID Token and fetch the user information in the web application? I have seen code samples related to the button click event.
How to refresh the token in the above case.
The easiest way is to use the MSAL library on the client side.
This does all this for you.
You get back an id_token and an access token.
Only an access token can be refreshed.
I successfully implemented Azure Active Directory for user management/authentication/login in a web app, following this example:
Azure Sample AAD with Flask
I decided to try Azure Active Directory B2C because of its integration for the various social apps. However, I could not get the flask app to work using OAuth 2.0, since Azure AD B2C does not seem to be compatible with OAuth 2.0. I found some documentation that states Azure AD B2C requires Open ID Connect.
Could you please confirm whether Azure Active Directory B2C requires Open ID Connect, or whether it works with OAuth 2.0 as well?
Thanks
It is worth noting that Azure Active Directory B2C (AAD B2C) supports both OpenID Connect and OAuth 2.0, in that it uses these two protocols to exchange information and secure tokens. However, AAD B2C "extends" these protocols by introducing Policies to handle the user experience for Sign-up, Sign-in and general account management.
What does this mean? First off, it means that you cannot create your own sign-up/sign-in experience; you are restricted to redirecting the user to the right policy (which you can customize to some extent). You cannot create your own sign-up/-in UI for this and you are restricted to styling/branding the provided web-based UI.
So in order to authenticate using AAD B2C you could follow this guide; it should be easy enough to adapt to Python. You simply redirect the user to the /authorize endpoint of the AAD B2C and then validate the JWT you receive.
Azure AD B2C supports both OpenID Connect and OAuth 2.0 as noted in the official reference protocols documentation.
To be able to sign-in users with Azure AD B2C using OAuth 2.0 and Flask, you'll need to adapt the sample to follow the OAuth 2.0 approach used in this sample: An Android application with Azure AD B2C using OAuth. Key things you'll need to adapt:
You'll need to specify the B2C authorization and token endpoints: https://login.microsoftonline.com/tfp/TENANT_NAME/POLICY_NAME/oauth2/v2.0/authorize. Example from Android sample
You'll need to add your application/client ID as a scope. Example from Android sample
You won't be able to call the Graph's /me endpoint for token validation and to get user details. You'll need to validate the token and extract the claims from it yourself (ideally through a good JWT open source library since this isn't trivial, unfortunately I don't know any that I can recommend at this time).
EDIT
I've created a python sample for Azure AD B2C and used python-jose for token validation and claim retrieval. Check it out.
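The following is an added example, not the answerer's python-jose sample and not code from the Azure Functions article linked in the earlier answer. It shows what "validate the token and extract the claims yourself" means for a B2C bearer token arriving at a backend (a Flask route or an Azure Function): look the `kid` up in the policy's JWKS, verify the RS256 signature, then pin issuer, audience and validity window. To run offline without `python-jose` or `cryptography`, it carries a small RSA implementation and generates its own key, JWKS and tokens in-process; `TENANT_NAME`, `POLICY_NAME`, `CLIENT_ID` and the `kid` are placeholders, and in production the JWKS and the expected `issuer` value are loaded from the policy's discovery document instead.

```python
"""Added example (not the answerer's python-jose sample): validate a B2C bearer token on the API side.
TENANT_NAME, POLICY_NAME and CLIENT_ID are placeholders; in production load the JWKS and the expected
issuer from the policy's discovery document rather than from the in-process key used here."""
import base64, hashlib, json, random, time

def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Minimal RS256 (RSASSA-PKCS1-v1_5 with SHA-256) so the demo runs offline with no third-party package.
# A real service delegates this to python-jose or PyJWT; validate_b2c_token below is the point.
def _is_probable_prime(n, rounds=16):
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def generate_rsa_keypair(bits=1024):
    def prime(b):
        while True:
            p = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(p): return p
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % 65537:
            return {"n": p * q, "e": 65537, "d": pow(65537, -1, (p - 1) * (q - 1))}

_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")   # DER prefix for a SHA-256 digest
def _pkcs1_encode(msg, k):
    t = _DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")
def rs256_sign(msg, key):
    k = (key["n"].bit_length() + 7) // 8
    return pow(_pkcs1_encode(msg, k), key["d"], key["n"]).to_bytes(k, "big")
def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _pkcs1_encode(msg, k)

# JWT plumbing: a JWKS entry for the public key, and a signed token shaped like what B2C issues.
def _int_b64(i): return b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
def jwk_from_key(key, kid):
    return {"kty": "RSA", "use": "sig", "kid": kid, "n": _int_b64(key["n"]), "e": _int_b64(key["e"])}
def mint_token(claims, key, kid, alg="RS256"):
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = rs256_sign(f"{head}.{body}".encode(), key) if alg == "RS256" else b""
    return f"{head}.{body}.{b64url_encode(sig)}"

class TokenError(Exception): pass

def validate_b2c_token(token, jwks, expected_issuer, expected_audience, now=None, skew=60):
    """Return the claims if the token was issued by our policy for our API; raise TokenError otherwise."""
    now = time.time() if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h64)), json.loads(b64url_decode(c64)), b64url_decode(s64)
    except ValueError: raise TokenError("malformed token")
    if header.get("alg") != "RS256": raise TokenError("unexpected alg")   # never let the token pick the algorithm
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    if key is None: raise TokenError("unknown kid")                       # refresh the JWKS once on key rotation
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{h64}.{c64}".encode(), sig, n, e): raise TokenError("bad signature")
    if claims.get("iss") != expected_issuer: raise TokenError("wrong issuer")   # pins the tenant and the policy
    aud = claims.get("aud"); aud = aud if isinstance(aud, list) else [aud]
    if expected_audience not in aud: raise TokenError("wrong audience")       # token minted for another app
    if now < claims.get("nbf", 0) - skew or now >= claims.get("exp", 0) + skew: raise TokenError("expired or not yet valid")
    return claims

# Constructed demo tenant: placeholders, not real identifiers.
ISSUER = "https://login.microsoftonline.com/tfp/TENANT_NAME/POLICY_NAME/v2.0/"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # the API's application (client) ID
KID = "demo-kid-1"
DEMO_KEY = generate_rsa_keypair()
JWKS = {"keys": [jwk_from_key(DEMO_KEY, KID)]}

def demo_claims(**override):
    now = int(time.time())
    return {**{"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-object-id", "tfp": "POLICY_NAME",
               "nbf": now - 60, "exp": now + 3600, "scp": "read"}, **override}

def demo():
    # Run the validator over a good token and the usual bad ones; returns case -> outcome.
    good = mint_token(demo_claims(), DEMO_KEY, KID)
    h64, _, s64 = good.split(".")
    cases = {"good": good,
             "other_app": mint_token(demo_claims(aud="11111111-1111-1111-1111-111111111111"), DEMO_KEY, KID),
             "other_policy": mint_token(demo_claims(iss=ISSUER.replace("POLICY_NAME", "OTHER_POLICY")), DEMO_KEY, KID),
             "expired": mint_token(demo_claims(exp=int(time.time()) - 3600), DEMO_KEY, KID),
             "alg_none": mint_token(demo_claims(), DEMO_KEY, KID, alg="none"),
             "tampered": f"{h64}.{b64url_encode(json.dumps(demo_claims(scp='admin')).encode())}.{s64}"}
    out = {}
    for name, tok in cases.items():
        try: out[name] = "accepted:" + validate_b2c_token(tok, JWKS, ISSUER, CLIENT_ID)["sub"]
        except TokenError as ex: out[name] = "rejected:" + str(ex)
    return out
```

In a Flask route or an Azure Function the token comes from the `Authorization: Bearer ...` header, the JWKS is fetched once from the policy's discovery document and cached, and an unknown `kid` triggers a single refresh before the request is rejected. The issuer check is what ties the token to one specific user flow; a token from another policy in the same tenant has a different `iss` and is refused, which is why neither Graph's `/me` nor a generic "is this signed by Microsoft" check is a substitute.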
Based on the documentation here, Azure AD B2C supports both OpenID Connect and OAuth 2.0 protocols.
Azure Active Directory (Azure AD) B2C provides identity as a service for your apps by supporting two industry standard protocols: OpenID Connect and OAuth 2.0. The service is standards-compliant, but any two implementations of these protocols can have subtle differences.