does the azure App Service Authentication module suport azure aad b2c? - azure

I have a UWP app that needs a backend. I want to use azure app service and need set an authentication for the background.
The App Service Authentication module can easily set and Authentication for the app.
I wish to use AAD B2C, but the App Service authentication module say that it does not support aad 2.0/msal. So, does the App Service Authentication module can support AAD B2C?
And, how can I verify the AAD B2C token signature on the webservice? Microsoft doc said can use some library to verify the AAD B2C token signature, can msal be used to Verify the AAD B2C token signature on a asp.net core web service?

does the App Service Authentication module can support AAD B2C?
Yes, App Service easy auth supports AAD B2C, you can configure it under Advanced management mode.
Set the Client ID to be the Application Client ID from Azure AD B2C tenant.
Set the Issue URL to be the Metadata Endpoint for the policy.
https://tonyb2ctest.b2clogin.com/tonyb2ctest.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_testsignupin
Note: don't forget to set the reply url in azure ad tenant application https://XXX.azurewebsites.net/.auth/login/aad/callback
how can I verify the AAD B2C token signature on the webservice?
Many open-source libraries are available for validating JWTs, it doesn't matter with Azure App service.

Related

Azure AD B2C authenticate with API key

I'm investigating Azure AD B2C as a possible auth service, which we want to use for user management and authentication. We have a web application, Web API which we can easily integrate with AAD B2C and migrate our current authentication and user management.
However, I did not find any solution how to authenticate mobile applications and integrate it with azuere ad b2c. Our mobile app communicates also with web api but it does not need any user login. These applications are tied to a tenant and every mobile app instance has an API key that is used to authenticate the mobile app on the backend.
Is it possible with azure ad b2c to achieve that kind of authentication, that we will generate API keys for our mobile apps and will use the same ad in azure like the normal users? Is possible with azure ad b2c or we should use another azure service?
What are the best practices in this area? It is similar to the backend to backend communication where API keys are used. Thx.
The normal way for such a scenario would be to use the client credentials flow, where you use your ClientID + ClientSecret for a silent login in order to get a non-personalized AccessToken.
Although it seems that this type of flow is currently not supported by AD B2C. Have a look here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/application-types#current-limitations
As an alternative, that page is refering to the client credentials flow of the Microsoft Identity Platform (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow).
I guess it now depends on the detailed requirements of your application whether it could be an option for you to use.

Azure Web API authorize token generated by Azure AD and Azure AD B2C

I have react native app which uses Azure AD B2C (as it is available outside our organization) and a backend admin SPA with Azure AD as it is only for our employees.
I have a node backend with provides api for both the app, now how to validate the tokens generated by AD B2C app and AD app.
One solution is to use Azure AD as external identity provider in Azure AD B2C and use Azure AD B2C app for the both RN external facing app and backend admin SPA, this will work, the issue being here is we will have employee information on both AD & AD B2C.
What is the right way of doing these kind of integration. Any help is greatly appreciated. Thanks
Handle it in the back-end side / API side. So essentially, in the API side, you have two or more ways of authenticating a user.
In the case of AD and AD B2C, it'll be like setting up two JWT auth providers.

Request a JWT from azure B2C application in ASP.NET Core

I have two APIs.
Admin API (.NET Core API)
Healthcare API (Azure function API)
I need to call an endpoint in Healthcare API, and it should be called from admin API. I know the best way is to use gRPC but no time for that now.
Healthcare API is authorized with an azure b2c application. And the admin API is authorized with another azure b2c application. So from Admin API, I can't call the Healthcare API because of this authorization. (Can't use allow anonymous because it's an azure function API)
One solution that came to my mind is to get a jwt token in Admin API, from the b2c application that used to authorize healthcare API. But o idea of how to do this.
Is the above solution is good? And is it doable? Are there any ways of doing this without moving into gRPC?
Thanks in advance.
If these 2 B2C apps belong to the same B2C tenant, and you just want to make admin API to call Healthcare API, maybe you can just use OAuth 2.0 client credentials grant flow.
Although the OAuth 2.0 client credentials grant flow is not currently directly supported by the Azure AD B2C authentication service, you can set up client credential flow using Azure AD and the Microsoft identity platform /token endpoint for an application in your Azure AD B2C tenant. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants.
just as below:

Cross Azure AD resources

If there are 2 companies with different domains, one is companyA and the other is companyB, they both have an Azure AD, Azure AD B2C and backend mobile application (backendA and backendB).
There are existing front-end mobile App mobileA which can access backendA after Azure AD B2C authentication of companyA and mobileB access backendB after Azure AD B2C authentication of companyB.
For my case, I want mobileA call the api of backendB after authentication of Azure AD B2C of companyA. But after getting the token from companyA, how backendB check the token is valid?
Thanks!
lihoma
You can register backendB in companyA's tenant as an app.
The mobileA app can acquire a token for backendB from its own tenant.
Then backendB will need to add support for companyA's tokens in addition to supporting companyB's tokens.

Azure B2C Authentication without user

We use an Azure AD B2C Api. The user authentication via Angular Frontend works fine.
Now, we created a separate BackgroundService project (.net core 3.0) that needs to access the api, too. The service runs without a user authentication.
In a standard Azure AD Api I would authenticate the service by using ClientId and Secret.
How can I authenticate the service against the B2C Api without user authentication?
Client credential flow is not currently supported by Azure AD B2C. See Current limitations.
It seems that the article is not very clear and confuses some customers. But the author has provided more details in the answer.

Resources