Azure B2C Authentication without user - azure-ad-b2c

We use an Azure AD B2C Api. The user authentication via Angular Frontend works fine.
Now, we created a separate BackgroundService project (.net core 3.0) that needs to access the api, too. The service runs without user authentication.
In a standard Azure AD Api I would authenticate the service by using ClientId and Secret.
How can I authenticate the service against the B2C Api without user authentication?

Client credential flow is not currently supported by Azure AD B2C. See Current limitations.
It seems that the article is not very clear and confuses some customers. But the author has provided more details in the answer.

Related

Azure AD B2C authenticate with API key

I'm investigating Azure AD B2C as a possible auth service, which we want to use for user management and authentication. We have a web application, Web API which we can easily integrate with AAD B2C and migrate our current authentication and user management.
However, I did not find any solution for how to authenticate mobile applications and integrate them with Azure AD B2C. Our mobile app also communicates with the web API, but it does not need any user login. These applications are tied to a tenant, and every mobile app instance has an API key that is used to authenticate the mobile app on the backend.
Is it possible with Azure AD B2C to achieve that kind of authentication, where we generate API keys for our mobile apps and use the same AD in Azure as for the normal users? Is it possible with Azure AD B2C, or should we use another Azure service?
What are the best practices in this area? It is similar to the backend to backend communication where API keys are used. Thx.
The normal way for such a scenario would be to use the client credentials flow, where you use your ClientID + ClientSecret for a silent login in order to get a non-personalized AccessToken.
Although it seems that this type of flow is currently not supported by AD B2C. Have a look here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/application-types#current-limitations
As an alternative, that page is referring to the client credentials flow of the Microsoft Identity Platform (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow).
I guess it now depends on the detailed requirements of your application whether it could be an option for you to use.
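Both answers above point the same way: Azure AD B2C has no client credentials grant, so a daemon or mobile-instance caller gets its app-only token from the Microsoft identity platform endpoint instead, and the API then has to accept tokens from two issuers (the B2C one for users, the login.microsoftonline.com one for the service). The following is an added example, not code from the thread: it builds the client credentials request for the v2.0 token endpoint with only the standard library, and shows the claim checks an API would run after its JWT middleware has verified the signature. Tenant id, client id, application ID URI and the claim sets are constructed placeholders.

```python
"""Client credentials next to a B2C-protected API (added example, not from the thread)."""
import json
import time
import urllib.parse
import urllib.request

# Constructed placeholders; not a real tenant, app registration or API.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
API_CLIENT_ID = "22222222-2222-2222-2222-222222222222"
API_APP_ID_URI = f"api://{API_CLIENT_ID}"

# Issuers the API trusts: B2C for user tokens, the identity platform for app tokens.
ISSUER_B2C = f"https://contoso.b2clogin.com/{TENANT_ID}/v2.0/"
ISSUER_ENTRA = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
ALLOWED_ISSUERS = {ISSUER_B2C, ISSUER_ENTRA}
# B2C tokens carry the API's client id as aud; v2.0 app tokens for the
# ".default" scope may carry the application ID URI, so both are accepted.
ALLOWED_AUDIENCES = {API_CLIENT_ID, API_APP_ID_URI}


def build_client_credentials_request(tenant_id, client_id, client_secret, scope):
    """Return (token_endpoint, form_body) for the Microsoft identity platform
    v2.0 client credentials grant (RFC 6749 section 4.4, form-encoded body).
    The scope for this grant has to be '<resource>/.default'."""
    endpoint = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    return endpoint, body


def request_token(tenant_id, client_id, client_secret, scope):
    """POST the request and return the parsed JSON token response.
    This performs a network call and is not exercised by the tests."""
    endpoint, body = build_client_credentials_request(tenant_id, client_id, client_secret, scope)
    req = urllib.request.Request(endpoint, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def classify_caller(claims, allowed_issuers, allowed_audiences, now=None):
    """Classify signature-verified claims as a B2C user or a daemon app.
    Returns ("user", scopes), ("app", roles), or None when the token is rejected.
    Signature verification is assumed to have happened in the JWT middleware;
    this function only applies the issuer, audience and lifetime checks."""
    now = time.time() if now is None else now
    if claims.get("iss") not in allowed_issuers:
        return None
    if claims.get("aud") not in allowed_audiences:
        return None
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return None
    scp = claims.get("scp")
    if scp:
        # Delegated token: a signed-in user, authorization by scopes.
        return ("user", set(scp.split()))
    # App-only token: no user, authorization by app roles granted to the client.
    return ("app", set(claims.get("roles", [])))


# Constructed claim sets standing in for decoded, already-verified tokens.
USER_CLAIMS = {"iss": ISSUER_B2C, "aud": API_CLIENT_ID, "nbf": 900, "exp": 4500,
               "sub": "user-object-id", "scp": "read write"}
APP_CLAIMS = {"iss": ISSUER_ENTRA, "aud": API_APP_ID_URI, "nbf": 900, "exp": 4500,
              "roles": ["Jobs.Run"]}
FOREIGN_CLAIMS = {"iss": "https://login.microsoftonline.com/other-tenant/v2.0",
                  "aud": API_APP_ID_URI, "nbf": 900, "exp": 4500, "roles": ["Jobs.Run"]}

if __name__ == "__main__":
    endpoint, body = build_client_credentials_request(
        TENANT_ID, CLIENT_ID, "<client-secret-placeholder>", f"{API_APP_ID_URI}/.default")
    print(endpoint, body.decode())
    for name, claims in (("user", USER_CLAIMS), ("app", APP_CLAIMS), ("foreign", FOREIGN_CLAIMS)):
        print(name, classify_caller(claims, ALLOWED_ISSUERS, ALLOWED_AUDIENCES, now=1000))
```

The split into `build_client_credentials_request` and `request_token` keeps the request construction testable without a network; in a .NET service the same request is what MSAL's confidential client sends, and the claim checks map onto the two authorities the API's bearer middleware has to be configured with.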

In which scenario I should use Authentication link from Web App Azure Portal and in which scenario I have to use MSAL Library

I want to Authenticate user using Azure AD.
I have an application registration in Azure AD and everything is set up. I am using the Authentication link from the Azure Portal web app settings section.
According to the Microsoft documentation, the MSAL library is recommended.
When should I use the MSAL library, and when should I use Azure Portal Authentication?
Azure Portal => Settings=> Authentication.
Authentication link from Web App Azure Portal is Easy Auth.
It does not conflict with whether you use MSAL.
You can take a look at Why use the built-in authentication?.
An important reason is:
The built-in authentication feature for App Service and Azure Functions can save you time and effort by providing out-of-the-box authentication with federated identity providers, allowing you to focus on the rest of your application.
When you enable Easy Auth, Azure will create an app registration which represents your web app. Any attempts to access your web app will require sign-in with your Azure AD account.
You can also use the app registration Azure created for you (or create your own app registration without enabling Easy Auth) to configure with MSAL. MSAL is a mature framework and you can find the following benefits here.
Easy Auth uses Implicit Flow by default to sign in. If your web app requires other auth flows (e.g. auth code flow, client credentials flow), using MSAL would be a better choice.

Power App authentication with Azure ADB2C

I have an app that was developed using Angular 9 and we are using the login with Azure AD B2C.
The users that we have in the Azure AD B2C are Member(type).
We have a new requirement where we have to embed Power Apps in the web app (iframe tag - Canvas App), but we saw that it always asks for sign-in, and we want to re-use the token generated at login to see the Power App.
We created the power apps in the same directory as the Azure AD B2C and we shared it to everyone.
I tested the #microsoft/powerappsplayersdk SDK for Angular, but it's still not working; a getAccessToken function exists, but it doesn't work either.
Any ideas about what is missing, or what I have to do to avoid logging in again when I try to see a Power App within my web application?
What token issuer is Power Apps expecting? A Microsoft B2C token is issued by the *.b2clogin.com endpoint and not by the microsoftonline.com endpoint. This typically means that a token issued by B2C cannot be used as-is by O365 and other services that don't accept B2C as an issuer.

Is it possible to use Azure AD B2C authentication via its API?

Context
I've successfully created and configured an Azure B2C tenant and an ASP.NET Core 3.1 Web Application which uses AD B2C built-in workflows to authenticate users.
Question
In the application described above, the login forms (even though their design is customized by me) are provided and hosted by the Azure AD B2C infrastructure.
Is it possible to use my entirely custom login form (hosted in my web app), get the typed credentials from the users, then call the Azure AD B2C API to do the authentication and get the token?... or is it not a supported scenario, and must the credentials form always be hosted by the Azure AD B2C infrastructure...
From a web app this is not supported. We do support an ROPC flow from mobile apps.

Manage user from Azure AD B2C using AD Graph API - secure access

We are building a Xamarin native mobile app and using Azure AD B2C for authenticating users using their social logins.
We decided to use the MSAL native library (Xamarin) for authenticating with B2C. Our mobile app is also required to manage (full access) the signed-in user's profile. Since this feature isn't available in MSAL, we have decided to go with ADAL for the time being. I followed the instructions provided in the link below and the sample works. But I started experimenting by deleting the API access granted to the application (created in the B2C tenant) and then ran the application with the "Get-user" parameter. The application is still able to get the users from AD. Not sure how secure this is.
Then I deleted the application key from the B2C tenant application and ran the console application sample, and received an error: AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.
Trace ID: cef09957-06bf-462e-a0c3-4ed6bae11e00
Correlation ID: afab126d-8694-479a-8a21-c12eb7cb176c
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Any idea why this is happening? I would like to implement this in a Xamarin.iOS app, and any guidance is much appreciated.
The answer to this is very similar to the answer to your other question: Exception access Azure AD B2C using ADAL library for user management, which can be summarized as:
Azure AD B2C does not yet support delegated permissions to the Azure AD or Microsoft Graph. The correct way to work around this limitation at this time is to have your native client application call a web API (using MSAL) which would in turn call the Graph API (using ADAL). This web API is an API you build which has authorization logic to scope the user management operations.
Once user management in Azure AD B2C is supported via the Microsoft Graph, you won't need this API and will be able to use delegated permissions (vs application permissions using client credentials) to have your native client application talk directly to the Microsoft Graph. In the interim, you'll have to stand up your own Web API as per the guidance above.
UPDATE: the Azure AD v2.0 endpoint and Microsoft Graph API now support client credentials flow, so you can also use MSAL for your Microsoft Graph API calls. However if you need to call the Azure AD Graph, then you will still need to use ADAL.
