ID Token Validation in Azure B2C - azure-ad-b2c

I am very new to Azure B2C and trying to explore the options available to manage the identities in B2C. I have registered a web application and also created the required custom policy in the B2C tenant. When I try to run the workflow from the Azure B2C portal, I am redirected to the registered application with the ID token and I am also able to view the ID token information in https://jwt.io
Below are some of the questions which require clarification:
Suppose I have a hyperlink in my web application (ASP.NET Web Forms) which redirects the user to Azure B2C. On successful sign-in in Azure B2C, how do I validate and process the ID token and fetch the user information in the web application? I have seen code samples related to a button click event.
How do I refresh the token in the above case?

The easiest way is to use the MSAL library on the client side.
This does all this for you.
You get back an id_token and an access token.
Only an access token can be refreshed.

Related

How does Azure B2C handle refresh tokens when an external identity provider is involved?

I've been trying to find how Azure B2C handles the token refresh when there is a third party IDP involved.
So, let's say I have an Azure B2C tenant, and I have added an identity provider configuration for a customer. Let's say that all users with the #customer.com email are redirected to 'Customer's' IDP for authentication. Let's say I have a mobile application which uses Azure B2C to obtain access and refresh tokens for an API that we own.
When the user accesses the mobile app for the first time, the mobile app redirects the user to Azure B2C. If there is no external identity provider involved, the user will login with a username and password to the local Azure B2C directory, and Azure B2C will return an access token and a refresh token to the mobile app. The mobile app will use the access token to access the backend API. When the access token expires, the app will submit the refresh token to Azure B2C to obtain a new access token and new refresh token. This much I understand.
Now, when we add an external identity provider, the mobile app redirects the user to Azure B2C, and then the user is redirected to the external IDP where they authenticate. A token is submitted back to Azure B2C authenticating the user, and Azure B2C issues an access token and refresh token to the mobile app. When the access token expires, the mobile app will submit the refresh token back to Azure B2C to obtain a new access token.
Now, I have the following questions:
Does Azure B2C connect back to the external IDP to verify the account status has not changed? If the account is disabled at the external customer's IDP, then Azure B2C should not issue a new access token.
If the external IDP (and underlying directory) has an update, such as to email address, or name of the user, how is that information going to be reflected in the refreshed token issued to the mobile app?
If Azure B2C does reach back out to the external IDP each time the B2C token is refreshed, what protocol does B2C use? Does it use OAuth and maintain it's own refresh token to the external IDP? Or, does it use Open ID Connect, and reinitiate the initial login process every time with the external IDP? If the latter, and there is no valid cookie or valid session at the external IDP, the user will have to go through a login or SSO flow on their external IDP again.
Ideally, I would like to have the external IDP dictate the lifetime of access tokens and refresh tokens by copying these claims from the external token to the Azure B2C issued token. I would like Azure B2C to make a roundtrip back to the external IDP each time the B2C token is refreshed, in order to insure the access is still valid, and that if any of the user's information changed it is reflected downstream in our apps. I also want the user of the mobile app to only have to login the one time (using refresh tokens), until the user's external IDP dictates that the token is no longer valid. Is this possible?
No. You would have to do this via Graph API.
In general, to get the claims updated you have to logout and login. However, it seems there's a fix for this on the way for B2C. See this. I doubt if this handles external IDP.

Does Azure B2C provide REST API for login?

I have one application integrated with an Azure B2C directory. Our problem is that the login page is redirecting to the Azure B2C portal (its own custom page) to authenticate or authorize users and then reverting back to the original website.
I need to open a popup with my own website's login design, and at the backend I am able to call an Azure B2C REST API to validate users.
How can I create a REST API for login in the Azure B2C portal?
Let me know if you have any information about the same.
As juunas said in the comment, you could use the resource owner password credentials (ROPC) flow to validate users at the backend. You could call the API with the POST request at the end. Note: ROPC supports local accounts only.
Try to create a resource owner user flow first.
You need to replace the username and password with the user's to be verified.
POST https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1A_<ROPC_Auth name of the flow>/oauth2/v2.0/token
username=<username>
&password=<password>
&grant_type=password
&scope=openid <application-id> offline_access
&client_id=<application-id>
&response_type=token+id_token

Azure B2C Userflow v2.0(SignUp and SignIn) - unable to find Userinfo endpoint

We created an application in Azure B2C to use the OIDC implicit grant flow. We have configured the user flow policy (sign-in and sign-up) to customize the homepage layout and to get the custom claims in the response. We are using Azure B2C as an external identity provider (IdP) in our application. When the user clicks the Login button in our application we redirect the user to Azure B2C for authentication and we are able to get the access token in the response. But we are facing a constraint in getting the user profile through the UserInfo endpoint. We have tried both the Graph API endpoint and the Azure B2C OIDC userinfo endpoint, but neither of them is compatible with the user flow policy.
I believe the workaround suggested is applicable only if we need to grab some extra input from the user (during sign-up) or do input validation and then pass that claim to the application. It will unnecessarily require using the "Identity Experience Framework" feature, which is ideally required for a custom login/signup journey and is not available under the free license.
What I understand from your requirement is that you need to pass built-in Azure AD attributes to the application, which should be doable by selecting extra claims from the "User Flow" sign-up/sign-in policy. Isn't there any alternative to call the "userinfo" endpoint out of the box? Any Microsoft expert here, please clarify.
As of now, Azure AD B2C does not support the UserInfo endpoint through User-flow policy.
Right now, it is being supported only through Custom Policies.
You can vote for this feature on Azure AD User Voice.
A workaround is that you could integrate a Rest API to retrieve the extra claims.
See reference here.

How to manage user sign in and sign up processes in web API

I have a web API as backend and a mobile app in which users can sign up and sign in and call (protected) web API methods to post and get some data from the user. I am using Azure AD B2C to authorize and authenticate users with policies. After a user has signed up or signed in, the mobile side has an access token and uses this token in requests to the web API.
But in my scenario, the mobile side will send the username to the web API and I will use the Microsoft Graph API to create the user with that username and a default password. (The first request is without a user token because there is no user at this time, or it can be a special token that both sides know.) After I create the user on the server side, I want to get an access token using the objectId that came in the response to the create request, or I want to know how to get an access token.
When I have the token, I will send this token to the mobile app, and then the mobile app will send requests to the web API using the access token that came from the server.
I wonder whether this scenario is possible and can be implemented.
Architecturally, if I understand correctly, you want to protect your mobile app and web API using Azure AD B2C, which is clearly possible.
You need to do the following:
Create an AD B2C tenant.
Configure a sign-up or sign-in policy
Use the steps in the Azure AD B2C documentation to create a sign-up or sign-in policy. Name the policy SiUpIn. Use the example values provided in the documentation for Identity providers, Sign-up attributes, and Application claims. Using the Run now button to test the policy as described in the documentation is optional.
Register the API in Azure AD B2C
In the newly created Azure AD B2C tenant, register your API using the steps in the documentation under the Register a web API section.
After the API is registered, the list of apps and APIs in the tenant is displayed. Select the API that was previously registered. Select the Copy icon to the right of the Application ID field to copy it to the clipboard. Select Published scopes and verify the default user_impersonation scope is present.
After adding authentication to your web API, you can test it using Postman. For that you have to register Postman under your B2C tenant.
Since Postman simulates a web app that obtains tokens from the Azure AD B2C tenant, it must be registered in the tenant as a web app. Register Postman using the steps in the documentation under the Register a web app section. Stop at the Create a web app client secret section.
The newly registered web app needs permission to access the web API on the user's behalf.
Select Postman in the list of apps and then select API access from the menu on the left.
Select + Add.
In the Select API dropdown, select the name of the web API.
In the Select Scopes dropdown, ensure all scopes are selected.
Select Ok.
For calling a web API you need to get the bearer token before making the actual web API request.
To make an authenticated request to the web API, a bearer token is required. Postman makes it easy to sign in to the Azure AD B2C tenant and obtain a token. Taking Postman as a sample tool:
- On the Authorization tab, in the TYPE dropdown, select OAuth 2.0. In the Add authorization data to dropdown, select Request Headers. Select Get New Access Token.
- Complete the GET NEW ACCESS TOKEN dialog as follows:
- Select the Request Token button.
- Postman opens a new window containing the Azure AD B2C tenant's sign-in dialog. Sign in with an existing account (if one was created testing the policies) or select Sign up now to create a new account. The Forgot your password? link is used to reset a forgotten password.
- After successfully signing in, the window closes and the MANAGE ACCESS TOKENS dialog appears. Scroll down to the bottom and select the Use Token button.
- Now you can test your web API with the token; also, if you want to save user information before that, you can do that. Also, it's the sign-up policy's job to create a user for you when you hit a request.
Hope it helps. Please let me know if you need any help.

Azure AD B2C - Sign out a user from all sessions

I have 3 websites using a single B2C tenant. I have been asked to set it up so that when a user signs out of one website, sign out of them all.
Likewise if their account is deleted.
I thought that I would have to introduce a call to Azure on every request to determine if the user is still logged in, but as far as I can see, there isn't a Graph API endpoint that would allow me to determine the user status.
Am I thinking about this the wrong way? Is there a way to do this easily using B2C, Graph API, the Active Directory client etc.?
Maybe there is an option when setting up the OpenIdConnectAuthenticationOptions for example.
According to the description in the Azure documentation:
While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their Facebook account entirely. However, in the case of local accounts, the user's session will be ended properly.
So you can directly use the end_session_endpoint. You can find it in the metadata document for the b2c_1_sign_in policy endpoint, e.g.:
https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=b2c_1_sign_in
You can refer to Azure Active Directory B2C: Web sign-in with OpenID Connect for more info.
Any further concern, please feel free to let me know.
I might be late, but in case it helps, according to the docs:
When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.
Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.
This is called single sign-out.
Please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-overview#single-sign-out
Microsoft has an API for this by now. I link to the following blog, as the documentation is currently wrong.
microsoft developer blog: revokeSignInSessions & invalidateAllRefreshTokens
Request
POST https://graph.microsoft.com/beta/users/{id}/revokeSignInSessions
Response
HTTP/1.1 204 No Content
