On this Microsoft documentation on Azure AD B2C, I read
OpenID Connect is recommended if you're building a web application that's hosted on a server and accessed through a browser. If you want to add identity management to your mobile or desktop applications using Azure AD B2C, you should use OAuth 2.0 rather than OpenID Connect.
What are the roles of OpenID Connect and OAuth 2.0 in Azure AD B2C, and what features do they separately support?
The question is not quite correct. On the same page you can read
OpenID Connect extends the OAuth 2.0 authorization protocol for use as an authentication protocol. This authentication protocol allows you to perform single sign-on. It introduces the concept of an ID token, which allows the client to verify the identity of the user and obtain basic profile information about the user.
OpenID Connect (OIDC) is an extension or superset standard/RFC of OAuth 2.0. Both protocols define authentication flows; while OAuth2 is a bit generic, a general framework that gives a lot of freedom of choice, OIDC specifies important aspects in detail. OIDC adds an id_token in JWT format in addition to the access token, flows like the Hybrid flow, token introspection endpoints etc. to OAuth2.
Usually OAuth2 comes together with OIDC. If you want to know the difference in detail, there are RFCs for OIDC and OAuth2.
So your question is about the protocol difference; you can find a lot of information in addition to the RFCs. Here is an IMO good article link.
In short:
OAuth2
access token use but not format specified
Authorization Code Grant
Implicit Grant
Resource Owner Password Credential Grant
Client Credential Grant
OIDC
extension of access token by id_token use. id_token in JWT format
token endpoints, self issued token, offline access
Authorization Code Flow (extension to Authorization Code Grant)
Implicit Flow (extension Authorization Code Grant)
Hybrid Flow
B2C is focused on use from the client application side, from consumer applications. When you create an IdP, Azure B2C supports already existing social providers (Facebook, Microsoft etc.), which in fact are OIDC with proprietary extensions, or a custom OIDC IdP. In terms of API and authentication flows, and this is very typical for any IdP, it supports both, so you can use the HTTP API for OAuth2 or OIDC, and OIDC is recommended.
Related
Can someone tell me if it's possible with the "Microsoft.Identity.Client" to do OpenIdConnect and get an access token which doesn't come from Microsoft/Azure but from another Identity Provider.
Thanks in advance.
Can someone tell me if it's possible with the "Microsoft.Identity.Client" to do OpenIdConnect and get an access token which doesn't come from Microsoft/Azure but from another Identity Provider
No, it's not possible to get an access token from third party identity provider if you are using Microsoft.Identity.Client with OpenIdConnect.
As per documentation:
With OIDC, this flow does authentication and authorization for most app types. These types include single page apps, web apps, and natively installed apps. The flow enables apps to securely acquire an access_token that can be used to access resources secured by the Microsoft identity platform.
All confidential clients have a choice of using client secrets or certificate credentials. Symmetric shared secrets are generated by the Microsoft identity platform.
You can refer to Microsoft identity platform and OpenID Connect protocol, Validating access tokens and Request an access token with a client_secret
Can someone help to login to an application having Microsoft OAuth authentication using JMeter? I'm having trouble to identify the unique token that is being used in the login call. Is there a way to identify?
Which OAuth exactly?
As of now the following OAuth 2.0 and OpenID Connect protocols are implemented/supported:
OpenID Connect
OAuth 2.0 implicit grant flow
OAuth 2.0 auth code grant
OAuth 2.0 on-behalf-of flow
OAuth 2.0 client credentials grant
The instructions will differ depending on your application authentication flow and covering all of them with examples in a single answer.
The universal way would be using e.g. the MSAL library from the JSR223 Test Elements using the Groovy language in order to get the access token.
I must preface by stating that I am not an expert in Microsoft AD, Azure AD, and Office 365. I've read scores of Microsoft documentation, support and Stackoverflow posts and have not been able to find an answer to this specific question.
I have a web application that has an option for users "Sign in with Office365". This was implemented using Microsoft's ADAL library and the OAuth 2.0 authorization flow.
I have a customer who uses ADFS and Azure Active Directory together (Federated Identity in this document). They are federating their user's sign-ins with AD FS which delegates authentication to an on-premise server that validates user credentials which in turn allows their users to access Office365 and other cloud services.
Their on-premise AD syncs with Azure AD and does not sync passwords.
My question is two fold:
1) Will the standard implementation of the OAuth 2.0 authorization flow work and support this setup? Will Azure AD know to go to ADFS to do the authentication?
2) Is it possible to leverage Azure AD and the OAuth 2.0 authorization flow as an IDP proxy to ADFS?
1) Will the standard implementation of OAuth 2.0 authorization flow work support this setup? Will Azure AD know to go to ADFS to do the authentication?
Yes, this works very well, as long as you have set up the federation with a verified custom domain using Azure AD Connect (Federated Identity in this document). I have live examples of it with a web application that uses the OAuth 2.0 Authorization flow (without requiring anything special from a web application code/configuration standpoint).
The flow is that you go to the Microsoft login page first > on selecting the work/school account and specifying the user name > you get the ADFS login page > after entering credentials there, it continues just like a normal Azure AD account would.
2) Is it possible to leverage Azure AD and the OAuth 2.0 authorization flow as an IDP proxy to ADFS?
In a way, yes. Although it's not a regular Federation trust setup with certificates being exchanged, as you have to use Azure AD Connect instead, like you mentioned in the link above (Federated Identity in this document).
I successfully implemented Azure Active Directory for user management/authentication/login in a web app, following this example:
Azure Sample AAD with Flask
I decided to try Azure Active Directory B2C because of its integration for the various social apps. However, I could not get the flask app to work using OAuth 2.0, since Azure AD B2C does not seem to be compatible with OAuth 2.0. I found some documentation that states Azure AD B2C requires Open ID Connect.
Could you please confirm whether Azure Active Directory B2C requires Open ID Connect, or whether it works with OAuth 2.0 as well?
Thanks
It is worth noting that Azure Active Directory B2C (AAD B2C) supports both OpenID Connect and OAuth 2.0, in that it uses these two protocols to exchange information and secure tokens. However, AAD B2C "extends" these protocols by introducing Policies to handle the user experience for Sign-up, Sign-in and general account management.
What does this mean? First off, it means that you cannot create your own sign-up/sign-in experience; you are restricted to redirecting the user to the right policy (which you can customize to some extent). You cannot create your own sign-up/-in UI for this and you are restricted to styling/branding the provided web-based UI.
So in order to authenticate using AAD B2C you could follow this guide; it should be easy enough to adapt to Python. You simply redirect the user to the /authorize endpoint of AAD B2C and then validate the JWT you receive.
Azure AD B2C supports both OpenID Connect and OAuth 2.0 as noted in the official reference protocols documentation.
To be able to sign-in users with Azure AD B2C using OAuth 2.0 and Flask, you'll need to adapt the sample to follow the OAuth 2.0 approach used in this sample: An Android application with Azure AD B2C using OAuth. Key things you'll need to adapt:
You'll need to specify the B2C authorization and token endpoints: https://login.microsoftonline.com/tfp/TENANT_NAME/POLICY_NAME/oauth2/v2.0/authorize. Example from Android sample
You'll need to add your application/client ID as a scope. Example from Android sample
You won't be able to call the Graph's /me endpoint for token validation and to get user details. You'll need to validate the token and extract the claims from it yourself (ideally through a good JWT open source library since this isn't trivial, unfortunately I don't know any that I can recommend at this time).
EDIT
I've created a python sample for Azure AD B2C and used python-jose for token validation and claim retrieval. Check it out.
Based on the documentation here, Azure AD B2C supports both OpenID Connect and OAuth 2.0 protocols.
Azure Active Directory (Azure AD) B2C provides identity as a service for your apps by supporting two industry standard protocols: OpenID Connect and OAuth 2.0. The service is standards-compliant, but any two implementations of these protocols can have subtle differences.
I'm comparing the new AD B2C features with the social authentication ability in Azure web service. Using the AD B2C approach I can't seem to find a way to access the underlying access token from a social provider like Facebook.
E.g. in Azure Web Services social authentication there was an http://example.com/.auth/me endpoint that would provide BACK the token to access the social provider's api.
Is that not available in B2C? If not that seems like a step backwards.
From what I can see, the answer is no (although I wish there was a way).
See this:
https://blogs.msdn.microsoft.com/appserviceteam/2016/06/22/app-service-auth-and-azure-ad-b2c/
OAuth Tokens: With Easy Auth, the application code has direct access to the provider-specific OAuth tokens. This is useful if you want to make graph API calls on behalf of the logged-in user (for example, calling the Facebook Graph to post a photo to the user’s timeline). B2C, however, does not expose the provider OAuth tokens to your application code.