Azure AD B2C custom native login screen for iOS - azure-ad-b2c

How can I implement a native custom login (and register) screen that connects towards a Microsoft Azure AD B2C?
This is the setup:
I have a mobile application developed in Xcode/Swift that...
...needs to register and log in (new) users against an Azure Active Directory B2C (notice the B2C here, as there are also other AD solutions by Microsoft).
The solution that Microsoft offers can be found here: https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msal. But this opens a Safari window, which is not the user experience I am looking for:
Instead I want to build a native login screen (UIViewController) with my own layout and design, but still use the Azure Active Directory B2C.
How could this be done?

For sign-in, you can implement a native page that integrates with a resource owner password credentials policy in the Azure AD B2C tenant, which will enable a user's credentials to be POSTed to the Azure AD B2C tenant for validation:
POST /tfp/yourtenant.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token HTTP/1.1
Host: yourtenant.b2clogin.com
Content-Type: application/x-www-form-urlencoded

grant_type=password&
username=leadiocl%40trashmail.ws&
password=Passxword1&
scope=openid+bef22d56-552f-4a5b-b90a-1988a7d634ce+offline_access&
client_id=bef22d56-552f-4a5b-b90a-1988a7d634ce&
response_type=token+id_token
For sign-up, a client credential is required to request an access token for the Azure AD Graph API to create an Azure AD B2C user, so if you want to implement a native page you will also have to consider implementing a backend/proxy API that protects the client credential.
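As an added example (not code from the question or answer, and not Microsoft's sample), the same ROPC exchange in Python: it builds the form body exactly as in the request above, POSTs it to the tfp token endpoint, and tells a token response apart from an error response. Tenant name, policy name and client_id are placeholders the caller supplies; the standard library is used instead of MSAL.

```python
# Added example (not from the original post or Microsoft's sample): build and
# send the ROPC token request shown above to an Azure AD B2C tenant, then
# interpret the JSON reply. Tenant, policy and client_id are caller-supplied
# placeholders; the offline helpers below never contact a real tenant.
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/tfp/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token"


def build_ropc_request(tenant, policy, client_id, username, password, scopes):
    """Return (url, headers, body) for a resource owner password credentials
    request. urlencode percent-encodes the form, so '@' becomes '%40' and the
    space-separated scope list becomes 'openid+<client_id>+offline_access'."""
    url = f"https://{tenant}.b2clogin.com" + TOKEN_PATH.format(tenant=tenant, policy=policy)
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": " ".join(scopes),
        "client_id": client_id,
        "response_type": "token id_token",
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, body


def parse_token_response(status, text):
    """Map the JSON token response to a dict. A rejected credential comes back
    as a non-200 status with 'error' and 'error_description' fields."""
    data = json.loads(text)
    if status != 200 or "error" in data:
        return {"ok": False, "error": data.get("error", "http_%d" % status),
                "description": data.get("error_description", "")}
    return {"ok": True, "access_token": data.get("access_token"),
            "id_token": data.get("id_token"),
            "refresh_token": data.get("refresh_token"),
            "expires_in": int(data.get("expires_in", 0))}


def request_tokens(tenant, policy, client_id, username, password, scopes):
    """Perform the POST over TLS; the password is sent once and never logged."""
    url, headers, body = build_ropc_request(tenant, policy, client_id, username, password, scopes)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return parse_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return parse_token_response(err.code, err.read().decode())
```

Call request_tokens with your tenant, the ROPC policy name and the app's client_id; the returned dict carries either the tokens or the error the tenant reported.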

Related

Is there a way to enable Microsoft Authenticator in Azure AD B2C?

In my project, this is a fundamental part of the project. Windows Hello for Business and MS Authenticator are secure and easy to use; the goal here is to enable this in Azure B2C SUSI to increase safety and provide a fast way to sign in for users.
The point is, is there a way to do that in B2C? Replace the normal password with a passwordless way of authentication.
There is a possibility to achieve multi-factor authentication using the Authenticator app. It is documented and a sample is provided here: Azure AD B2C: TOTP multi-factor authentication
With Azure Active Directory (Azure AD) B2C, you can integrate TOTP-based Multi-Factor Authentication so that you can add a second layer of security to sign-up and sign-in experiences in your consumer-facing applications. This requires using custom policy and custom REST API endpoint. If you already created sign-up and sign-in policies, you can still enable Multi-Factor Authentication.
Below is the user auth flow using TOTP:
At this time, MS does not support primary Auth using Authenticator for B2C. You can request this via the Azure AD B2C forum in feedback.azure.com
SMS and Phone verification are the options available as of now.

Power App authentication with Azure ADB2C

I have an app that was developed using Angular 9 and we are using the login with Azure AD B2C.
The users that we have in the Azure AD B2C are Member(type).
We have a new requirement where we have to embed power apps in the web app (iframe tag - Canvas App), but we saw that always ask for sign in, but we want to re-use the token generated with the login to see the power app.
We created the power apps in the same directory as the Azure AD B2C and we shared it to everyone.
I tested the #microsoft/powerappsplayersdk SDK for Angular, but it's still not working; there is a getAccessToken function, but that doesn't work either.
Any ideas about what is missing, or what I have to do to avoid logging in again when I try to see a Power App within my web application?
What token issuer is Power Apps expecting? The Microsoft B2C token is issued by the *.b2clogin.com endpoint and not by the microsoftonline.com endpoint. This typically means that a token issued by B2C cannot be used as-is by O365 and other services that don't accept B2C as an issuer.
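To make the issuer point concrete, here is an added example (not part of the original thread) that decodes a token's claims and classifies the issuer host, showing why a relying service that trusts only login.microsoftonline.com rejects a *.b2clogin.com token. The tokens and tenant ids are constructed, and the signature is deliberately not verified; that is the job of a JWT library with the issuer's signing keys.

```python
# Added example (not part of the original thread): decode the claims of a
# token and classify its issuer, to show why a token minted by *.b2clogin.com
# is not accepted by a service that only trusts login.microsoftonline.com.
# Tenant ids and tokens are constructed; the signature is NOT verified here.
import base64
import json
from urllib.parse import urlparse

B2C_SUFFIX = ".b2clogin.com"
AAD_HOST = "login.microsoftonline.com"


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the payload claims of a compact JWT without checking the signature.
    Real validation must verify the signature against the issuer's JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def issuer_kind(iss):
    """'b2c' for <tenant>.b2clogin.com, 'aad' for login.microsoftonline.com,
    otherwise 'unknown'. Only the host is inspected, never the path."""
    host = urlparse(iss).hostname or ""
    if host.endswith(B2C_SUFFIX):
        return "b2c"
    if host == AAD_HOST:
        return "aad"
    return "unknown"


def accepted_by(token, trusted_kinds):
    """True if the token's issuer kind is one the relying service trusts.
    A service that trusts only {'aad'} therefore rejects every B2C token."""
    claims = decode_claims(token)
    return issuer_kind(claims.get("iss", "")) in trusted_kinds


def make_unsigned_test_token(claims):
    """Build a JWT-shaped string for the offline demonstration only; the
    signature segment is a placeholder, so decode_claims must not trust it."""
    header = base64.urlsafe_b64encode(b'{"alg":"RS256","typ":"JWT"}').rstrip(b"=").decode()
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{header}.{payload}.placeholder-signature"
```

B2C tokens also carry the policy name in the tfp claim, which is a second thing an Azure AD-only service has no use for.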

Actual impact of deprecation of login.microsoftonline.com for B2C tenants

I am a bit confused by the wording on the announcement for the deprecation of login.microsoftonline.com for "B2C tenants".
New tenants created after this announcement will no longer be able to accept requests from login.microsoftonline.com.
My main concern is: How will this affect the client credentials grant? As far as I can see, this is only supported via login.microsoftonline.com.
Although client credential flow is not currently supported by Azure AD B2C, you can set up client credential flow using Azure AD. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants. The client credential flow is supported using the Azure AD functionality of the Azure AD B2C tenant.
Will the "Azure AD functionality" continue to work with login.microsoftonline.com indefinitely? If so, where can I draw the line of what this actually means?
I have created a new B2C tenant after the announcement. So far, everything works, even the B2C user flows via login.microsoftonline.com. The only difference at the moment is that I don't get the domain selection when I click on "run user flow".
My current understanding would be that "everything that uses B2C policies must use b2clogin.com" - everything else must continue to use login.microsoftonline.com.
Without policy:
https://login.microsoftonline.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token => working URL
https://mytesttenant.b2clogin.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token => 404
With policy:
https://login.microsoftonline.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_signupsignin => working URL
https://mytesttenant.b2clogin.com/mytesttenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_signupsignin => working URL
(my tenant is not actually named mytesttenant)
I think you will still be able to use client credentials flow in Azure AD B2C tenant.
The deprecation of login.microsoftonline.com just affects the Azure AD B2C functionality.
However, the client credentials flow is an Azure AD functionality, it should not be affected, the B2C tenant just shares the functionality with the normal Azure AD tenant.
I have created a new B2C tenant after the announcement. So far, everything works, even the B2C user flows via login.microsoftonline.com. The only difference at the moment is that I don't get the domain selection when I click on "run user flow".
I suppose we can, but we should not do this, as the UI has been changed; MS should not want the new users of Azure B2C (those who create a B2C tenant after the announcement) to use login.microsoftonline.com. The implementation has not been changed, which will give other users a transition period.
I got an official answer back via GitHub.
Use of b2clogin.com is enforced for B2C functionality only. Client Credentials flow is not supported for B2C applications. Since the app registered via App Registration under Azure AD B2C can also be used for standard Azure AD, which supports Client Credentials flow, for standard AAD functionality the use of b2clogin.com is not applicable; it requires login.microsoftonline.com only.
For more details, refer to: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-apps#daemonsserver-side-applications

Native Facebook login and Azure AD B2C using MSAL

I'm trying to build a setup where my Xamarin.Forms app authenticates with Facebook and, when done, gets a token from Azure AD B2C to use when requesting data from my API.
So far I have native Facebook login up and running, meaning no web UI login; it uses the user's Facebook app and I get the Facebook access token. This is the one I want to use when requesting a token from Azure AD B2C.
My issue now is how I should integrate this with Azure AD B2C. I want the API to be protected using Azure AD B2C, and that part is enabled too, but I need the app to request a token before it can access my API. This is the part where I'm not sure if it is possible yet without letting Azure AD pop up with some UI.
At this time, Azure AD B2C does not support acknowledging authentication that occurred outside of B2C.
You should request either support for the Facebook SDK and/or, more broadly, support for swapping tokens obtained outside of B2C for B2C tokens via the Azure AD B2C feedback forum.

API authentication for Azure AD B2C users?

Is there a back-end API available to programmatically authenticate the external user against the Azure AD B2C instance by passing in the user credentials from within an MVC web application (without showing the login page), as we do from a native client like a console application?
Authentication through a back-end API that accepts user credentials is achieved through the OAuth Resource Owner Password Grant.
Azure AD B2C does not support the "Resource Owner Password Grant" yet.
You can support this feature ask and get updates on its progress by voting for it in the Azure AD B2C feedback forum: Add support for Resource Owner Password Credentials flow in Azure AD B2C.