Create azure B2C which can reply to wildcard URL - azure-ad-b2c

In our project we are using B2C where the front-end is hosted on a webapp and gets the token and the backend is hosted on an API app and validates the token.
When developing we deploy the front-end and backend as needed, often with multiple copies for multiple developers.
The problem is that the B2C app registration requires to add the reply URL manually. Our development domains are generally under https://XXX###.azurewebsites.net. where XXX is a common prefix and ### is some number.
Is there a way to either define the reply URL programmatically (i.e. add it and remove it as we deploy/remove the instance) or to support wildcard reply URLs?
If the above is not possible is there a way to programmatically register a new application with a copy of all configurations of an existing one except the reply URL?

Wildcard redirect URLs are not supported in OAuth2. See this post: why are redirect URLs fully qualified.
And, unfortunately, we can't manage B2C programmatically.
UserVoice item: Programmatically manage B2C policies

Related

Azure Active Directory B2C with Azure Front door auth response uses wrong domain

We are using Azure Active Directory B2C in combination with Azure Front door. When signing in with a password and username it works fine, but when signing in with a social provider it shows the wrong domain.
Before sign in:
After sign in with social provider (loading before continuing with, in this case localhost)
The difference here, is that before the sign-in we have login.timchermin.com/login.timchermin.com and after we have login.timchermin.com/lokaalaybler.onmicrosoft.com. I would prefer the onmicrosoft.com to also be login.timchermin.com.
I tried putting https://login.timchermin.com/login.timchermin.com/oauth2/authresp in the google cloud app setting. But this will give the following error.
(How) Can I make it so that my authresp also includes the domain in after the first / ?
I am also using custom policies, if that makes a difference.
The domain login.timchermin.com is also set as the primary domain.
Please make sure that you have all redirect URLs registered properly in your social IDP. This is my configuration for the Facebook login. I also use Front Door with Azure AD B2C:
Redirect URL should be aligned with this pattern when using custom domain:
https://your-custom-domain/name-of-your-ad-b2c-tenant.onmicrosoft.com/oauth2/authresp

Azure B2C with dynamic redirect URI from staging Azure Static Webapp

I have an Azure Static Web App that hosts a vue app, it uses Azure B2C to authenticate.
I'd like to use the functionality of Static Web Apps where on each pull request in Azure Devops, it deploys to a unique staging environment, but since B2C creates a new URL for each branch, the URL isn't in B2C's redirect list and login fails. B2C does not allow me to use a wildcard URI.
How do I get Azure B2C to work with a static app staging branches when the URL for each one is different?
You could use the Azure CLI to add the reply-uri to the app registration in B2C when you spin up the new Static web app. Although this will require a clean up exercise to make sure you keep under the maximum number of URIs.
Another option would be to use a state parameter. When you make the request to login you store the url to the static web app you wish to be directed to. Then you login in and B2C redirects to a page which then reads the state and then moves you on to the correct url with a 302 response. This is outlined here: https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url#use-a-state-parameter
Make sure to read up on the security issues with that approach.

How to integrate the o365/m365 oauth flow with my slack app

I'm writing an app which will allow me to get specific data from outlook/exchange using the EWS on behalf of a slack/outlook/exchange user. to authenticate via Microsoft’s oauth flow I created a azure a client_id and would like to initiate the oauth flow for m265 from the apps Home Screen. In order to create the client I’d I also need to provide a redirect url within azure ad.
Where can I find documentation on how to best use external oauth flows? (This is not about installing/authorizing the app within slack).
I’d like to add a "connect to outlook" button on my apps home page after installing from which to start the flow.
Shall I call the Microsoft login (oauth) url directly or should I first link to my apps web server?
When calling the microsoft login I need to provide a redirect url (which needs to match the one in azure ad) to which the authorization codes gets returned.
For some apps (e.g. outlook calendar for slack) this seems be a slack url.
servicenow seems to use something like…
https://slack.com/interop-apps/servicenow/snow_oauth_redirect
Is there a way to define such an url for my app within slack?
How will the authorization code be handed over to my app (I assume to the Request url I defined for my app…?
Thank you for time and consideration..
• I am considering here that you are providing authentication for your application through Azure AD, thus, to configure redirect URIs after authorization code or token is received post successful authentication, please refer the below documentation on redirect URIs. It specifies in detail the configuration restrictions that should be followed while configuring a redirect URL in Azure AD: -
https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url
Similarly, to configure a redirect URL for an application in Slack, please check the callback URL settings configured because it is required while redirect URL is an optional thing. Also, Slack will redirect the users to the callback URL itself configured in app settings if redirect URL is absent. And if provided, the redirect URL's host and port must exactly match the callback URL. The redirect URL's path must reference a subdirectory of the callback URL. Please follow the below link for more information: -
https://api.slack.com/legacy/oauth
In the above URL, go to ‘Using access tokens’ and ‘Redirect URLs’ section for exact information.
• And as far as calling the Microsoft login (OAuth)URL directly or linking it to your app’s web server, I would suggest you provision your Azure AD users in Slack by following the below documentation link or configure SSO with Slack by adding it in Enterprise Applications in Azure AD from application gallery and then configure the API permissions required for accessing the data from Exchange through EWS. In this way, proper configuration and redirection can be achieved for the users which are allowed to access the specific data from Exchange.
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/slack-tutorial
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/slack-provisioning-tutorial

Azure AD B2C reply url to wildcard URL

I am using Azure 'B2C', and users are creating successfully in B2C. And I am using dynamic web apps. ie, there is number of web apps are present.
sssss01.example.com
sss2.example.com
wwwss2.example.com........
When a user want to login using B2C, it's successfully login, but it reply url is not correct. I checked in azure, B2C app not supporting wildcard(*). So Is there any option to add wildcard, or any other method to manage pragmatically ?
Sign in reply url is different for different web apps.
Wildcard redirect URLs are not supported in OAuth2. See: why are redirect URLs fully qualified.
Unfortunately, we can't manage B2C programmatically.
You can upvote this item on User Voice and subscribe to stay updated: https://feedback.azure.com/forums/169401-azure-active-directory
Others have suggested this same feature but the User Voice forum appears to be down right now.

Custom claims for azure ad app

Is it possible to add custom claim to app manifest in Azure AD application registry?
I want to have one end point to manage sso for different apps on different tenats.
So, app should have claim with redirect url, and during user assigment admin should change it to the coresponding app.
This is not the way how you handle redirecting to different URLs. Also because you have to properly form the authorization request by indicating a redirect_url. And how you would know redirect uri, if you do not know who is coming to your site?
Please first read the Application and service principal objects in Azure AD document. It will explain you in details what is an application and what is service principal. And how the two relate. And what it is to be multi tenant application.
After you read the document, you understand now that can only have a single application object. It is also good to pay attention to the Integrating Applications with Azure AD and Multi tenant applications in Azure AD.
You cannot use custom claims to manage redirect uri, because even when you ere able to create a custom claim in app manifest, its value is based on a user property.
The way you should handle this, is to properly handle the admin consent. You could always require an admin consent and, when you handle the admin consent response to your main redirect uri in the form of:
GET http://localhost/myapp/permissions?tenant=a8990e1f-ff32-408a-9f8e-78d3b9139b95&state=state=12345&admin_consent=True
you take a record of the tenant_id and ask the administrator for real redirect_id.
But, at the end of the day, you have to manage all redirect uris in your single app registration in your tenant. Are you sure you want to take that big expenditure. What does really make sense, is to offer a redirect uri which is subdomain of your application.
Thinking out a proper signup flow is really important part of a multi tenant application. Especially if you want custom domains per tenant.
The easiest would be to only have one domain for all tenant and simply redirect to them.
The other one - is to have your own custom signup flow where the user choses a subdomain in your domain and provides admin consent to fix that wish. After you receive the admin consent back (you have encoded the desired custom domain in the state parameter for example) you make the mapping between custom domain and tenant.

Resources