I'm pretty new to Azure and all its services, and I want to use Azure B2C to provide authentication for local users and FB providers. However, I noticed that I can't use the workflow I have defined in my mobile app, because Azure uses a redirect URL to load a browser and show the web page defined by them (or a custom one) according to the policies defined for sign-in.
I've been googling for a while, but there doesn't seem to be an option to have a web API that receives data from the mobile app and authenticates against Azure B2C.
Does anyone know if there's a way to not use the redirect URL and use the app login workflow?
Thanks!
Currently, Azure AD B2C doesn't have support for this.
However, work to support the Resource Owner Password Credentials flow in Azure AD B2C is in progress.
This new feature will enable the mobile app to collect a user credential and POST it to the B2C tenant for validation.
Related
I'm investigating Azure AD B2C as a possible auth service, which we want to use for user management and authentication. We have a web application and a Web API, which we can easily integrate with AAD B2C, and we can migrate our current authentication and user management.
However, I did not find any solution for how to authenticate mobile applications and integrate them with Azure AD B2C. Our mobile app also communicates with the Web API, but it does not need any user login. These applications are tied to a tenant, and every mobile app instance has an API key that is used to authenticate the mobile app on the backend.
Is it possible with Azure AD B2C to achieve that kind of authentication, where we generate API keys for our mobile apps and use the same AD in Azure as for the normal users? Is this possible with Azure AD B2C, or should we use another Azure service?
What are the best practices in this area? It is similar to backend-to-backend communication where API keys are used. Thanks.
The normal way for such a scenario would be to use the client credentials flow, where you use your ClientID + ClientSecret for a silent login in order to get a non-personalized access token.
However, it seems that this type of flow is currently not supported by AD B2C. Have a look here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/application-types#current-limitations
As an alternative, that page refers to the client credentials flow of the Microsoft Identity Platform (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow).
I guess it now depends on the detailed requirements of your application whether it could be an option for you to use.
I have a requirement to build a web app that connects to a customer's API (authenticated as the user using the web app). This same web app will need to connect to our own internal API which is authenticated with B2C.
The problem is that each customer has their own authentication server (always Okta) and so I couldn't add an IDP for each customer in a custom policy because I'd have to add thousands and continue to add them.
Is there a way to get IDP configuration programmatically so that I can look up the correct Okta instance?
Any other suggestions are welcome.
I had a limited chance to set up the above scenario and test it in a lab.
Add the app in Okta and set the parameters below, instead of adding the app in AAD.
Login redirect URI: https://{yourb2ctenantname}.b2clogin.com/{yourb2ctenantname}.onmicrosoft.com/oauth2/authresp
Change the following settings in the B2C Claims provider
Okta OpenId Connect Settings in B2C Policy:
ProviderName: https://{yourOktaTenant}/oauth2/default
METADATA: https://{yourOktaTenant}/oauth2/default/.well-known/openid-configuration
Reference link for custom policies in B2C:
https://github.com/mleziva/azure-b2c-okta-custom-policy
I would like to build a web site that will allow any customer to log in using their Azure AD. How can I do that? I have previously used authentication with Azure AD for my organization, but how can I enable that for any customer? Sort of like allowing customers to log in with Facebook or Google; instead, when they click login they will be redirected to Azure AD.
If you want to use a personal account or social account to log in to the Azure AD application, you only need to modify the manifest configuration of the existing application, and then change the /tenant id endpoint to the /common endpoint.
To change the setting for an existing AD App, navigate to its Manifest blade in the portal, find the signInAudience attribute, and set it to AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
Azure AD B2C lets you set up just one Facebook login. But what happens when you want to connect more than one web app to the same B2C directory? Facebook forces you to insert a logo and policy.
If I have two web apps, I would need to be able to set up 2 different Facebook logins with different policies and logos. I can do that in Facebook Developer, but it seems Azure B2C supports just one.
Is there a way to achieve that? Maybe using an OpenID account?
Thanks.
You would need to add it as a custom OIDC provider. Or otherwise use custom policies where you can define as many as you like.
How can I implement a native custom login (and register) screen that connects towards a Microsoft Azure AD B2C?
This is the setup:
I have a mobile application developed in Xcode/Swift that...
...needs to register and log in (new) users against an Azure Active Directory B2C (notice the B2C here, as there are also other AD solutions by Microsoft)
The solution that Microsoft offers can be found here: https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msal. But this opens a Safari window, which is not the user experience I am looking for:
Instead I want to build a native login screen (UIViewController) with my own layout and design, but still want to use the Azure Active Directory B2C.
How could this be done?
For sign-in, you can implement a native page that integrates with a resource owner password credentials policy in the Azure AD B2C tenant, which will enable a user's credentials to be POSTed to the Azure AD B2C tenant for validation:
POST /tfp/yourtenant.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token HTTP/1.1
Host: yourtenant.b2clogin.com
Content-Type: application/x-www-form-urlencoded

grant_type=password&
username=leadiocl%40trashmail.ws&
password=Passxword1&
scope=openid+bef22d56-552f-4a5b-b90a-1988a7d634ce+offline_access&
client_id=bef22d56-552f-4a5b-b90a-1988a7d634ce&
response_type=token+id_token
For sign-up, a client credential is required to request an access token for the Azure AD Graph API to create an Azure AD B2C user, so if you want to implement a native page you will also have to consider implementing a backend/proxy API that protects the client credential.
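Added example (not code from the answer above, from Microsoft, or from any of the posters): the ROPC request shown in the answer above and the client-credentials request mentioned in the earlier answer about API keys for mobile apps, written as a small stdlib-only client, together with the id_token claim checks a native app has to perform before it trusts what comes back. The tenant name, tenant id, the policy name and client id (taken from the answer's sample request), the constructed success and error responses, and the unsigned sample token are all assumptions made so that the example runs offline.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed placeholders: the policy name and client id are the ones from the
# answer's sample request, the tenant name/id are made up.
TENANT = "yourtenant"
TENANT_ID = "00000000-0000-0000-0000-000000000000"
POLICY = "B2C_1_ROPC_Auth"
CLIENT_ID = "bef22d56-552f-4a5b-b90a-1988a7d634ce"

class TokenError(Exception):
    """The token endpoint answered with an OAuth error response."""

def b2c_token_endpoint(tenant=TENANT, policy=POLICY):
    # Host and path exactly as in the answer's POST request line.
    return f"https://{tenant}.b2clogin.com/tfp/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token"

def ropc_request_body(username, password, client_id=CLIENT_ID, scopes=None):
    # Same form fields as the answer's request; urlencode handles the '@' in the
    # username, the spaces in the scope list and the '&' between fields.
    scopes = scopes or ["openid", client_id, "offline_access"]
    return urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": " ".join(scopes),
                      "client_id": client_id, "response_type": "token id_token"})

def client_credentials_request(tenant_id, client_id, client_secret, scope):
    # Client-credentials grant against the Microsoft identity platform (the
    # earlier answer notes B2C itself does not offer it). It carries a client
    # secret, so it belongs on a backend, never inside a shipped mobile app.
    endpoint = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope})
    return endpoint, body

def parse_token_response(status, body):
    # Surface an OAuth error JSON (e.g. invalid_grant for a wrong password)
    # as an exception instead of a KeyError somewhere later.
    data = json.loads(body)
    if status != 200 or "error" in data:
        raise TokenError(f'{data.get("error", "http_" + str(status))}: '
                         f'{data.get("error_description", "")}')
    if "access_token" not in data or "token_type" not in data:
        raise TokenError("token response has no access_token/token_type")
    return data

def id_token_claims(id_token):
    # Decode the JWS payload only. This does NOT verify the signature: a real
    # client must first check the RS256 signature against the policy's JWKS
    # (jwks_uri in the policy's .well-known/openid-configuration).
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_id_token(claims, tenant, tenant_id, client_id, policy, now):
    # Claim checks a native client must do before trusting the id_token;
    # returns the names of the failed checks (empty list = accept).
    problems = []
    if claims.get("iss") != f"https://{tenant}.b2clogin.com/{tenant_id}/v2.0/":
        problems.append("iss")
    if claims.get("aud") != client_id:
        problems.append("aud")
    if claims.get("exp", 0) <= now:
        problems.append("exp")
    if claims.get("nbf", 0) > now:
        problems.append("nbf")
    # B2C carries the policy name in 'tfp' ('acr' on older policies); it must
    # be the policy this app asked for, not another policy in the tenant.
    if claims.get("tfp", claims.get("acr")) != policy:
        problems.append("policy")
    return problems

def make_sample_id_token(claims):
    # Constructed, unsigned token for the offline demo (dummy signature part).
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT", "kid": "demo"}), enc(claims), "c2ln"])

def demo(now=1_700_000_000):
    """Offline walk-through on constructed responses; returns each step's result."""
    results = {"endpoint": b2c_token_endpoint(),
               "ropc_body": ropc_request_body("leadiocl@trashmail.ws", "Passxword1")}
    good = {"iss": f"https://{TENANT}.b2clogin.com/{TENANT_ID}/v2.0/", "aud": CLIENT_ID,
            "exp": now + 3600, "nbf": now - 60, "tfp": POLICY, "sub": "constructed-oid"}
    ok_body = json.dumps({"access_token": "constructed", "token_type": "Bearer",
                          "expires_in": 3600, "id_token": make_sample_id_token(good)})
    tokens = parse_token_response(200, ok_body)
    results["accepted"] = check_id_token(id_token_claims(tokens["id_token"]),
                                         TENANT, TENANT_ID, CLIENT_ID, POLICY, now)
    # A token minted for another app under another policy must be rejected.
    results["rejected"] = check_id_token(dict(good, aud="other-app", tfp="B2C_1_SignUpSignIn"),
                                         TENANT, TENANT_ID, CLIENT_ID, POLICY, now)
    try:  # constructed OAuth error response, as sent back for a wrong password
        parse_token_response(400, json.dumps({"error": "invalid_grant",
                                              "error_description": "constructed: bad credential"}))
    except TokenError as err:
        results["error"] = str(err)
    return results

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things worth keeping in mind when using this shape for real: with ROPC the app itself sees the raw password, so the flow cannot benefit from MFA or any of the B2C-hosted UI protections, and the id_token must be signature-checked against the policy's JWKS before the claim checks above mean anything; and the client-credentials helper exists only to show the request format, since the secret it needs cannot be protected inside an installed mobile app and has to stay on a backend.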