As a service provider, I need to integrate third party oAuth providers beyond what is currently available in the portal. How can I do that? Any pointers will be helpful. If it is not supported, is it in the product road map?
Currently, you have to create custom policies to integrate with other OpenID Connect and OAuth identity providers, such as Azure AD and GitHub.
The "Add support for a generic OpenID Connect Identity Provider" feedback item indicates development has been started for the built-in support of any OpenID Connect or OAuth provider.
Related
How to add authorization through third-party services (for example Instagram or Vk) which are not in the list of Azure AD B2C identity providers?
If the identity provider supports OpenID Connect, you can use the generic OpenID Connect identity provider.
Docs here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-oidc-idp
If they do not, then you need to create a custom policy using the Identity Experience Framework.
There you can define an identity provider which uses various protocols,
but it is quite an advanced scenario.
Custom policy learning curve is quite steep.
Docs for them: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom?tabs=applications
I must preface by stating that I am not an expert in Microsoft AD, Azure AD, and Office 365. I've read scores of Microsoft documentation, support and Stackoverflow posts and have not been able to find an answer to this specific question.
I have a web application that has an option for users "Sign in with Office365". This was implemented using Microsoft's ADAL library and the OAuth 2.0 authorization flow.
I have a customer who uses ADFS and Azure Active Directory together (Federated Identity in this document). They are federating their user's sign-ins with AD FS which delegates authentication to an on-premise server that validates user credentials which in turn allows their users to access Office365 and other cloud services.
Their on-premise AD syncs with Azure AD and does not sync passwords.
My question is two fold:
1) Will the standard implementation of OAuth 2.0 authorization flow work support this setup? Will Azure AD know to go to ADFS to do the authentication?
2) Is it possible to leverage Azure AD and the OAuth 2.0 authorization flow as an IDP proxy to ADFS?
1) Will the standard implementation of OAuth 2.0 authorization flow
work support this setup? Will Azure AD know to go to ADFS to do the
authentication?
Yes this works very well, as long as you have setup the federation with a verified custom domain using Azure AD Connect (Federated Identity in this document). I have live examples of it with a web application that uses OAuth 2.0 Authorization flow (without requiring anything special from web application code/configuration standpoint).
Flow is that you go to the Microsoft login page first > on selecting the work/school account and specifying user name > you get the ADFS login page > after entering credentials here, it continues just like a normal Azure AD account would.
2) Is it possible to leverage Azure AD and the OAuth 2.0 authorization
flow as an IDP proxy to ADFS?
In a way yes. Although it's not a regular Federation trust setup with certificates being exchanged, as you have to use AzureAD connect instead, like you mentioned in the link above (Federated Identity in this document).
Currently, in ACS we use Yahoo as an identity provider. We noticed that Azure B2C doesn't offer Yahoo as a built-in social provider like Azure ACS. Is there a reason for this and will it be added in the near future?
You can create a custom policy. This allows you to integrate with any OpenId Connect provider. It will require a bit of customization, but should be possible since Yahoo supports OpenID Connect.
Here's the steps to get going with custom policies.
Our current application is authenticating users with a SAML IdP. We wish to retain their implementation of SAML and update the application’s configuration with Azure AD B2C, not switch to OAuth2 or OpenID Connect. Does Azure AD B2C currently support receiving authentication requests via SAML? I am unable to find this in the documentation.
Azure B2C does (has for a while) provide SAML connectivity through custom policies in the Identity Experience Framework currently in public preview - https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom
Azure AD B2C does not support integrating with applications / relaying parties via SAML yet.
You can support this ask and keep up to date on its progress by voting for it in the Azure AD B2C feedback forum: (Application) SAML Protocol support.
You can configure Configure SAML Relying party application:
https://github.com/azure-ad-b2c/saml-sp
The full documentation can be found here:
https://github.com/azure-ad-b2c/saml-sp/blob/master/saml-rp-spec.md
NOTE: AS Per July 2019, SAML Relying Party support is available as a preview feature
I successfully implemented Azure Active Directory for user management/authentication/login in a web app, following this example:
Azure Sample AAD with Flask
I decided to try Azure Active Directory B2C because of its integration for the various social apps. However, I could not get the flask app to work using OAuth 2.0, since Azure AD B2C does not seem to be compatible with OAuth 2.0. I found some documentation that states Azure AD B2C requires Open ID Connect.
Could you please confirm whether Azure Active Directory B2C requires Open ID Connect, or whether it works with OAuth 2.0 as well?
Thanks
It is worth to not that Azure Active Directory B2C (AAD B2C) supports both OpenID Connect and OAuth 2.0 in that it uses these two protocols to exchange information and secure tokens. However, AAD B2C "extends" these protocols by introducing Policies to handle the user experience for Sign-up, Sign-in and general account management.
What does this mean? First of, it means that you cannot create your own sign-up/sign-in experience, you are restricted to redirecting the user to the right policy (which you to some extent can customize). You cannot create your own sign-up/-in UI for this and you are restricted to styling/branding the provided web-based UI for this.
So in order to Authenticate using AAD B2C you could follow this guide, it should be easy enough to adapt to Python. You simply redirect the user to the /authorize endpoint of the AAD B2C and then validate the JWT you receive
Azure AD B2C supports both OpenID Connect and OAuth 2.0 as noted in the official reference protocols documentation.
To be able to sign-in users with Azure AD B2C using OAuth 2.0 and Flask, you'll need to adapt the sample to follow the OAuth 2.0 approach used in this sample: An Android application with Azure AD B2C using OAuth. Key things you'll need to adapt:
You'll need to specify the B2C authorization and token endpoints: https://login.microsoftonline.com/tfp/TENANT_NAME/POLICY_NAME/oauth2/v2.0/authorize. Example from Android sample
You'll need to add your application/client ID as a scope. Example from Android sample
You won't be able to call the Graph's /me endpoint for token validation and to get user details. You'll need to validate the token and extract the claims from it yourself (ideally through a good JWT open source library since this isn't trivial, unfortunately I don't know any that I can recommend at this time).
EDIT
I've created a python sample for Azure AD B2C and used python-jose for token validation and claim retrieval. Check it out.
Based on the documentation here, Azure AD B2C supports both OpenID Connect and OAuth 2.0 protocols.
Azure Active Directory (Azure AD) B2C provides identity as a service
for your apps by supporting two industry standard protocols: OpenID
Connect and OAuth 2.0. The service is standards-compliant, but any two
implementations of these protocols can have subtle differences.