I'm trying to build a setup where my Xamarin forms app authenticates with Facebook, and when done gets a token from the Azure AD B2C to use when requesting data from my API.
So far I have native Facebook login up and running, meaning no web UI login, but uses the user's Facebook app and I get a the Facebook access token. This is the one I want to use when requesting a token from the Azure AD B2C
My issue now is how I should integrate this with Azure AD B2C. I want the API to be protected using Azure AD B2C and that part is enabled too, but I need the App to request a token before it can access my API. This is the part where I'm not sure if it is possible yet, with out letting the Azure AD popup with some UI.....
At this time, Azure AD B2C does not support acknowledging authentication that occurred outside of B2C.
You should request either support for the Facebook SDK and/or more broadly, supporting swapping tokens obtained outside of B2C for B2C tokens via the Azure AD B2C feedback forum
Related
I'm investigating Azure AD B2C as a possible auth service, which we want to use for user management and authentication. We have a web application, Web API which we can easily integrate with AAD B2C and migrate our current authentication and user management.
However, I did not find any solution how to authenticate mobile applications and integrate it with azuere ad b2c. Our mobile app communicates also with web api but it does not need any user login. These applications are tied to a tenant and every mobile app instance has an API key that is used to authenticate the mobile app on the backend.
Is it possible with azure ad b2c to achieve that kind of authentication, that we will generate API keys for our mobile apps and will use the same ad in azure like the normal users? Is possible with azure ad b2c or we should use another azure service?
What are the best practices in this area? It is similar to the backend to backend communication where API keys are used. Thx.
The normal way for such a scenario would be to use the client credentials flow, where you use your ClientID + ClientSecret for a silent login in order to get a non-personalized AccessToken.
Although it seems that this type of flow is currently not supported by AD B2C. Have a look here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/application-types#current-limitations
As an alternative, that page is refering to the client credentials flow of the Microsoft Identity Platform (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow).
I guess it now depends on the detailed requirements of your application whether it could be an option for you to use.
I have an app that was developed using Angular 9 and we are using the login with Azure AD B2C.
The users that we have in the Azure AD B2C are Member(type).
We have a new requirement where we have to embed power apps in the web app (iframe tag - Canvas App), but we saw that always ask for sign in, but we want to re-use the token generated with the login to see the power app.
We created the power apps in the same directory as the Azure AD B2C and we shared it to everyone.
I tested the #microsoft/powerappsplayersdk sdk for angular but it's still not working, exists a getAccessToken function but neither works
Any ideas about what is missing? or what I have to do to avoid login again when I try to see a power app within my web application?
What token issuer does power apps is expecting? Microsoft B2C token is issued by *.b2clogin.com endpoint and not by microsoftonline.com endpoint. This typically means that token issued by B2C cannot be used as-is by O365 and other services that don't accept B2C as a issuer.
We use an Azure AD B2C Api. The user authentication via Angular Frontend works fine.
Now, we created a separate BackgroundService project (.net core 3.0) that needs to access the api, too. The service runs without a user authentication.
In a standard Azure AD Api I would authenticate the service by using ClientId and Secret.
How can I authenticate the service against the B2C Api without user authentication?
Client credential flow is not currently supported by Azure AD B2C. See Current limitations.
It seems that the article is not very clear and confuses some customers. But the author has provided more details in the answer.
How can I implement a native custom login (and register) screen that connects towards a Microsoft Azure AD B2C?
This is the setup:
I have a mobile application developed in Xcode/Swift that...
...needs to register and login (new) users agains an Azure Active Directory B2C (notice the B2C here, as there are also other AD solutions by Microsoft)
The solution that Microsoft offers can be found here: https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msal. But this opens a safari window which is not the user experience I am looking for:
Instead I want to build a native login screen (UIViewController) with my own layout and design, but still want to use the Azure Active Directory B2C.
How could this be done?
For sign-in, you can implement a native page that integrates with a resource owner password credentials policy in the Azure AD B2C tenant, which will enable a user's credentials to be POSTed to the Azure AD B2C tenant for validation:
POST /tfp/yourtenant.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token HTTP/1.1
Host: yourtenant.b2clogin.com
Content-Type: application/x-www-form-urlencoded
grant_type=password&
username=leadiocl%40trashmail.ws&
password=Passxword1&
scope=openid+bef22d56-552f-4a5b-b90a-1988a7d634ce+offline_access
client_id=bef22d56-552f-4a5b-b90a-1988a7d634ce&
response_type=token+id_token
For sign-up, a client credential is required to request an access token for the Azure AD Graph API to create an Azure AD B2C user, so if you are wanting to implement a native page then you will have to consider also implementing a backend/proxy API that protects the client credential.
When using Facebook as the IDP for Azure AD B2C, it appears that B2C isn't using the FB SDK correctly.
Using FB's guidelines found here, I would expect scenario 2 and 3 below to log out of Facebook:
A person logs into Facebook, then logs into your app. Upon logging
out from your app, the person is still logged into Facebook.
A person logs into your app and into Facebook as part of your app's
login flow. Upon logging out from your app, the user is also logged
out of Facebook.
A person logs into another app and into Facebook as part of the
other app's login flow, then logs into your app. Upon logging out
from either app, the user is logged out of Facebook.
When we log out of our application, Facebook is staying logged in, which is NOT the desired behaviour.
Similar question was asked previously on Technet.
Is there a way to make this happen, or is this feature on the B2C roadmap?
Azure AD B2C does not support signing you out from the external identity provider, be it Facebook, Google or a custom OIDC/SAML/WS-Fed identity provider. It only signs you out from Azure AD B2C.
Currently, Azure AD B2C does not disambiguate whether you were already signed-in to the external identity provider or signed in to it as part of signing in to Azure AD B2C, so it can only either always keep you signed in or always sign you out. The latter option is rather invasive, thus Azure AD B2C opts for keeping you signed in, which is in line with Facebook's #1 guideline.
You can request support for this more advanced detection and sign out logic via the Azure AD B2C feedback forum.
Note: This question is similar to: Azure AD B2C OpenID Connect single logout with WS-Federation and SAML claims provider