API authentication for Azure AD B2C users? - azure-ad-b2c

Is there a back-end API available to programatically authenticate the external user against the Azure AD B2C instance by passing in the user credentials from within a MVC web application (without showing the login page) as we do from a Native Client like console application?

Authentication through a back-api that accepts user credentials is achieved through the OAuth Resource Owner Password Grant.
Azure AD B2C does not support the "Resource Owner Password Grant" yet.
You can support this feature ask and get updates on its progress by voting for it in the Azure AD B2C feedback forum: Add support for Resource Owner Password Credentials flow in Azure AD B2C.

Related

How can I use idp_access_token returned by azure b2c service

I have setup a azure ad b2c service to sign up/ sign in my users and have used third party identity providers google and microsoft. After successful logging in, I get idp_access_token
back from b2c service. Can I use this token to directly connect to google and microsoft api
as azure docs mention, this token is issued by identity providers and returned as claims by b2c service. But the idp_access_token doesn't seem to be a valid access token and no claims are included in it.
To get a valid "idp_access_token", please check if you have to set "v2.0" in the metaurl of the OpenId Identity Provider Configuration:
https://xxx.b2clogin.com/xxxx.onmicrosoft.com/v2.0/.well-known/openid-configuration
We maynot be able to edit metadeta url of already created one .So try create new one with "v2.0" in metaurl.
When a user signs with identity provider, like google or Facebook, your app gets the identity provider's access token passed in Azure AD B2C token.This idp_access_token can be used call the identity provider’s API, such as the Facebook Graph API i.e;Usually the embedded IdP access token is used to call the services that the IdP hosts. For details see Pass an access token through a user flow to your application in Azure Active Directory B2C.
Reference: techcommunity.microsoft.com blog
Note :
Azure AD B2C supports passing the access token of OAuth 2.0 identity providers, which include Facebook and Google. For all other identity providers, the claim is returned blank.
Even if idp_access_token claim is a valid JWT, it cannot be used to access Microsoft Graph or other additional scopes. As usually the
embedded IdP access token is used to call the services that the IdP
hosts. But Microsoft Graph data is hosted in Azure AD and not in
Microsoft Account side.
You can check this microsoft document to Set up sign-up and sign-in with a Facebook account using Azure Active Directory B2C or with a Google account using Azure Active Directory B2C
References:
Using Azure B2C login to access Microsoft Graph is the social login is a Microsoft account

Has a way to enable Microsoft Authenticator in Azure AD B2C?

In my project, this a fundamental part of project. Windows Hello for Bussiness and MS Authenticator is secure and easily to use, the goal here is enable this in Azure B2C SUSI to increment safety and provide a fast way to SignIn for user.
The point is, has a way to do that in B2C? Replace normal password to a paswordless way authentiation
There is a possibility to achieve Multi factor authentication using Authenticator app. It is documented and a sample is provider here: Azure AD B2C: TOTP multi-factor authentication
With Azure Active Directory (Azure AD) B2C, you can integrate TOTP-based Multi-Factor Authentication so that you can add a second layer of security to sign-up and sign-in experiences in your consumer-facing applications. This requires using custom policy and custom REST API endpoint. If you already created sign-up and sign-in policies, you can still enable Multi-Factor Authentication.
Below is the user auth flow using TOTP:
At this time, MS does not support primary Auth using Authenticator for B2C. You can request this via the Azure AD B2C forum in feedback.azure.com
SMS and Phone verification are the options available as of now.

Azure AD B2C custom native login screen for iOS

How can I implement a native custom login (and register) screen that connects towards a Microsoft Azure AD B2C?
This is the setup:
I have a mobile application developed in Xcode/Swift that...
...needs to register and login (new) users agains an Azure Active Directory B2C (notice the B2C here, as there are also other AD solutions by Microsoft)
The solution that Microsoft offers can be found here: https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msal. But this opens a safari window which is not the user experience I am looking for:
Instead I want to build a native login screen (UIViewController) with my own layout and design, but still want to use the Azure Active Directory B2C.
How could this be done?
For sign-in, you can implement a native page that integrates with a resource owner password credentials policy in the Azure AD B2C tenant, which will enable a user's credentials to be POSTed to the Azure AD B2C tenant for validation:
POST /tfp/yourtenant.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token HTTP/1.1
Host: yourtenant.b2clogin.com
Content-Type: application/x-www-form-urlencoded
grant_type=password&
username=leadiocl%40trashmail.ws&
password=Passxword1&
scope=openid+bef22d56-552f-4a5b-b90a-1988a7d634ce+offline_access
client_id=bef22d56-552f-4a5b-b90a-1988a7d634ce&
response_type=token+id_token
For sign-up, a client credential is required to request an access token for the Azure AD Graph API to create an Azure AD B2C user, so if you are wanting to implement a native page then you will have to consider also implementing a backend/proxy API that protects the client credential.

Azure AD B2C : User credential validation against custom user store

Can Azure AD B2C pass the "UserName/Email and Password" entered by end user to a third party trusted application for credentials validation and get the claims for the user on successful credentials validation by the App?
This scenario arises because, some of my users are in Azure AD B2C and some of the users are maintained in the custom user store and can't be moved to Azure AD B2C due to business reasons. Yet i want to provide same sign-in experience for both users.
The Wingtip sample contains an example of this integration.
See the "ClassicAccount" claims provider for reference.
This claims provider, which is implemented by a REST API, is integrated in to the sign-in user journey to sign users in using logins that are external to the Azure AD B2C directory.
Code for the REST API can be found in the same repository.

Can I use "Resource Owner Password Grant" flow with Azure AD B2C

I need to be able to get an identity/access token to a backend API for a native client, where the native client must use native UI to collect username and password.
I want to use Azure AD B2C but I cannot get clear, explicit info if the Resource Owner Password Grant flow is supported. Is it possible to get a token from Azure AD B2C by programmatically posting username and password somewhere?
Azure AD B2C does not support the "Resource Owner" password grant yet.
You can support this feature ask and get updates on its progress by voting for it in the Azure AD B2C feedback forum: Add support for Resource Owner Password Credentials flow in Azure AD B2C.
Is it possible to get a token from Azure AD B2C by programmatically posting username and password somewhere?
You can use the Azure AD Client Credential Flow to obtain a token. See this SO Post.
ROPC might be the right OAuth Flow for you, but before you start using it, you might want to check out this blog post:
Why the Resource Owner Password Credentials Grant Type is not Authentication nor Suitable for Modern Applications.
Resource Owner Password Credential flow is now supported in Azure AD B2C.
Do note however that confidential client flow, where the application secret is verified, is not supported.

Resources