When using Facebook as the IDP for Azure AD B2C, it appears that B2C isn't using the FB SDK correctly.
Using FB's guidelines found here, I would expect scenario 2 and 3 below to log out of Facebook:
1. A person logs into Facebook, then logs into your app. Upon logging out from your app, the person is still logged into Facebook.
2. A person logs into your app and into Facebook as part of your app's login flow. Upon logging out from your app, the user is also logged out of Facebook.
3. A person logs into another app and into Facebook as part of the other app's login flow, then logs into your app. Upon logging out from either app, the user is logged out of Facebook.
When we log out of our application, Facebook is staying logged in, which is NOT the desired behaviour.
A similar question was asked previously on TechNet.
Is there a way to make this happen, or is this feature on the B2C roadmap?
Azure AD B2C does not support signing you out from the external identity provider, be it Facebook, Google or a custom OIDC/SAML/WS-Fed identity provider. It only signs you out from Azure AD B2C.
Currently, Azure AD B2C does not disambiguate whether you were already signed in to the external identity provider or signed in to it as part of signing in to Azure AD B2C, so it can only either always keep you signed in or always sign you out. The latter option is rather invasive, thus Azure AD B2C opts for keeping you signed in, which is in line with Facebook's #1 guideline.
You can request support for this more advanced detection and sign out logic via the Azure AD B2C feedback forum.
Note: This question is similar to: Azure AD B2C OpenID Connect single logout with WS-Federation and SAML claims provider
Related
Can Azure AD B2C pass the "UserName/Email and Password" entered by end user to a third party trusted application for credentials validation and get the claims for the user on successful credentials validation by the App?
This scenario arises because some of my users are in Azure AD B2C and some of the users are maintained in a custom user store and can't be moved to Azure AD B2C due to business reasons. Yet I want to provide the same sign-in experience for both sets of users.
The Wingtip sample contains an example of this integration.
See the "ClassicAccount" claims provider for reference.
This claims provider, which is implemented by a REST API, is integrated into the sign-in user journey to sign users in using logins that are external to the Azure AD B2C directory.
Code for the REST API can be found in the same repository.
I am seeing duplicate accounts being created using the same Facebook login on Azure AD B2C. My understanding has always been that using the combined sign-up/sign-in policy, if a user taps a social provider, Azure AD B2C will sign them back in using the same Azure AD B2C account if they created it using Facebook rather than creating a new one.
In this case, however, I have three examples where 2 Azure AD B2C accounts exist with the same email address, created by the user using Facebook as the authentication mechanism. They share the same name and profile photo but have different Azure AD object IDs.
There is a known outstanding Facebook issue around expired tokens which was acknowledged by Microsoft and is logged on UserVoice here after a paid developer support issue was logged on the Azure portal: Fix the faulty Facebook integration and more transparency please!
I have logged this here under the request from Azure Support on Twitter:
https://twitter.com/AzureSupport/status/949258937915895809
Please assist - we are very concerned about these issues with regard to B2C's integration with a very popular social provider!
Millions of end users use Facebook to register and log in to apps secured by Azure AD B2C.
If you are sure that the same Facebook user (same user ID) registered into the B2C app, then it may be possible that you used different Facebook Application IDs, in which case different Facebook IDs would have been presented to B2C, resulting in 2 different Azure AD B2C user accounts.
Alternatively, it is possible that a single Facebook user with email joe@email.com registered into B2C using their Facebook login and later selected "local account" and created a local user (non-Facebook) using the same email joe@email.com. These would appear as 2 different users.
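The two explanations in the answer above (same person arriving with Facebook IDs issued under different Facebook app registrations, or a social account plus a local account on the same email) can be told apart from the directory data. The following is an added example, not code from the question or from Microsoft; it runs over a constructed list of user objects shaped like the Graph API `identities` collection (`signInType`, `issuer`, `issuerAssignedId`) and classifies each duplicate email. The object IDs, emails and issuer-assigned IDs are made up, and the tenant name `contoso.onmicrosoft.com` is an assumption.

```python
from collections import defaultdict

# Constructed sample of B2C user objects (illustrative values only).
# Each user carries the Graph API style `identities` list.
USERS = [
    {"id": "obj-1", "mail": "joe@email.com", "identities": [
        {"signInType": "federated", "issuer": "facebook.com", "issuerAssignedId": "1001"}]},
    # Same person, but the Facebook ID was issued under a second Facebook app registration.
    {"id": "obj-2", "mail": "Joe@Email.com", "identities": [
        {"signInType": "federated", "issuer": "facebook.com", "issuerAssignedId": "2002"}]},
    {"id": "obj-3", "mail": "ann@email.com", "identities": [
        {"signInType": "federated", "issuer": "facebook.com", "issuerAssignedId": "3003"}]},
    # Same email, but this time a local (email + password) account was created afterwards.
    {"id": "obj-4", "mail": "ann@email.com", "identities": [
        {"signInType": "emailAddress", "issuer": "contoso.onmicrosoft.com",
         "issuerAssignedId": "ann@email.com"}]},
    {"id": "obj-5", "mail": "bob@email.com", "identities": [
        {"signInType": "federated", "issuer": "facebook.com", "issuerAssignedId": "5005"}]},
]


def find_duplicates(users, social_issuer="facebook.com"):
    """Group accounts by normalised email and classify how each duplicate arose.

    Returns {email: {"kind": ..., "object_ids": [...]}} for emails with 2+ accounts.
    kind is one of:
      multiple-social-ids  - several distinct issuerAssignedIds from the same social IdP
                             (typical of differing Facebook app IDs)
      local-plus-social    - one social identity and one local (emailAddress) identity
      other                - duplicates that match neither pattern
    """
    by_email = defaultdict(list)
    for u in users:
        mail = (u.get("mail") or "").strip().lower()  # emails are case-insensitive here
        if mail:
            by_email[mail].append(u)

    findings = {}
    for mail, group in by_email.items():
        if len(group) < 2:
            continue
        identities = [i for u in group for i in u.get("identities", [])]
        sign_in_types = {i["signInType"] for i in identities}
        social_ids = {i["issuerAssignedId"] for i in identities
                      if i["signInType"] == "federated" and i["issuer"] == social_issuer}
        if len(social_ids) > 1:
            kind = "multiple-social-ids"
        elif "emailAddress" in sign_in_types and "federated" in sign_in_types:
            kind = "local-plus-social"
        else:
            kind = "other"
        findings[mail] = {"kind": kind, "object_ids": sorted(u["id"] for u in group)}
    return findings


if __name__ == "__main__":
    for mail, finding in find_duplicates(USERS).items():
        print(mail, finding["kind"], finding["object_ids"])
```

In a real tenant the records would come from a Graph API query that selects `id`, `mail`, `otherMails` and `identities`; federated accounts sometimes carry the address in `otherMails` rather than `mail`, so a production version should fold both fields into the grouping key.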
I'm trying to build a setup where my Xamarin forms app authenticates with Facebook, and when done gets a token from the Azure AD B2C to use when requesting data from my API.
So far I have native Facebook login up and running, meaning no web UI login; it uses the user's Facebook app and I get the Facebook access token. This is the one I want to use when requesting a token from Azure AD B2C.
My issue now is how I should integrate this with Azure AD B2C. I want the API to be protected using Azure AD B2C and that part is enabled too, but I need the app to request a token before it can access my API. This is the part where I'm not sure if it is possible yet, without letting Azure AD pop up with some UI.
At this time, Azure AD B2C does not support acknowledging authentication that occurred outside of B2C.
You should request support for the Facebook SDK and/or, more broadly, for swapping tokens obtained outside of B2C for B2C tokens, via the Azure AD B2C feedback forum.
AD FS is configured with custom policies as a claims provider on Azure AD B2C using WS-Federation and SAML. The relying party on Azure AD B2C is using OpenID Connect.
Is it possible to do front-channel single logout initiated through OpenID Connect?
OpenID Connect Front-Channel Logout 1.0 - draft 02: http://openid.net/specs/openid-connect-frontchannel-1_0-ID1.html
Single logout is initiated from the relying party using OpenID Connect and continued through Azure AD B2C using WS-Federation, reaching AD FS, thereby terminating the session in the relying party, Azure AD B2C and AD FS.
If so, how is that configured in Azure AD B2C with custom policies?
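The front-channel logout draft the question links to has the OP render an iframe to the relying party's `frontchannel_logout_uri`, adding `iss` and `sid` query parameters when `frontchannel_logout_session_required` is set; the RP must then verify that `iss` is its trusted OP and that `sid` matches a session it holds before ending that session. The following is an added example of the relying-party side of that exchange, not code from the question or from Azure AD B2C or AD FS. The issuer URL, session IDs and the in-memory `SessionStore` are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Issuer of the single OpenID Provider this RP trusts (constructed value).
TRUSTED_ISSUER = "https://op.example.com/"


class SessionStore:
    """In-memory map of OP session id (sid) -> local RP session id.

    A real RP would keep this in its session backend; the sid comes from the
    `sid` claim of the ID token issued at login.
    """

    def __init__(self):
        self._by_sid = {}

    def create(self, sid, local_session_id):
        self._by_sid[sid] = local_session_id

    def active(self, local_session_id):
        return local_session_id in self._by_sid.values()

    def terminate_by_sid(self, sid):
        """Remove the local session bound to `sid`; returns it, or None if unknown."""
        return self._by_sid.pop(sid, None)


def handle_frontchannel_logout(request_url, store, trusted_issuer=TRUSTED_ISSUER):
    """Process a GET to the RP's frontchannel_logout_uri.

    Returns (http_status, reason). The session is only terminated when both
    `iss` and `sid` are present, `iss` is the trusted OP, and `sid` is known.
    """
    qs = parse_qs(urlsplit(request_url).query)
    iss = qs.get("iss", [None])[0]
    sid = qs.get("sid", [None])[0]

    # With frontchannel_logout_session_required the OP must send both values;
    # without them we cannot tell which session (or whose OP) this is about.
    if iss is None or sid is None:
        return 400, "iss and sid are required"
    # Never end a session on the say-so of an issuer we do not trust.
    if iss != trusted_issuer:
        return 400, "issuer mismatch"
    # Unknown sid: respond identically to success so the endpoint does not
    # reveal which session ids exist.
    if store.terminate_by_sid(sid) is None:
        return 200, "no matching session"
    return 200, "session terminated"


if __name__ == "__main__":
    store = SessionStore()
    store.create("sid-1", "local-A")
    print(handle_frontchannel_logout(
        "https://rp.example.com/frontchannel-logout?iss=https://op.example.com/&sid=sid-1", store))
    print("local-A active:", store.active("local-A"))
```

The response body is an HTML page rendered inside the OP's iframe, so per the draft it should be sent with `Cache-Control: no-cache, no-store` and `Pragma: no-cache` headers; the endpoint must also be reachable cross-site, which rules out relying on a SameSite=Strict session cookie to locate the session, hence the lookup by `sid` rather than by cookie.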
Azure AD B2C does not support signing you out from the external identity provider, be it Facebook, Google or a custom OIDC/SAML/WS-Fed identity provider. It only signs you out from Azure AD B2C.
That practice is highly discouraged as it's quite invasive on the end user and risks discouraging the user from doing SSO, rather opting for local accounts.
For example, if the user signed in using Facebook and then signs out of your application, they'll probably be very annoyed by the fact that they've also been signed out of Facebook, and after enough times of this happening, might give up on SSO using Facebook and just create a local account that doesn't mess up their experiences elsewhere. A similar case could be made for business customers that, by signing out of your app, also get signed out of all of their other business apps.
All that said, you can still request support for this via the Azure AD B2C feedback forum.
Social identity auth using Azure AD B2C for Google doesn't show permission request page but Facebook does.
Does anyone know why this is happening? Am I missing something here?
Azure AD B2C does not require consent.
The only consent experience you might go through in Azure AD B2C is when signing up / signing in with social accounts.
As part of setting up a social IdP in Azure AD B2C, you must register an application in the social IdP (see this example on how to do it for Facebook). Users will have to consent to that app in their social IdP the very first time they sign in. This consent is enforced and maintained by the social IdP, so even if you delete the user in Azure AD B2C, recreating the user in Azure AD B2C using the same app registration will not re-trigger consent.