SPA + WebAPI authenticate using Azure AD B2C and Azure AD - azure

My customer wants to use AZURE AD B2C to authenticate external users, and Azure AD for employees of his company. I've been looking on github and googling about it, but there's a lack of examples over there.
Does anybody had the same requirement to give some hints?
Besides that, it seems that MSAL.js / hello.js has some bugs (X-Frame-Options issue when renewing the token).
Is there any other JS library that I'm not familiar?

My customer wants to use AZURE AD B2C to authenticate external users, and Azure AD for employees of his company.
Azure B2C supports this from custom policies. You can easily configure this by referring Azure Active Directory B2C: Get started with custom policies and Azure Active Directory B2C: Sign in by using Azure AD accounts
Besides that, it seems that MSAL.js / hello.js has some bugs (X-Frame-Options issue when renewing the token).
Microsoft was written a sample application using hello.js library. But as you said it has x-frame options issue but that is only for Social IDPs. So, you can still use SPA app written from Microsoft for your use-case.
Is there any other JS library that I'm not familiar?
Yes, there is another JS library out there similar to hello.js that is oidc-client.js. It is easy to configure and use in SPA application.

Related

Okta as IDP for Azure

So I want to provide access to users over Okta to Azure.
We have local AD which is not synced to MS Azure account
We have custom domain inside Azure AD
There is also 2nd part of this where we want to sync local AD mail field to Workday and add some O365 users to the same tenant which is another (native) Okta app.
So looking at docs, it seems I need to install ADConnect client which will import all users to the same O365/Azure tenant. Then on the Okta, there is native o365 app that I simply need to configure (it didn't look like problematic). But for the Azure part, the documentation is not really good and I am confused what should I do with Azure.
It seems I need to add Custom SAML 2.0 Application on Okta for Azure and configure External Identities-->New SAML connection on Azure. There also should be a way how to link Okta users to AzureAD ones but they have different domains. Did I get this correctly?
Thank you!
You can do the following:
Use AAD Connect to sync on-premise users to Azure AD
Integrate on-premise AD with Okta
Use Okta's native Office 365 application to integrate Okta with Azure AD for Single Sign On. When you use this application, you don't have to do anything on Azure AD. Okta will take care of everything for you. All you need to do is follow these steps: https://help.okta.com/en/prod/Content/Topics/Apps/Office365-Deployment/configure-sso.htm

Suitable Azure replacement for Auth0

I have an ASP .Net Core 2.2 Web API hosted as an Azure App Service. Then there is an Angular SPA which consumes this API, hosted on Azure Storage as a static website.
I am currently using Auth0 as our authentication and identity server. I am looking at replacing Auth0 with Azure, but I've spent a couple of days now trying to figure out what I should be doing and I am completely lost.
So, the purpose that Auth0 is currently serving, and which I would like Azure to serve instead, is to protect my Web API, as well as give it identity services so that the API knows which user is logged in. So when the front end makes a call to the API, Auth0 automatically redirects it to a login page. Here the user can log in using an existing account (including social accounts) or she can create a new account. Once logged in, Auth0 provides the front end with an access token. The front end then includes this access token in the header of every API call. The access token includes identity information which the API uses to know which user is making the call. All users are stored in Auth0. So when a new user uses the front end web app, Auth0 redirects them to the login screen, where they select "Sign Up", and create an account in Auth0. Any user can do this btw - it is a public web app which anyone can sign up and use.
So, when looking at using Azure instead of Auth0, what first confuses me is that there are various authentication services:
In the Azure portal, under my app service, under "Authentication / Authorization", there is a toggle switch labelled "App Service Authentication". If I turn this on, I can set up Authentication Providers.
In the Azure portal, there is Azure Active Directory, which I guess ties in with the above?
There is also Azure B2C.
What is the difference between Azure App Service Authentication and Azure B2C? Which one should I be using? What is the difference between points 1 and 2 above? Some examples I've seen use point 1 and some use point 2.
Sorry if this is a very vague question. I am just struggling to figure out in which direction to head. I found Auth0 quite simple, but unfortunately I cannot say the same about Azure authentication. I basically just want to figure out which Azure option would be best suited to replace Auth0 as I am using it now. Thanks
Azure B2C is the proper option to replace user authentication, however you would have to go with OWIN or another solution to actually provide application specific identity/authorization pipeline.
For public-facing site I would not go with straight up azure AD for customer logins, that’s targeted more towards enterprise customer with identities in federated, office365 or on prem Active Directory.
To be honest I’m surprised you’re planning on moving from auth0 to AAD. I’m thinking about doing the opposite.
I think the "replacement" would be using Identity Server, but there's no PaaS version for it on Azure. So you should go with Azure AD or Azure AD B2C.
If you want just to create users and groups you should use Azure AD. But if you have plans to enable 3rd party identities to access your app (such as Facebook, Google or Linkedin), then you should use Azure AD B2C. For more info, please read: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview

Azure B2C Authentication without user

We use an Azure AD B2C Api. The user authentication via Angular Frontend works fine.
Now, we created a separate BackgroundService project (.net core 3.0) that needs to access the api, too. The service runs without a user authentication.
In a standard Azure AD Api I would authenticate the service by using ClientId and Secret.
How can I authenticate the service against the B2C Api without user authentication?
Client credential flow is not currently supported by Azure AD B2C. See Current limitations.
It seems that the article is not very clear and confuses some customers. But the author has provided more details in the answer.

API APP + Authentication with AAD and Facebook + AllowAnonymous

I have created a API app in Azure portal. Then after I have configured Azure Active Directory and Facebook for Authentication/Authorization in Azure Portal (Portal -> My API APP -> Authentication / Authorization). Now my requirement is some API should be Allow Anonymous and other APIs should ask for Authentication either from Azure Active Directory or Facebook.
Same issues like my case: Question-1 Question-2
Please help !!
I think, your solution may benefit from using other authentication broker service called Azure Active Directory B2C. Basically, you configure the providers you want on the backend side, then integrate it into your application. Then, you are able to use mechanisms like policies, etc, in your app. For WebApp integration with AD B2C - tutorial.
I would do that in your situation because i believe that it would be better to offload authentication boilerplating to the backend instead of doing a lot of custom things in the application.
Other way of doing that would be to use custom attribute that will add the capabilities to authenticate, cache user information, authentication context (regarding your question about how to detect if someone is logged in) etc.

Azure AD as Federation Provider for Okta

We are developing an application in which we plan to use Okta as the ID provider. However, this application will be hosted in Azure and we would like to use the Azure ACS for Federation. However, off late we came to know that ACS is going be integrated with Azure AD (http://blogs.technet.com/b/ad/archive/2015/02/12/the-future-of-azure-acs-is-azure-active-directory.aspx). I am bit confused here.
I understand AD provides the directory services and will be used for authentication. In our case, this will be Okta. How can I use AD (as ACS is going to be integrated with AD) for this? I tried uploading a Ws-Federation metadata for a test application from Okta to Azure ACS (tried to create a new ID provider), however I couldn't succeed in doing that. Any help will be much appreciated.
I tried using Okta APIs, and it worked well. But, the ask is to use Azure to communicate with Okta.
You can set up Okta as the IDP to Azure since you plan to leverage Okta as the directory and as the IDP. The benefit here is that you can leverage other policies and features within Okta for authorization during login time (eg. mfa).
https://msdn.microsoft.com/en-us/library/azure/dn641269.aspx - This page provides a pretty detailed description on how to set this up. So effective, Azure is not "directly" communicating with Okta - but rather - integrating with Okta where Azure (and your app) is the SP and Okta is the IDP.

Resources