Can I use "Resource Owner Password Grant" flow with Azure AD B2C - azure

I need to be able to get an identity/access token to a backend API for a native client, where the native client must use native UI to collect username and password.
I want to use Azure AD B2C but I cannot get clear, explicit info if the Resource Owner Password Grant flow is supported. Is it possible to get a token from Azure AD B2C by programmatically posting username and password somewhere?

Azure AD B2C does not support the "Resource Owner" password grant yet.
You can support this feature ask and get updates on its progress by voting for it in the Azure AD B2C feedback forum: Add support for Resource Owner Password Credentials flow in Azure AD B2C.

Is it possible to get a token from Azure AD B2C by programmatically posting username and password somewhere?
You can use the Azure AD Client Credential Flow to obtain a token. See this SO Post.
ROPC might be the right OAuth Flow for you, but before you start using it, you might want to check out this blog post:
Why the Resource Owner Password Credentials Grant Type is not Authentication nor Suitable for Modern Applications.

Resource Owner Password Credential flow is now supported in Azure AD B2C.
Do note however that confidential client flow, where the application secret is verified, is not supported.

Related

Azure AD B2C auth with username and e-mail

I'm migrating all my users from a legacy IdP to the Azure AD B2C.
How can I configure the "Local account" to allow users to login with username OR e-mail?
It seems the Local Account just allows me to configure one of these options but I want to allow users to chose to login with e-mail or username.
Thank you.
Use this custom policy sample
https://github.com/azure-ad-b2c/samples/tree/master/policies/username-or-email
If you are looking to provide an option for the user to choose Email/Username, you can achieve this using a custom policy; please refer to this sample.
If you are looking to provide a way using built-in user flow policies, you can add a Local identity provider with email/username in the Azure Active Directory B2C (Azure AD B2C).
For migrating users identified using a local IdP to your B2C tenant, refer to this document.

Does Resource Owner Password Credentials Flow Work with Accounts from External Identity Providers

Following the directions here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc
I'm able to get the ROPC user flow working and testing it from the Azure Portal nets the desired response from the openid-configuration url.
When moving to the token endpoint and posting a username and password of an existing account I keep getting the following response.
{"error":"access_denied","error_description":"AADB2C90225: The username or password provided in the request are invalid.\r\nCorrelation ID: a3f930ac-b077-441c-aeec-c15d9319989a\r\nTimestamp: 2019-03-13 03:32:38Z\r\n"}
The account is found in the directory but in this case is a Microsoft Account.
Assuming the username and password are right, it's a well known account and the credentials have been verified, is it that accounts from external identity providers are just not supported?
The resource owner password credentials flow validates the user credentials that are managed by Azure AD B2C, i.e. credentials for the local account users, not those that are managed by an external identity provider that is registered with Azure AD B2C.
(For information about how the built-in flow is implemented, refer to the https://learn.microsoft.com/en-us/azure/active-directory-b2c/ropc-custom article, which describes how it is implemented using a custom policy.)
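As an added example (not code from the thread or from Microsoft) covering both the first question and this one: a small client that builds the B2C ROPC token request and parses the AADB2C90225 error body quoted above. The endpoint shape and form fields follow my understanding of the configure-ropc guidance; tenant, policy and client id values are assumed placeholders.

```python
# Added example: build a B2C ROPC token request and parse the B2C error body.
# Endpoint/form layout is my reading of the configure-ropc doc, not verified
# against a live tenant; "contoso", "B2C_1_ROPC" and client ids are placeholders.
import json
import re
from urllib.parse import urlencode


def ropc_token_request(tenant, policy, client_id, username, password):
    """Return (token endpoint URL, form-encoded body) for the ROPC grant.

    ROPC validates only *local* B2C accounts: a federated (e.g. Microsoft)
    account fails with AADB2C90225 even when its password is correct.
    """
    url = (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
           f"{policy}/oauth2/v2.0/token")
    form = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "scope": f"openid {client_id} offline_access",
        "response_type": "token id_token",
    }
    return url, urlencode(form).encode()


# error_description is "<code>: <message>\r\nCorrelation ID: ..\r\nTimestamp: ..\r\n"
ERROR_RE = re.compile(r"^(AADB2C\d+):\s*(.*?)\r?\n"
                      r"Correlation ID:\s*(\S+)\r?\n"
                      r"Timestamp:\s*(.*?)\r?\n?$", re.S)


def parse_b2c_error(body):
    """Split a B2C error JSON into error, code, message, correlation id, timestamp.

    The correlation ID and timestamp are what Microsoft support asks for when
    investigating a failed sign-in, so log them rather than the raw password.
    """
    data = json.loads(body)
    m = ERROR_RE.match(data.get("error_description", ""))
    if not m:  # not a B2C-shaped error, keep what we have
        return {"error": data.get("error"), "code": None,
                "message": data.get("error_description")}
    code, msg, cid, ts = m.groups()
    return {"error": data["error"], "code": code, "message": msg,
            "correlation_id": cid, "timestamp": ts.strip()}


# Constructed copy of the response quoted in the question above.
SAMPLE_ERROR = ('{"error":"access_denied","error_description":"AADB2C90225: '
                'The username or password provided in the request are invalid.'
                '\\r\\nCorrelation ID: a3f930ac-b077-441c-aeec-c15d9319989a'
                '\\r\\nTimestamp: 2019-03-13 03:32:38Z\\r\\n"}')
```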

How to capture user identityId from original IdP using OpenID Connect (preview)

I'm using an App Service with EasyAuth, integrated with B2C. Within B2C I've configured the OpenID Connect provider to point back to our corporate AAD tenant. The user journey and authentication are working as desired, however the user's sub and oid that are returned to EasyAuth contain the id of the user's B2C object, not from the originating AAD tenant as I'd hoped. Any way around this? Are custom policies needed?
Also referenced here on the B2C docs site:
https://github.com/MicrosoftDocs/azure-docs/issues/14209#issuecomment-459063758
Thanks
Yes, you will need to use a custom policy to pass the oid of the AAD user (from the AAD token) as an additional claim in the B2C token.

Azure AD B2C : User credential validation against custom user store

Can Azure AD B2C pass the "UserName/Email and Password" entered by end user to a third party trusted application for credentials validation and get the claims for the user on successful credentials validation by the App?
This scenario arises because some of my users are in Azure AD B2C and some of the users are maintained in the custom user store and can't be moved to Azure AD B2C due to business reasons. Yet I want to provide the same sign-in experience for both users.
The Wingtip sample contains an example of this integration.
See the "ClassicAccount" claims provider for reference.
This claims provider, which is implemented by a REST API, is integrated into the sign-in user journey to sign users in using logins that are external to the Azure AD B2C directory.
Code for the REST API can be found in the same repository.
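An added example, not the Wingtip sample's code, of the validation logic such a REST claims provider could run behind a B2C RESTful technical profile. The request and response shapes follow my understanding of the B2C docs (input claims posted as JSON, 200 with output claims on success, 409 with version/status/userMessage on a validation failure); the claim names and the in-memory user store are assumptions.

```python
# Added example: credential validation for a custom user store, shaped like a
# B2C REST claims provider. Claim names "signInName"/"password" and the
# 409 {"version","status","userMessage"} failure body are my assumptions of the
# B2C RESTful technical profile contract; the user store is constructed here.
import hashlib
import hmac
import json
import os


def _hash(password, salt):
    # Slow, salted hash so a leaked store cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(email, password, display_name):
    salt = os.urandom(16)
    return {"email": email.lower(), "salt": salt,
            "hash": _hash(password, salt), "displayName": display_name}


# Constructed legacy user store, keyed by lower-cased e-mail.
USER_STORE = {u["email"]: u for u in [
    make_user("alice@example.com", "correct horse battery", "Alice"),
]}


def validate_credentials(request_json):
    """Handle one B2C REST call; return (http_status, response_body)."""
    claims = json.loads(request_json)
    email = (claims.get("signInName") or "").strip().lower()
    password = claims.get("password") or ""
    user = USER_STORE.get(email)
    # Always run the hash so response time does not reveal which e-mails exist.
    salt = user["salt"] if user else b"\0" * 16
    computed = _hash(password, salt)
    ok = user is not None and hmac.compare_digest(computed, user["hash"])
    if not ok:
        # Same message for unknown user and wrong password; B2C shows userMessage.
        return 409, json.dumps({"version": "1.0.0", "status": 409,
                                "userMessage": "Invalid username or password."})
    # Output claims B2C maps into its token (no secrets, no hash material).
    return 200, json.dumps({"email": user["email"],
                            "displayName": user["displayName"]})
```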

API authentication for Azure AD B2C users?

Is there a back-end API available to programmatically authenticate the external user against the Azure AD B2C instance by passing in the user credentials from within an MVC web application (without showing the login page) as we do from a Native Client like a console application?
Authentication through a back-end API that accepts user credentials is achieved through the OAuth Resource Owner Password Grant.
Azure AD B2C does not support the "Resource Owner Password Grant" yet.
You can support this feature ask and get updates on its progress by voting for it in the Azure AD B2C feedback forum: Add support for Resource Owner Password Credentials flow in Azure AD B2C.