I'm trying to integrate Azure AD B2C with my App Service using the Authentication / Authorization menu in the portal (also called EasyAuth).
This is what I did:
Registered the application in Azure B2C
Recorded the App ID
Defined user flows (just Sign In)
Set up identity provider (Azure AD)
Tested the user flow, with Redirect URI pointing to jwt.ms, to see the result - works fine
Enabled Authentication / Authorization in the App Service in the Portal
Configured Azure AD authentication with the App ID from above and the link to the endpoint metadata
But now, when I access the App Service, I'm redirected to a "Logging in..." page which immediately goes to the jwt.ms page, with no JWT data, no login page, and no opportunity to enter my credentials.
Just an empty jwt page.
I couldn't find anything in the docs that can explain this.
What am I missing?
Related
Current situation: symfony application with authentication via azure AD B2C.
How is it possible to make an authorize check to [https://TENTANT.b2clogin.com/TENTANT.onmicrosoft.com/oauth2/v2.0/authorize via ajax to verify if a customer has an active session on azure AD, i only need to retrieve the azure oid from the token.
Now i redirect the user to [https://TENTANT.b2clogin.com/TENTANT.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_sign_in&client_id=CLIENTID&none=defaultNonce&redirect_uri=REDIRECTURI&scope=openid&response_type=id_token&prompt=login&response_mode=form_post&ui_locales=en but i want to get rid of that.
You can use MSAL method ssosilent(), which opens the auth endpoint via hidden iframe. That succeeds only if there is a valid session cookie at AAD B2C. Note this only works if your app and AAD B2C are on the same root domain name.
We have integrated keycloak with Azure Active Directory and integrated it with a few applications.
We have a few applications that are directly integrated with Azure Active Directory. Is there an approach I can follow to make a person logged in to one application to be signed in all the other applications irrespective of the authentication provider used (keycloak or Azure AD)?
Normally I'll be logged into all applications integrated with keycloak if I signin into one application integrated with keycloak and vice-versa with Azure AD.
Your requirement can be fulfilled with the app service feature by leveraging the token store and authorization behavior of the configured authentication providers for the apps configured. But only tokens received from keycloak can be forwarded to Azure AD for authentication purposes and further sign in respectively to all apps registered with Azure AD. The reverse is not possible as keycloak doesn’t has the ability to forward the sign in token request received for the application configured back to Azure AD for authorization.
You will have to enter the REST API code for signing in and out of a session accordingly by incorporating the below likewise code in your environment.
Log in with the Microsoft Identity Platform
Log in with Facebook
Log in with Google
Log in with Twitter
Log in with Apple
Please find the below documentation for an approach on forwarding the authentication tokens from Keycloak to Azure AD for access authorization: -
https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-customize-sign-in-out
Thanking you,
I'm trying to use AWS Cognito with a user pool using Azure AD as an Identity Provider (OpenID Connect).
I set up the User Pool in Cognito and specify the callback URL of my test app (https://localhost:44381) and I configure an App Registration in Azure AD that has the same URL in the Redirect URIs.
In the AWS Console, under App Client Settings, I click "Launch Hosted UI" to test it. It displays a page that lets me choose my configured Identity Provider (Azure AD). On that page, I can see in the URL what it has for "&redirect_uri=". It has https://mydomain.auth.us-east-2.amazaoncognito.com/oauth2/.
So I put that URL in both AWS Cognito and in Azure AD as the Callback URI/Redirect URI.
Then when I click through to the Identity Provider, it pops up the normal Azure AD login and lets me log in, but I get:
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '60e47fff-e2cc-41d8-8405-283bafb33fbb'.
This is the application (client) ID from Azure AD.
Likewise, when I run this from my test app, I can see the redirect_uri=https://localhost:44381/oidc in the URL - but same thing happens - redirect mismatch. Though that exact URL is in both AWS and Azure AD.
How can I find out what it is trying to "match"? It's obviously changing something in the URL that I give it.
I have a nodejs webapp with login, signup pages (text fields to enter username, passwd and "Login" button). Other pages in the UI and Backend APIs should be accessible only to authenticated users.
What options do i have if i want to authenticate users using Azure AD (Clicking the "Login" button on the UI should authenticate against Azure AD)? Would the flow be different If i want to authenticate both internal (associates with AD credentials) and external users (end customers not in our AD)
TIA.
What options do i have if i want to authenticate users using Azure AD
(Clicking the "Login" button on the UI should authenticate against
Azure AD)?
In the B2C, you could use the direct sign-in by the username or the identity provider.
Would the flow be different If i want to authenticate both internal
(associates with AD credentials) and external users (end customers not
in our AD)
There is no difference. If you don't set up direct sign-in, all the user will see the first page for the user to choose the provider, and then will redirect to the related provider login page.
You have to create a B2C directory and create a web app there, then you can create Signin or Sign Up Policy. Once you are able to create that, open it and select the web app you have created and a redirect url to which you want your user to redirect to afetr successful login. Now hit the Run Now button at the bottom of the policy page. You should see a login page. If you are using it for the 1st time, you have to sign up otherwise you can signin directly. That will do for you.
There is no diff if you are signing in a user who has the ad credentials or not. They still have to signup in the b2c directory for the 1st time as the user profile they have is for the Azure AD directory and not for Azure AD B2C.
There is one thing to consider in min, what type of Authentication you want to follow, OpenId or EasyAuth.
You can test these things out and that should solve your problem. If you still face any challenge, you can let me know here.
Sign-in with Microsoft identity provider fails, works with others
I have an Azure AD B2C tenant with a SingIn and SignUp policy that I hope to use
for user management with an Angular2 SPA.
The policy is configured for three identity providers:
Google
Microsoft
Email Signup
When I use the Run Now button in the Azure portal to run this policy, I get the default Sign In dialog, and I can sign in with either Google or Email signin. (By that I mean I get re-directed to my app's redirect page as I expect.) However, when I try to sign in using the Microsoft
provider, I end up at an error page with the following address:
https://login.live.com/err.srf?lc=1033#error=invalid_request&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid.+The+expected+value+is+'https://login.live.com/oauth20_desktop.srf'+or+a+URL+which+matches+the+redirect+URI+registered+for+this+client+application.&state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6NDcyMmQyNjItOTk1Yi00YTJlLWFmNWUtODkwNDgyODlhMzM0IiwiVElEIjoiM2Y2ZDVmNjAtMDdiNC00ZDA3LWEyZDItN2U3YWQwOWRhOGQ5In0
I see that the problem is related to an invalid redirect_uri. But I thought the redirect_uri was an application-level setting shared by ALL identity provders that I have configured. Why does my redirect_uri setting work for Google and Email signup, but not for Microsoft?
You have to configure your Microsoft application with the right redirect URL.
As stated in the documentation:
Enter https://login.microsoftonline.com/te/{tenant}/oauth2/authresp in the Redirect URIs field. Replace {tenant} with your tenant's name (for example, contosob2c.onmicrosoft.com).
Why you have to do this: (courtesy of Chris Padgett)
The redirect URI that is configured in the Azure AD B2C Portal represents the reply address for your client application. This is so Azure AD B2C can return an ID token to your client application. The redirect URI that is configured in the Application Registration Portal represents the reply address for your Azure AD B2C tenant. This is so the Microsoft Account identity provider can return a security token to your Azure AD B2C tenant.
So, your app is federating authentication to Azure AD B2C.
B2C then further federates to the Microsoft Account identity provider.
So when a user a logs in with a Microsoft account, they are sent back to B2C with a token, which B2C validates.
If all is okay, they are signed in to B2C, and sent back to your app.
So you see that from the point of view of the MSA identity provider, B2C is the client.
So the redirect URL there must point to B2C.
As the document stated, you should Enter https://login.microsoftonline.com/te/{tenant}/oauth2/authresp in the Redirect URIs field.
But I thought the redirect_uri was an application-level setting shared
by ALL identity provders that I have configured. Why does my
redirect_uri setting work for Google and Email signup, but not for
Microsoft?
You're right, the redirect_uri is an applicaiton-level sttings. It should be same in all IDPs redirect URIs. But this Redirec URI is set by Azure. NOT your applicaiton. It means that your can use other IDPs to login to your app with AAD B2C, NOT login to your applicaiton directly. So, the redirect_uris must be https://login.microsoftonline.com/te/{tenant}/oauth2/authresp, not the redirect_uri in your application itself.
URI doesn't equal URL. The redirect URI is just a unique identifier to which Azure AD will redirect the user-agent in an OAuth 2.0 request. It's not redirect URL, Azure AD authentication endpoint https://login.microsoftonline.com/ use redirect URIs to check where it should be responsed. Aslo, it can be same as the URL as the endpoint. Here should be the same I guess.
Summary, you need use the unique redirect URI https://login.microsoftonline.com/te/{tenant}/oauth2/authrespfor all IDPs , not just Microsoft account.
Hope this helps!