Lets say, an organization uses Azure AD B2C for their IAM needs and their APIs are protected by AD B2C. Any client application that needs to obtain tokens from Azure AD B2C can utilize the client library [MSAL] to interact with IAM.
This mandates the organisation to suggest using MSAL to their partner or independent client App developers. In this case if the organisation do not want their developers/partners to know that they are using azure AD B2C, what will be the right approach? Should they build their own custom client libraries? Or are there any other suggestions?
Could you not just instruct them that you use OpenId Connect or OAuth and point them to your metadata URL? Let them then decide on the library they would like to use.
In this case if the organisation do not want their developers/partners to know that they are using azure AD B2C
I don't think you can fully hide that. Even w/ custom domains, your fully qualified tenant name is in the URL your-tenant.onmicrosoft.com.
OIDC Well known configuration URL example:
https://login.microsoftonline.com/spottedmahnb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_SO-Herbener
That said, OAuth 2 and SAML so any library that supports that those technologies support B2C š. For example, here's a SPA sample that uses Hello.JS.
Related
I know Azure AD would probably be pretty good for crediting a enterprise-class application, i.e. something used inside a corp. However what about if I am creating a public facing internet application. I need typical identity components, sign-in, sign-out, etc. Let's just say 10,000 users. Would azure AD be good for this?
I think azure ad b2c will meet the demand.It provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs.You can customize the entire user experience with your brand.Azure AD B2C uses standards-based authentication protocols including OpenID Connect, OAuth 2.0, and SAML. It integrates with most modern applications and commercial off-the-shelf software etc.You can refer to this.
Scenario:
(Azure-hosted) Web App. Users should be able to sign in to my app using a Microsoft Account (i.e. #live.com, #hotmail.com, etc accounts) that has one or more Azure subscriptions. The application would then allow them to view and manage their Azure resources in specific ways through my app.
Points of confusion/frustration:
ADAL vs MSAL for authentication
Azure AD vs Azure AD B2C for the tenant hosting the application
Where do you register the tenant app? In the AD B2C under "App Registrations"? In a regular AD under "App Registrations (Preview)"? On the App Registration Portal (i.e. apps.dev.microsoft.com)?
Which of the above client ID & secret do you use in the web app (in the .config file)?
The documentation for none of these seem to cover the scenario end-to-end and most of it is completely out of sync with other developments.
I am hoping here to get some point of guidance from other developers that have actually gone through this journey themselves (rather than folks that just read the documentation). In specific, I am hoping to get answers from the Azure CXP team that monitors these questions and provides official & supported answers.
Your scenario requires access to Azure APIs, thus you have to make the logins against "regular" AAD, not B2C.
You can't make your logins against MSA accounts directly as they must be members of an AAD to have access to subscriptions.
You can use either ADAL or MSAL to handle the authentication.
Note you must use v2.0 endpoint for MSAL and the "v1" endpoint for ADAL.
See limitations of the v2 endpoint here: https://learn.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison.
You register it under Azure portal -> Azure Active Directory -> App registrations.
You can also use the preview version if you want.
You will need the application id (= client id) + a key (secret) from the app registration.
Iām looking to integrate with a SSO IdP (identity provider) and trying to understand whether AD can serve that role.
I.e., I set up users on AD, users authenticate on a webpage that checks the validity of their password with AD which generates a signed token I can use to log into my app.
Thanks!
Yes, AD can be easily used as an Identity Provider for Single Sign on purpose.
If you're going for it, achieving Web single sign on (SSO) through Microsoft's AD FS (Active Directory Federation Services) would be a good choice.
I'll quote the overview from MSDN Article on Active Directory Federation Services:
Overview
AD FS is a standards-based service that allows the secure sharing of
identity information between trusted business partners (known as a
federation) across an extranet. When a user needs to access a Web
application from one of its federation partners, the user's own
organization is responsible for authenticating the user and providing
identity information in the form of "claims" to the partner that hosts
the Web application. The hosting partner uses its trust policy to map
the incoming claims to claims that are understood by its Web
application, which uses the claims to make authorization decisions.
AD FS is Microsoft's implementation of the WS-Federation Passive
Requestor Profile protocol (passive indicates that the client
requirements are just a cookie- and JavaScript-enabled Web browser).
AD FS implements the standards based WS-Federation protocol and
Security Assertion Markup Language (SAML).
... // follow the link shared above for more information.
We are looking to publish an API in an Azure B2C model where customers will use our app to access API's published using Docker Swarm based Azure Container Services. Our assumption here is that this model will require Azure B2C AD as opposed to Azure AD.
All API calls will have an OAuth token issued from B2C AD.
We want to know what is the best approach to validate the token centrally before it reaches the microservices on Azure Container Service. We were using API Gateway to route the API calls to the correct microservice while also using the WAF capability in the API Gateway. However, we realize that the API Gateway does not provide a way to verify the OAuth token before it forwards the request to the microservices.
Also please note, as per the suggestions in Microsoft Documentation we have two tenants with one tenant running all services such as database and microservice and the second tenant hosting the Azure B2C AD.
Can you please suggest the best option to implement the OAuth Verification without having to implement this in each microservice.
One thing you could do is put Azure API Management Service between your clients and services, there you'd have an option to use validate-jwt policy to inspect tokens and authorize calls.
The following is a quick overview of the steps:
Register an application (backend-app) in Azure AD to represent the API.
Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
In Azure AD, grant permissions to allow the client-app to call the backend-app.
Configure the Developer Console to call the API using OAuth 2.0 user authorization.
Add the validate-jwt policy to validate the OAuth token for every incoming request.
Please refer to the following document for steps in detail.
Azure AD B2C now supports SPAs. But is this supported by Angular? While implementing Azure AD (not B2C) I found a file adal-angular.js. I can inject its services, call its extended end points and get my way done.
Is there any file for Azure AD B2C? Or adal-angular.js works for Azure AD B2C too? Please correct me if anything I wrote above is wrong.
adal-angular.js will only work for non-converged AzureAD apps (apps that are registered in the Azure Portal AzureAD Blade). AzureAD B2C apps are converged so this library will not help you.
AzureAD B2C does in fact support SPA's using the open source library hello.js. Here is a SPA code sample. There is not currently any Angular code samples for AzureAD B2C, but as an oAuth 2.0 service you should be able to hook up almost any open source Angular oAuth2.0 library that supports implicit flow.
We just released our solution to integrate Angular with AAD B2C: https://github.com/3DSemantix/angular-asp.net-core-aad-b2c
The "SPA code sample" from MS is a bit weird when I looked at it (refreshing the token feels hacky).