Referred the following stack overflow post Azure B2C client credentials grant
We are presently using Azure B2C.
I understand that Azure B2C does not support the client credential flow for now.
We have a requirement where an external application (server Application outside our organization) needs to access our resource (api hosted within our organization)
Is there any way we can do this from Azure AD-B2C or would we need Azure AD-B2B for these type of requirements. ?
Currently, your specific scenario -- where you are needing an access token to be issued for access by a daemon or server app to your API app -- isn't supported, however you can register the API app through the “App Registrations” blade of the Azure AD directory for your Azure AD B2C tenant.
You can upvote support for the client credentials flow by Azure AD B2C at:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/18529918-aadb2c-support-oauth-2-0-client-credential-flow
If the API app is to receive tokens from both a web/native app as well as the daemon/server app, then you will have to configure the API app to validate tokens from two token issuers: one being Azure AD B2C and other being the Azure AD directory for your Azure AD B2C tenant.
You should not do this anyway.
Instead, provide a portal for your customers where they can manage api keys.
Implement api keys as a second auth schema in your Api
Related
We have a requirement to integrate ADB2C with OKTA as an external Identity Provider.
OKTA will hold the External users and these users needs to access the applications hosted on Azure.
How do I implement the Integration between AAD B2C and OKTA ?
Thanks for posting your query. In order to integrate OKTA as IDP, kindly follow: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-saml?tabs=windows&pivots=b2c-custom-policy. It has to be added as a SAML IDP
You can configure Azure AD B2C to allow users to sign in to your application with credentials from external social or enterprise SAML identity providers (IdP). When Azure AD B2C federates with a SAML identity provider, it acts as a service provider initiating a SAML request to the SAML identity provider, and waiting for a SAML response. In the following diagram:
The application initiates an authorization request to Azure AD B2C.
The application can be an OAuth 2.0 or OpenId Connect application, or
a SAML service provider.
In the Azure AD B2C sign-in page, the user chooses to sign-in with a SAML identity provider account (for example, Contoso). Azure AD B2C
initiates a SAML authorization request and takes the user to the SAML
identity provider to complete the sign-in.
The SAML identity provider returns a SAML response. Azure AD B2C validates the SAML token, extracts claims, issues its own token, and
takes the user back to the application.
Yes, Azure Active Directory B2C has a free tier for your first 50,000 active users per month (MAU), which you can use for testing purposes. https://azure.microsoft.com/en-in/trial/get-started-active-directory-b2c/
Log in to the Azure portal by using your existing Azure subscription or by starting a free trial. On the left side, click on the New button and search for B2C. Click Create.
Click Create a new Azure AD B2C tenant and fill in all the fields.
Once you are ready click Create and wait for creation of your
directory to finish.
Once your directory is created, a prompt will appear notifying you
your new directory is ready. Click on the link in the prompt to
access your new directory.
The B2C settings blade appears, where you configure and manage your
Azure Active Directory B2C directory.
Thanks
We have a public consumer application for which we use Auth0 as identity platform and through Auth0 we have enabled a couple of social logins to which we now want to add "Login with Microsoft" as an option so that anyone with any type of Microsoft account can login.
Obviously we will need to enable the Microsoft social connection in our Auth0 instance and connect it to a Active Directory Application and Tenant created in Azure.
What I can't seem to find the answer for is which type of tenant we should setup for this, whether we should use a Azure Active Directory tenant with a multi-tenant application or if we should use a Azure Active Directory (B2C) tenant for this?
Thanks for posting your query. As per https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2#register-your-app-with-azure-ad Azure AD would support for multitenant apps but not with social account (until you plan to send invitation to each user's personal account for Azure AD B2B).
For Microsoft Social accounts Azure B2C would suit your requirement.
On Auth0 Admin Console:
Create a web application in Auth0
Copy the client ID and secret
Add a callback URL from your B2C tenant in given format: https://.b2clogin.com/.onmicrosoft.com/oauth2/authresp
Copy the “OpenID Configuration” URI from advance setting.
On Azure B2C tenant:
Add an Identity provider to B2C, Azure AD B2C > Identity providers > New OpenID Connect Provider
Input “OpenID Configuration” URI you copied in above step to Metadata URL.
Similarly add client ID and Client secret you copied from Auth0.
Complete the claims mapping ref: https://learn.microsoft.com/en-in/azure/active-directory-b2c/identity-provider-generic-openid-connect?pivots=b2c-user-flow#claims-mapping
Hit Save and Auth0 will be saved as IDP in your Azure B2C tenant.
Thanks
I've gathered the following insights since posting my question
Summary
Auth0 Social connection -> Azure Active Directory tenant with an app configured to support "Personal Microsoft accounts"
Auth0 Enterprise connection -> Azure Active Directory tenant with an app configured to support "Accounts in any organisational directory and personal Microsoft accounts"
See guide of different app types here
Details
Since we wanted to support login with any microsoft account (multi tenant + personal) my initial attempt of using an Auth0 Social connection for this was incorrect, since the Social connection will only allow successful logins with personal accounts regardless of how you have setup the App registration in Azure
Auth0 Enterprise connection is the way to go for our case, with an Azure app registation supporting multi tenant + personal accounts. Also when setting the connection up in Auth0, make sure to enable the "Use common endpoint" setting as described here
The Azure Active Directory B2C tenant type is not useful with any of the Auth0 connections as you likely won't be able to get a satisfying consent screen with verified publisher. I'm guessing its just the wrong way of using the B2C tenant, where its supposed to be used the other way around with the Azure tenant being the identity platform optionally integrating applications from Auth0 like in the answer from Mavric20
I am looking to implement Azure AD B2C into my web application for user authentication.
However, I am unsure of the desired practice when you have a separate frontend from backend.
Frontend: React JS web application running on Node.js
Backend: ASP.NET Core 6 API application
Server: Microsoft SQL Server
I would like to also have users / user information stored in the database upon creation. This is because I need to reference these users in several different relational tables.
What is the best workflow with this?
Azure AD B2C is implemented in frontend. When a user is created, an API request is sent to the backend to create the user in the database. If it is successful, a user cookie is created on the frontend for authentication.
Azure AD B2C is implemented in the backend. When a user is submitted in the frontend, an API request is sent to the backend where the Azure AD B2C service creates a user, stores it in the database, and sends a callback to the frontend signifying the action was either successful / unsuccessful, along with a user cookie for authentication.
other
I am new to authentication cookies, and user sessions, so any documentation provided regarding that would be greatly appreciated.
• I would suggest you use ASP .NET MVC 2 or another version as the front-end client and integrate Azure AD B2C tenant and an app registered in it as described in the document below. Once you have the Azure AD B2C tenant registered and the required application for authentication configured, configure the custom policies and user flow accordingly. Once those are done, then secure that application with Azure AD B2C for login and authentication with guest authentication. Then, ensure that your backend application is integrated with Azure SQL or cosmos DB for storing the details of all the users signed in with the Azure AD B2C. For that purpose, you will have to give Azure AD B2C application registration, the required permissions for that concerned Azure resource for allowing to access the same and retrieve the user details from it. Thus, in this way, you can configure your application accordingly.
Kindly refer to the link below for more information and details on configuring the infrastructure for the same: -
https://www.codeproject.com/Articles/1121503/Integrate-Azure-AD-B-C-with-ASP-NET-MVC-Web-App-Pa
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-authentication-sample-web-app?tabs=visual-studio
Website webapp1.com has registered users with its own IdP implementation.
There are other websites such as webapp2.com, webapp3.com, webapp4.com (different domain).
A logged-in-user user1 of webapp1.com wants to do a SSO login to webapp2.com or webapp3.com or webapp4.com.
user1 has accounts in webapp2.com/webapp3.com/webapp4.com as well.
Is there a way to implement this using Azure AD or Azure AD B2C?
This is possible using PingIdentity.
https://www.pingidentity.com/en/resources/blog/posts/2021/sso-vs-federated-identity-management.html
Tried Azure AD and Azure AD B2C.
There is no documentation found how this could be done.
As long as the web apps connect to the same identity provider/s, the user will get SSO if they visit another app and pass through those same identity providers. With AAD this is the default and only behaviour. With AAD B2C this is the default behaviour, but can be restricted.
I'm trying to figure out the best way to replicate an LDAP sync or a tool like Azure AD connect but for multiple Azure AD tenants to a single Azure AD B2C tenant. When a user is created in an Azure AD tenant it needs to sync over to the Azure AD B2C tenant. I need the user to exist in the B2C tenant before that user ever tries to login so I can't just point to the Azure AD tenant as the IDP. This is because not all of the users of the AD tenants will login but we will want to show the admin of that tenant all the users.
I've reached out to Microsoft's Azure architects but haven't gotten much feedback on the best approach. Looking for any examples or documentation on the best way to achieve this.
One way would be to develop a SCIM service that provides an endpoint for Azure AD to connect to.
The SCIM service would then call the Graph API to perform the user CRUD in B2C.
This is because B2C has no native SCIM support.
There is a Microsoft sample for the service that you could use. Described here.