Angular Support For Azure AD B2C - angularjs

Azure AD B2C now supports SPAs. But is this supported by Angular? While implementing Azure AD (not B2C) I found a file adal-angular.js. I can inject its services, call its extended end points and get my way done.
Is there any file for Azure AD B2C? Or does adal-angular.js work for Azure AD B2C too? Please correct me if anything I wrote above is wrong.

adal-angular.js will only work for non-converged AzureAD apps (apps that are registered in the Azure Portal AzureAD Blade). AzureAD B2C apps are converged so this library will not help you.
AzureAD B2C does in fact support SPAs using the open source library hello.js. Here is a SPA code sample. There are not currently any Angular code samples for AzureAD B2C, but as an OAuth 2.0 service you should be able to hook up almost any open source Angular OAuth 2.0 library that supports implicit flow.

We just released our solution to integrate Angular with AAD B2C: https://github.com/3DSemantix/angular-asp.net-core-aad-b2c
The "SPA code sample" from MS is a bit weird when I looked at it (refreshing the token feels hacky).

Related

Access Azure AD App resources with application in another tenant

Hello Everyone,
I have an Azure AD application with MS Graph authorizations to get users or calendars.
And I have a B2C tenant with an application and a user flow. The B2C authentication is working well in my Blazor app, but my B2C application doesn't have access to the MS Graph authorizations from my AD application.
I have been trying to make a custom scope and declare it in my B2C app, or to use an API connector, but nothing works.
I give you screenshots of my AD application and my B2C application:
My AD Application :
API Exposed
API Authorization
If you have a solution or an idea to test...
Thank you in advance..
(Moving from Comments to Answer)
The two screenshots you provided are from AD, and AD tenants and B2C tenants are different. You cannot use applications in the B2C tenant to access resources in the AD tenant.
In addition, Azure AD B2C applications cannot use MS Graph, but can only use AAD Graph, see: here and here.

How to use Azure AD B2B with Authorization code with PKCE flow in ReactJS

I am trying to use Azure AD B2B for the authorization code with PKCE flow in my ReactJS app. I have searched Google; all the examples are with Angular and Azure B2C. I couldn't find a working sample with ReactJS and Azure B2B. Can anyone guide me on how to use the PKCE flow with Azure B2B in a ReactJS app?
Thanks
Look at samples using MSAL for React.js, e.g. this one. The only special thing with respect to allowing B2B users is to make sure you do not use the /common endpoint when redirecting to AAD but identify the specific tenant you want to use, e.g. login.microsoftonline.com/contoso.com. Other than that AAD does not care whether you are authenticating a local or B2B user.

What is the currently working and correct way to set up an Azure Application that allows MSA signin?

Scenario:
(Azure-hosted) Web App. Users should be able to sign in to my app using a Microsoft Account (i.e. #live.com, #hotmail.com, etc accounts) that has one or more Azure subscriptions. The application would then allow them to view and manage their Azure resources in specific ways through my app.
Points of confusion/frustration:
ADAL vs MSAL for authentication
Azure AD vs Azure AD B2C for the tenant hosting the application
Where do you register the tenant app? In the AD B2C under "App Registrations"? In a regular AD under "App Registrations (Preview)"? On the App Registration Portal (i.e. apps.dev.microsoft.com)?
Which of the above client ID & secret do you use in the web app (in the .config file)?
The documentation for none of these seems to cover the scenario end-to-end, and most of it is completely out of sync with other developments.
I am hoping here to get some point of guidance from other developers that have actually gone through this journey themselves (rather than folks that just read the documentation). In specific, I am hoping to get answers from the Azure CXP team that monitors these questions and provides official & supported answers.
Your scenario requires access to Azure APIs, thus you have to make the logins against "regular" AAD, not B2C.
You can't make your logins against MSA accounts directly as they must be members of an AAD to have access to subscriptions.
You can use either ADAL or MSAL to handle the authentication.
Note you must use v2.0 endpoint for MSAL and the "v1" endpoint for ADAL.
See limitations of the v2 endpoint here: https://learn.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison.
You register it under Azure portal -> Azure Active Directory -> App registrations.
You can also use the preview version if you want.
You will need the application id (= client id) + a key (secret) from the app registration.

Azure AD B2C - Custom Client library instead of MSAL/ADAL?

Let's say an organization uses Azure AD B2C for their IAM needs and their APIs are protected by AD B2C. Any client application that needs to obtain tokens from Azure AD B2C can utilize the client library (MSAL) to interact with IAM.
This mandates that the organisation suggest using MSAL to their partner or independent client app developers. In this case, if the organisation does not want their developers/partners to know that they are using Azure AD B2C, what will be the right approach? Should they build their own custom client libraries? Or are there any other suggestions?
Could you not just instruct them that you use OpenId Connect or OAuth and point them to your metadata URL? Let them then decide on the library they would like to use.
In this case if the organisation do not want their developers/partners to know that they are using azure AD B2C
I don't think you can fully hide that. Even w/ custom domains, your fully qualified tenant name is in the URL your-tenant.onmicrosoft.com.
OIDC Well known configuration URL example:
https://login.microsoftonline.com/spottedmahnb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_SO-Herbener
That said, it is OAuth 2 and SAML, so any library that supports those technologies supports B2C 😊. For example, here's a SPA sample that uses Hello.JS.

Azure AD Apps: Migrating to v2.0

This is my scenario: Client Windows Forms app authenticates with Azure AD and uses the access token to access several web api services. Until now, I was using the endpoint 1 and using the Azure portal to register both apps. It seems like there's a new way now, but I'm a little lost here.
For starters, it seems like both apps (client and server) can be registered in the same app in the new apps portal (https://apps.dev.microsoft.com). I do see a place to add platforms and I have added entries for the native and web API. But where do I go from here? For instance, in the Azure portal, I must configure the client app in order for it to call the web API services. How do I do that here?
Is there a complete sample for this scenario like the one we have for ADAL (https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-code-samples#native-application-to-web-api)?
Thanks,
Regards,
Luis
Please firstly refer to this document to know what's different about the v2.0 endpoint. When you build applications that integrate with Azure Active Directory, you need to decide whether the v2.0 endpoint and authentication protocols meet your needs. Please see the limitations of Azure AD v2.0, such as: you can use the v2.0 endpoint to build a Web API that is secured with OAuth 2.0. However, that Web API can receive tokens only from an application that has the same Application ID.
The v2.0 endpoint does not support SAML or WS-Federation; it only supports OpenID Connect and OAuth 2.0. To better understand the scope of protocol functionality supported in the v2.0 endpoint, read through the OpenID Connect and OAuth 2.0 protocol reference.
You could refer to the document on how to call a web API from a .NET web app with Azure AD v2.0 (using MSAL to acquire and use access tokens), and here is the code sample on GitHub. The document includes how to add basic sign-in to a web app and how to properly secure a web API in Azure AD v2.0.