B2C - Sign in with Google account not showing - google-oauth

We are in the process of setting Google OAuth to Azure B2C. What are the values to pass for client id and client secret when adding Google as identity provider. See this image: Configure Google as Identity Provider
When users run, sign up and sign in user flow, they are not getting the Sign in with Google option. How to get this?

To get the values of Client ID and Client secret, you need to create one Google application as mentioned in below reference.
I tried to reproduce the same in my environment and got below results:
I created one Google application by following same steps in that document and got the values of Client ID and Client secret like this:
Go to Google Developers Console -> Your Project -> Credentials -> Select your Web application
I configured Google as an identity provider by entering above client ID and secret in my Azure AD B2C tenant like below:
Make sure to add Google as Identity provider in your Sign up and sign in user flow as below:
When I ran the user flow, I got the login screen with Google like below:
After selecting Google, I got consent screen as below:
I logged in successfully with Google account like below:
Reference:
Set up sign-up and sign-in with a Google account - Azure AD B2C

Related

How to login into Google workspace using OIDC with my own identity provider

I am building an SSO system for android where I am the identity provider. And I want users to sign in from my app that will automatically log them in to google workspace (or any other enterprise application e.g salesforce). I cannot figure out what and how to send identity values from my Idp to Google workspace.
This can't be done this way round. When a user signs in to your app she can't be automatically signed in to any other application. The options that you have are:
When a user signs in to your application you can ask Google for an access token. As part of your sign-in process, you can run an OAuth flow against Google Authorization Servers and ask for proper permissions. This will allow the user to additionally log in to their Google account, consent to release information to your app and you will then get an access token that will enable you to call Google's APIs. This way your users will have to log in twice (both to your app and to Google).
You can rely on Google to log users into your app. So, Google will be the OIDC Provider and your app will only be the client. People will log in to their Google account, and you will get an ID token in return. You can use the data from the ID token to create user accounts and sessions in your app.
In the first case, you will want to have a look at OAuth flows, like the code flow. In the latter, you will need OIDC flow, e.g. the OIDC code flow.

Azure Function App Authentication Sign In

I am currently working on a function app and would like to understand more on the built in authentication using Microsoft as the identity provider. I have created an app registration as per this guide but upon testing the authentication in a browser, I have been redirected to login.microsoftonline.com/common instead of login.microsoftonline.com/. Is that the expected behavior?
For your function app, in the Authentication blade, check what is being displayed for Issuer Url for the Microsoft Authentication provider. If you have configured to authenticate users from your organization's Azure AD, then that will be the tenant ID, and the url should be login.microsoftonline.com/<guid of tenant>. It depends on what you chose for your target audience, refer here.

How to migrate federation identity from Auth0 to Azure AD B2C?

Federation identity are like sign up with Google, or sign up with Facebook. I want to migrate from Auth0 to Azure, but the problem is I can't find any proper documentation that explains what happen to those users who signed up using their Google or Facebook account.
There are good documentation for username and password users, but there is not anything special for federation identity users.
Does anyone know how to migrate them?
I have the same question for Amazon Cognito and other alternative services
This is not always straightforward, because some IdPs issue a different UUID per Application Registration. If you can re-use the exact same Application Registration at Facebook, for example, with AAD B2C, then this can be fairly easy.
There is an example here:
https://github.com/azure-ad-b2c/samples/tree/master/policies/link-local-account-with-federated-account
All you need to do is pre-create the Local accounts in AAD B2C, and provide the expected UUID from the federated IdPs token to the Local account user object in AAD B2C. AAD B2C can then link the account when the user comes in with that Facebook account.

How to Authenticate to Azure Active Directory Graph API on a Users behalf?

I have setup an AD in Windows Azure and created some users as well. I have also registered/created an application inside AD for third party application to access API(using Client and Secret ID).
I have followed the steps listed in the below links for authenticating to Graph API :
Authenticating to the Graph API
Getting an Application ID and Password for Authenticating to the Graph API
But when i tried with my client and Secret ID i am getting "Invalid Client error" message .
Error validating credentials. Invalid client secret is provided.
Also is it possible to Authenticate to Graph API on a Users behalf (By providing Client Credentials of a User inside AD).
Any help is appreciated.
The response from Azure ActiveDirectory will contain an id_token that contains the user's email in the UPN field. If you use the ADAL library or the libraries from Office 365 API tools http://blogs.msdn.com/b/officeapps/archive/2014/03/12/announcing-office-365-api-tools-for-visual-studio-preview.aspx, this information is available in the object model.

I want to authenticate an admin using OAuth2 and access data for accounts that are under this admin

I want to authenticate an admin using OAuth2 and access data for accounts that are under this admin.
Primarily something like this, I have an organisation : A --> B, C, D where A is the admin.
If i authenticate A can i access data from B,C,D.
We were able to do this in OAuth1.0 and appending email ids in request URL's.
How do we achieve it in OAuth2.0 ?
(assuming your users are under a Google Apps domain)
This can be achieved in OAuth 2.0 using service accounts. You need to:
Create a service accounts and download private key.
Delegate domain-wide authority to your service account (see the link below for instructions).
Use a signed assertion requesting access to the users data to receive an access token for use in subsequent API calls.
See here for an example using Google Drive API:
https://developers.google.com/drive/delegation
See also the "Additional Claims" section here:
https://developers.google.com/accounts/docs/OAuth2ServiceAccount#jwtcontents