How to build protected Web API with Angular and Azure AD B2C ?
I follow: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-web-dotnet/
But I am not sure about using cookie authentication with Web API. Any idea how I should do this ?
Check this post: https://cgillum.tech/2016/08/10/app-service-auth-and-azure-ad-b2c-part-2/
Should bring AD B2C as Authentication Provider of Azure App Service, so next you work with Easy Auth of Azure App Service that support cookie for login.
Above post also include an example for SPA app already.
Related
We have a .Net 6 website that integrates with Azure AD B2C using OIDC. Login and registration for the website are defined in custom policies in the Azure AD B2C tenant. Azure AD B2C returns a claim that we use for user creation and login for existing users.
The client would like the website to integrate with another platform that supports SAML SSO to Azure AD B2C. Basically, if users are signed in to the website, and by extension signed into Azure AD B2C, and they click a link on the website to take them to the other platform then the user should be signed into the other platform.
My question is if we can mix OIDC and SAML in the custom policies so that logging into the website logs the user into the other platform or does it need to be either OIDC start to finish or SAML start to finish.
I have looked into the Microsoft documentation and it explains how to integrate Azure AD B2C with either OIDC or SAML but I couldn't find anything related to integrating Azure AD B2C with separate platforms that use different protocols.
Any help is greatly appreciated.
I am not sure if understand your use-case correctly - are you trying to onboard external partner as identity provider? And their identity provider uses SAML2 protocol?
If yes, you can look at this official page - https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-saml?tabs=windows&pivots=b2c-custom-policy
Basically you need to use custom policy. In a nutshell, custom policy orchestration flow redirects to identity provider, user authenticates with its own credentials. If successfully, the idp issues SAML token, redirects back to B2C.
And then you can process/transform those claims in SAML token, even create reference/federated user in your b2c (add your own attributes/claims in B2C user management portal) and send claims as JWT token back to your app.
Peter
I have an Azure AD B2C in Tenant A. A SPA web app (FE) and an API Functions App (Node.js) in Tenant B.
FE is using MSAL to require login with Azure AD B2C. I want the set up Authentication in the API to accept bearer access token from FE.
How can I configure Azure to achieve that?
The Tenant that has your Azure Subscription which in turn has your resources doesn't really have to be the one used for App Level Authentication. It is just required RBAC.
The App Registrations for both could just be in the Azure AD B2C Tenant directly and you could provide the required details when setting it up like below
Is it possible to use SSO with B2C for following scenario?
ASP.Net Core web app (Razor Pages) that authenticates user in a B2C tenant (local accounts). Using Microsoft.Identity.Web for simplicity:
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration.GetSection("web-AzureAdB2C"));
Hosted Blazor (wasm), where the client authenticates against the same B2C tenant with:
builder.Services.AddMsalAuthentication(options =>
{
builder.Configuration.Bind("app-AzureAdB2C", options.ProviderOptions.Authentication);
options.ProviderOptions.DefaultAccessTokenScopes.Add("some-scope-for-server-api-access");
options.ProviderOptions.LoginMode = "redirect";
});
Authentication works fine for both apps, but user has to login in both.
Both apps are using the same B2C User Flow. Simply enabling the SSO option in Azure Portal for the User Flow does not change anything, user still have to manually sign in in both apps.
I am not sure it can be done simply (implicit vs authorization flow), but I would appreciate any guidance. Many thanks.
I would like to test a locally running web api authorized end point with Postman using AAD B2C with Microsoft account as identity provider.
The web api is running well, I can authenticate from client apps (Web App and UWP app), but I am not able to test it with Postman because can't get a token. Without authorization the Postman works well.
I am using the following guideline:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/azure-ad-b2c-webapi?view=aspnetcore-3.0
The Postman's error message:
Postman's settings:
AAD B2C Applications:
AAD B2C Postman App properties:
AAD B2C Postman App API access:
Can you tell me any idea what's missing?
I can repro your issue. Based on your capture, the Auth URL in postman setting(pic 2) , the host you are using is https://login.microsoftonline.com which will cause redirect uri issue while using MSA identity provider.
To solve this issue , you should use this host: https://{your-tenant-name}.b2clogin.com.
Details see this official doc :
When you set up an identity provider for sign-up and sign-in in your
Azure Active Directory B2C (Azure AD B2C) application, you need to
specify a redirect URL. You should no longer reference
login.microsoftonline.com in your applications and APIs. Instead, use
b2clogin.com for all new applications, and migrate existing
applications from login.microsoftonline.com to b2clogin.com.
Hope it helps .
I've created a mvc web application that uses openid to authenticate with Azure Ad and get the claims along with the token. I'm interfacing with Web Api to do the business transactions. The web Api is configured to oauth bearer tokens.
I've created separate oauth clients in Azure Ad for the Web App and Web Api. I'm able to get a token for Web Api from the Mvc Controller using AuthenticationContext to send to request to Web Api. I need to know how I can send the current User Claims as well to the Web Api. The claims in the Web Api are not having the claims of the User from the Web App.
Let me provide a bit more context here. I've created a MVC Web Application and a Web Api layer. The MVC Web App is configured to use OpenID authentication using Azure AD and I've configured the Web Api layer to authorize using OAuth Bearer tokens. The actions in the Web Api layer will be called through ajax requests and the bearer token will be added to the header of each Ajax requests. When the User is authenticated in the Web App, additional claims are added to the User on top of the claims from Azure Ad. I'm able to create a token for the Web Api layer using AuthenticationContext.AcquireToken, but the token for Web Api does not have the User info from the Web App.
I'm taking a wild stab in the dark here, based on what I think is happening.
Claims are attached the user, so theoretically, any claim you add in one place should be available in the other, as long as both applications share the same user datastore. However, claims are loaded at the point of authentication and not dynamically updated. As a result, if you're already logged in to the web application and you add a claim with your Web Api, that claim will not be available on the web application side until the user is re-authenticated.