Client credential OAuth flow - Azure B2C - microsoft-graph-api

Does Azure B2C support the Client Credentials OAuth flow? I am trying to implement programmatic (non-interactive) login via Azure B2C.

Yes. Azure B2C supports the Resource Owner Password Credentials (ROPC) user flow.
Please refer to Microsoft Documentation here.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc

Yes, it supports this. There is an article and example application in the documentation: Azure AD B2C: Use the Graph API.

Related

How do I configure an Azure APIM Oauth2 service for Azure AD B2C?

I'm exposing an API through Azure API Management. In order to call the API from the developer portal, an Authorization header with a bearer access token, issued by an Azure AD B2C instance, needs to be provided.
In the B2C instance, there is a signup/signin userflow (with connector API integration to load custom claims) that should be triggered by the APIM Oauth2 service configured for the API. This would mean that the user flow is triggered from within the developer portal (try it functionality) and the issued token is used to try out the API.
Who can point me in the right direction to get this working?
Remark: this is not an issue about setting up AAD B2C to get access to the developer portal, it is purely about calling our API from the developer portal (try it) with a token issued by our aad b2c instance.
I already tried to configure the B2C authorization endpoint with the signup/signin policy passed as a query parameter, but without success. I would expect it is needed to pass in the policy to be used, to ensure the right policy is run ...

Is it possible to use a generic OAuth 2.0 implementation for both Azure AD authentication and Google cloud OAuth?

msal.js is available for Microsoft Azure AD integration. Is there a common library that can be used to support both Azure AD authentication and Google authentication. Once both authentication providers are supported, user will be able to pick and choose a login. Is this possible?

How to implement Client Credential Flow with Azure AD as Identity provider for Cognito

We have an application hosted on AWS using Cognito Service, with Azure AD acting as the Identity provider. The solution works great with username and password, authenticating against the Cognito user pool.
We now need the above to work for service-to-service call scenario.
The unattended scheduled service will call another service (all hosted in AWS) but will need to authenticate with access token.
I was thinking of using the client credentials flow. But I could not find an approach which will work for the above scenario (i.e. client credentials flow with Cognito using Azure AD as the Identity provider).
When I go Azure AD Application Registration and view the endpoints, the oauth2/token endpoint shows up, but I have not figured out how this will work with Cognito.
Does anyone know how to implement this?
In Cognito, if you use the client credentials flow, there will not be any federated Identity provider involved. There will be no users, so there is no need to use Azure AD to generate tokens. You will make the access request using the Client ID and Client Secret and will be granted an access token that you can use.
https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/
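The two client-credentials answers above (Azure AD / B2C tenant endpoint, and Cognito) describe the same grant at two token endpoints. As an added example, not code from either answer, the block below builds the exact HTTP request each endpoint expects, puts a B2C ROPC request next to them so the difference is visible (ROPC carries a user's password; client credentials carries only the app's own credentials, so there is no user and no policy in play), and turns a token-endpoint response into an Authorization header while refusing RFC 6749 error responses. Endpoint shapes are the documented ones; tenant, domain, policy, client id and secret values are placeholders, the sample responses are constructed, and nothing here touches the network.

```python
"""Added example, not part of the original posts: request shapes for the OAuth 2.0
client-credentials grant against an Azure AD / B2C tenant endpoint and against an
Amazon Cognito user-pool domain, next to a B2C ROPC request, plus handling of the
token response. All identifiers are placeholders; nothing here talks to the network."""
import base64
import json
from urllib.parse import urlencode, parse_qs


def azure_client_credentials_request(tenant, client_id, client_secret,
                                     scope="https://graph.microsoft.com/.default"):
    """Client-credentials grant (RFC 6749 section 4.4) on the Azure AD v2.0 endpoint.
    A B2C tenant exposes this endpoint as well; it is how an app-only token for
    Microsoft Graph is obtained. No user is involved, so no user flow is named."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # v2.0: <resource>/.default selects the application permissions granted to the app
        "scope": scope,
    })
    return url, headers, body


def cognito_client_credentials_request(domain, region, client_id, client_secret, scope):
    """Same grant against a Cognito user-pool domain: the client authenticates with
    HTTP Basic and asks for a custom resource-server scope. No federated IdP is involved."""
    url = f"https://{domain}.auth.{region}.amazoncognito.com/oauth2/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": f"Basic {basic}"}
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return url, headers, body


def b2c_ropc_request(tenant_name, policy, client_id, username, password, scope):
    """ROPC (RFC 6749 section 4.3) on a B2C user flow: the client sends the user's
    password, so the resulting token carries that user's identity, not the app's."""
    url = (f"https://{tenant_name}.b2clogin.com/{tenant_name}.onmicrosoft.com/"
           f"{policy}/oauth2/v2.0/token")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": scope,
        "response_type": "token id_token",
    })
    return url, headers, body


def grant_carries_user(body):
    """Inspect a form body: the password grant carries user credentials, the
    client-credentials grant carries only the application's own credentials."""
    fields = parse_qs(body)
    return fields["grant_type"][0] == "password" and "username" in fields


def authorization_header_from_response(response_json, now):
    """Turn a token-endpoint response into a header plus an absolute expiry time.
    Error responses (RFC 6749 section 5.2) are raised, never used as a token."""
    resp = json.loads(response_json)
    if "error" in resp:
        raise RuntimeError(f"{resp['error']}: {resp.get('error_description', '')}")
    if resp.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token_type")
    return {"Authorization": f"Bearer {resp['access_token']}"}, now + int(resp["expires_in"])


# Constructed sample responses in the shape both endpoints return (not real tokens).
SAMPLE_OK = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                        "access_token": "eyJ0eXAi.constructed.sample"})
SAMPLE_ERR = json.dumps({"error": "invalid_client",
                         "error_description": "client secret rejected (constructed)"})
```

The scope strings matter: on the Azure AD v2.0 endpoint an app-only request must use `<resource>/.default`, and on Cognito the scope must be one defined on a resource server in the pool; neither endpoint will mint an app-only token for a delegated scope.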

Using Azure B2C login to access Microsoft Graph if the social login is a Microsoft account

I have an application (Blazor WebAssembly in my case but I believe this scenario applies to other application types as well) that uses the excellent (and convenient) Azure B2C login services to allow my users to register and log in using either a local account or some social accounts. In particular, I am supporting logging in with a Microsoft account. Once a user is logged in using his Microsoft account I want to give the user the option to save content on OneDrive without the user having to provide credentials again to access the Microsoft Graph API.
In the returned claims after logging in using the Azure B2C API I see that there is an idp claim (that's how I can determine if the user is logged in using a Microsoft account) and there is also an idp_access_token claim, but it is not a valid JWT to use against the Microsoft Graph unfortunately.
What is the nature of the idp_access_token? How can I use it to access the Microsoft Graph and request additional scopes?
Azure AD B2C receives an access token (idp_access_token) from the identity provider. Azure AD B2C uses that token to retrieve information about the user. See details here.
No matter whether idp_access_token claim is a valid JWT, it cannot be used to access Microsoft Graph or other additional scopes. As the document has stated, it is for retrieving information about the user. Usually the embedded IdP access token is used to call the services that the IdP hosts. But Microsoft Graph data is hosted in Azure AD, not Microsoft Account side.
Currently, if you want to call the Microsoft Graph API for a B2C tenant, you have to follow Azure AD authentication protocols. For example, the OAuth 2.0 authorization code flow.
If you want to call your own API protected by B2C, you should choose the Azure B2C authentication protocols. For example, the OAuth 2.0 authorization code flow in Azure Active Directory B2C.

Web API chains (On-Behalf-Of) in Azure AD B2C

According to this documentation, the on-behalf-of flow is not supported in B2C:
Web API chains (On-Behalf-Of) is not supported by Azure AD B2C.
Many architectures include a web API that needs to call another downstream web API, both secured by Azure AD B2C. This scenario is common in native clients that have a web API back end, which in turn calls a Microsoft online service such as the Azure AD Graph API.
This chained web API scenario can be supported by using the OAuth 2.0 JWT Bearer Credential grant, otherwise known as the On-Behalf-Of flow. However, the On-Behalf-Of flow is not currently implemented in Azure AD B2C.
Can't I just pull out the JWT from the first Web API request and pass it along to the next Web API? I know technically, I can, but is there a reason I wouldn't want to?
This approach would only work if both Web APIs are configured for the same B2C app. Maybe that is the difference. Is the documentation referring to 2 separate B2C apps maybe?
Reference: Access the JWT bearer token when using the JWT middleware in ASP.NET Core
The OAuth 2.0 On-Behalf-Of flow is related to a first resource, "https://resourceserver1", receiving an access token from a client; then exchanging this access token for another access token for access by the delegated identity to a second resource, "https://resourceserver2" without any user interaction; and then sending that access token to the second resource.
This Azure AD documentation explains the On-Behalf-Of flow.
Given this, two different applications are necessary for two different resources, which in turn can require two different scopes.
You can vote for this feature at B2C Support for on-behalf-of flow.
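The question above ("can't I just forward the JWT to the next Web API?") and the earlier answer about idp_access_token turn on the same point: an access token is bound to one audience, and a correctly written resource server rejects a token minted for someone else. The block below, an added example and not code from any of the posts, implements the validation a downstream API should perform, shows API2 rejecting API1's token unless both happen to share one app registration (the asker's observation), and builds the Azure AD v2.0 On-Behalf-Of request that the quoted documentation says B2C does not offer. Tokens are signed with HS256 and a constructed shared key purely to keep the demo self-contained; Azure AD and B2C issue RS256 tokens that must be verified against the tenant's published JWKS. Issuer, app ids and scope names are placeholders.

```python
"""Added example, not from the original posts: audience-bound access tokens, why
pass-through to a second API fails, and the shape of an OBO exchange request.
HS256 with a constructed key stands in for the RS256/JWKS verification a real
B2C-protected API performs. All identifiers are placeholders."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

TEST_KEY = b"constructed-demo-key-not-a-real-secret"
# Placeholder in the shape of a B2C v2.0 issuer; the GUID is not a real tenant.
ISSUER = "https://contoso.b2clogin.com/11111111-2222-3333-4444-555555555555/v2.0/"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(issuer, audience, subject, scope, ttl=3600, now=None):
    """Mint a token for one audience (the app id of the API it is meant for)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": subject, "scp": scope,
              "iat": now, "exp": now + ttl}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(TEST_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token, expected_issuer, expected_audience, now=None):
    """Resource-server side: signature, issuer, audience and expiry, in that order.
    Returns the claims or raises ValueError. This is the check that stops a token
    issued for another API (or another service entirely) from being accepted here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected_sig = hmac.new(TEST_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError(f"token audience {claims.get('aud')!r} is not this API")
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


def forward_token_scenario(same_app_registration: bool) -> dict:
    """API1 receives a user's token and passes it straight through to API2."""
    api1_aud = "api-one-app-id"
    api2_aud = api1_aud if same_app_registration else "api-two-app-id"
    token = issue_token(ISSUER, api1_aud, "user-object-id", "api1.read")
    validate_token(token, ISSUER, api1_aud)  # API1 accepts its own audience
    try:
        claims = validate_token(token, ISSUER, api2_aud)
        return {"api2_accepted": True, "scp": claims["scp"]}
    except ValueError as err:
        return {"api2_accepted": False, "reason": str(err)}


def on_behalf_of_request(tenant, client_id, client_secret, incoming_token, downstream_scope):
    """Azure AD v2.0 OBO exchange: API1 trades the token it received for one whose
    audience is API2, without user interaction. Per the quoted docs, not available in B2C."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_token,
        "scope": downstream_scope,
        "requested_token_use": "on_behalf_of",
    })
    return url, body
```

When both APIs sit behind one app registration the audience check passes, which is why forwarding appears to work; note that API2 is then accepting a token whose `scp` was granted for API1's operations and which the caller never consented to for API2, so the scope check must be per-API even if the audience is shared.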
