AppAuth with Azure AD B2C

I have configured a B2C service in Azure AD and included Google as an authentication provider only to find that Google disallows authentication requests through an embedded web view. Then I found AppAuth but I'm having much difficulty getting the sample iOS app working.

The issue I'm having is related to the redirect uri. Using the AAD provided redirect uri for native apps results in an error in Safari Mobile. I attempted to add a custom redirect uri that will redirect to my iOS app but can't because it fails validation in the azure ad configuration since it is not in the https url scheme.

Is it possible to use AppAuth with Azure AD B2C? Is there some way to configure this properly or does it require changes on MS side?

EDIT

I have Azure AD B2C setup and working including the Google account login. This works as expected in a web browser, however when I try to log in to Google from iOS using an embedded webview I get disallowed_useragent. Researching this I came across the AppAuth library that I believe is the secure solution of choice except for the fact that it doesn't work with B2C due to redirect issues, or at least I haven't found a way to make this work.

I expect that I need to be able to supply a redirect URL in B2C that is unique to my app on iOS so that the SFSafariViewController can redirect back to my app. Using the web configuration in B2C seems to be the right approach but it requires using the https instead of a custom scheme.

Is there a way to configure B2C for a custom redirect URI?

Doug Mitchell asked Jan 01 '17 18:01

1 Answer

I am the lead maintainer of AppAuth.

As Microsoft currently restricts the redirect URI scheme to https, you have two options on iOS:

  1. Configure a Universal Link for your app, so that it is registered with the OS to handle requests to a particular https domain. This is the most secure option, as it prevents any other apps on the device from attempting to register the same link. However, this option is only available on iOS 9+.

  2. Create an intermediary page that captures the authorization response parameters, and then forwards these on to your custom scheme URI. I maintain an Android demo of doing this, which includes Microsoft integration, here. The intermediary page does, unfortunately, require an additional click from the user.

iainmcgin answered Oct 25 '22 23:10
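The intermediary page from option 2, as an added example that is not the answerer's demo code: browser JavaScript served at the https reply URL registered in B2C, which copies only the expected authorization-response parameters onto the app's custom scheme. The scheme `com.example.myapp` and the path are assumptions.

```javascript
// Added example: the "intermediary page" behind an https redirect URI.
// It reads the OAuth 2.0 / OpenID Connect authorization response from the
// query string and forwards it to the native app's custom-scheme URI.
// The scheme and path are assumptions, not values from the question.
const APP_REDIRECT = "com.example.myapp:/oauth2redirect";

// Only these response parameters are passed through; anything else that
// lands on the URL is dropped rather than blindly forwarded to the app.
const ALLOWED = ["code", "state", "error", "error_description"];

// Build the custom-scheme URL from the query string of the https redirect.
// Returns null when the response is unusable (no state, or neither a code
// nor an error), so the page shows a message instead of launching the app.
function buildForwardUrl(search, target = APP_REDIRECT) {
  const incoming = new URLSearchParams(search);
  const outgoing = new URLSearchParams();
  for (const name of ALLOWED) {
    const value = incoming.get(name);
    if (value !== null) outgoing.set(name, value);
  }
  // The app matches "state" against the request it started; a response
  // without it cannot be tied to that request and is not handed over.
  if (!outgoing.has("state")) return null;
  if (!outgoing.has("code") && !outgoing.has("error")) return null;
  return `${target}?${outgoing.toString()}`;
}

// Page entry point. The link is the "additional click" the answer mentions:
// the user taps it and Safari hands the custom-scheme URL to the app.
function forwardToApp(doc, loc) {
  const url = buildForwardUrl(loc.search);
  if (url === null) {
    doc.body.textContent = "Sign-in response was incomplete; please try again.";
    return false;
  }
  const link = doc.createElement("a");
  link.href = url;
  link.textContent = "Return to the app";
  doc.body.appendChild(link);
  return true;
}

// Only run the page hookup inside a browser.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  forwardToApp(document, window.location);
}
```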