Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

AppAuth with Azure AD B2C

Tags:

azure-active-directory

appauth

I have configured a B2C service in Azure AD and included Google as an authentication provider only to find that Google disallows authentication requests through an embedded web view. Then I found AppAuth but I'm having much difficulty getting the sample iOS app working.

The issue I'm having is related to the redirect uri. Using the AAD provided redirect uri for native apps results in an error in Safari Mobile. I attempted to add a custom redirect uri that will redirect to my iOS app but can't because it fails validation in the azure ad configuration since it is not in the https url scheme.

Is it possible to use AppAuth with Azure AD B2C? Is there some way to configure this properly or does it require changes on MS side?

EDIT

I have Azure AD B2C setup and working including the Google account login. This works as expected in a web browser, however when I try to log in to Google from iOS using an embedded webview I get disallowed_useragent. Researching this I came across the AppAuth library that I believe is the secure solution of choice except for the fact that it doesn't work with B2C due to redirect issues, or at least I haven't found a way to make this work.

I expect that I need to be able to supply a redirect URL in B2C that is unique to my app on iOS so that the SFSafariViewController can redirect back to my app. Using the web configuration in B2C seems to be the right approach but it requires using the https instead of a custom scheme.

Is there a way to configure B2C for a custom redirect URI?

like image 878
Doug Mitchell Avatar asked Jan 01 '17 18:01

Doug Mitchell

1 Answers

I am the lead maintainer of AppAuth.

As Microsoft currently restricts the redirect URI scheme to https, you have two options on iOS:

  1. Configure a Universal Link for your app, so that it is registered with the OS to handle requests to a particular https domain. This is the most secure option, as it prevents any other apps on the device from attempting to register the same link. However, this option is only available on iOS 9+.

  2. Create an intermediary page that captures the authorization response parameters, and then forwards these on to your custom scheme URI. I maintain an Android demo of doing this, which includes Microsoft integration, here. The intermediary page does, unfortunately, require an additional click from the user.

like image 179
iainmcgin Avatar answered Oct 25 '22 23:10

iainmcgin
Sign in to Comment

Related questions

MSAL authentication and authorization from React to Web API
MSI Permissions for Graph API
Change Azure Active Directory "Reply URL" via Powershell command
Azure: Unable to start the sandbox on Azure Training
Invalid signature while validating Azure ad access token, but id token works
How to use passport.js and OpenID Connect strategy with Azure AD
Verify AD or LDAP crendentials via REST API
Get Azure Active Directory Token with username and password
Authorization has been denied for this request - Azure Active Directory - What logs are available?
How To Use Service principal To Assign A Role To Another Service Principal

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!