I am looking for a way to authenticate a user by username/password in a headless manner for Azure AD B2C. Azure AD B2C is great, but we feel the redirects for logins can lead to confusion among customers (and are sometimes even blocked by some browsers). Also, we want to be in full control of the customers' UX.
I have researched ADAL and the Graph API but have not found anything yet.
Gina
Azure AD B2C is a white-label authentication solution. You can customize the entire user experience with your brand so that it blends seamlessly with your web and mobile applications. Customize every page displayed by Azure AD B2C when your users sign up, sign in, and modify their profile information.
Azure AD B2C extends the standard OAuth 2.0 flows to do more than simple authentication and authorization. It introduces the user flow. With user flows, you can use OAuth 2.0 to add user experiences to your application, such as sign-up, sign-in, and profile management.
As mentioned here, you can use Azure AD Apps for the Client Credential Flow for Service Accounts. It is not optimal but it works.
Note: be sure to create the Azure AD Apps under your B2C Tenant.
Code snippet to get an access token in C#
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// OAuth 2.0 client credentials flow against the B2C tenant's v2.0 token endpoint.
static async Task<string> GetAccessTokenAsync()
{
    using (var httpClient = new HttpClient())
    {
        httpClient.BaseAddress = new Uri("https://login.microsoftonline.com");
        var content = new FormUrlEncodedContent(new[]
        {
            new KeyValuePair<string, string>("grant_type", "client_credentials"),
            // Application (client) ID of the service account app, e.g. 10d635e5-7615-472f-8200-a81d5c87c0ca
            new KeyValuePair<string, string>("client_id", "[service account app id]"),
            // Client secret defined on the service account app (keep it out of source control)
            new KeyValuePair<string, string>("client_secret", "[client secret defined in the service account]"),
            // App ID URI of the web API Azure AD app plus /.default,
            // e.g. https://my-b2c-tenant.onmicrosoft.com/my-azure-ad-ap/.default
            new KeyValuePair<string, string>("scope", "[App ID URI of the web api azure ad app]/.default")
        });
        var requestResult = await httpClient.PostAsync("/[your b2c tenant].onmicrosoft.com/oauth2/v2.0/token", content);
        requestResult.EnsureSuccessStatusCode();
        var contentResult = await requestResult.Content.ReadAsStringAsync();
        var json = JObject.Parse(contentResult);
        return (string)json["access_token"];
    }
}
(Screenshot: App ID URI of the web API Azure AD app)
You will probably want to define some custom claim(s) to secure the Web API. See 'Application Permissions' here.
Modify the application manifest on the Web API Azure AD App
{
  "appRoles": [
    {
      "allowedMemberTypes": [
        "Application"
      ],
      "displayName": "Some display name",
      "id": "[create a new guid]",
      "isEnabled": true,
      "description": "Allow the application to _____ as itself.",
      "value": "the-blah-role"
    }
  ]
}
Grant the Service Account Azure AD App permission to the custom application permission(s) defined
The permissions granted to the service account will come back in the roles claim:
{
"roles": [
"the-blah-role"
]
}
Please upvote the user voice feedback item to make this easier 😀
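The two halves of the answer above, as an added example that is not part of the original answer: the form body the service account posts to the tenant's v2.0 token endpoint, and the checks the web API should run on the token that comes back, ending with the roles claim carrying the app role. Tenant name, client ID and App ID URI are constructed placeholders, and the token is minted locally with an HMAC key so the example runs offline; a real B2C access token is RS256-signed and must be verified against the tenant's published signing keys, but the claim checks are the same.

```python
# Added example, not code from the answer above. Names are constructed
# placeholders; the HS256 test token stands in for the RS256 token B2C issues.
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

TENANT = "my-b2c-tenant.onmicrosoft.com"                 # constructed
CLIENT_ID = "10d635e5-7615-472f-8200-a81d5c87c0ca"        # constructed
WEB_API_APP_ID_URI = f"https://{TENANT}/my-azure-ad-ap"   # constructed


def build_token_request(tenant, client_id, client_secret, app_id_uri):
    """URL and form body of the OAuth 2.0 client credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # "/.default" asks for every app role already granted to the caller
        "scope": f"{app_id_uri}/.default",
    })
    return url, body


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_test_token(key: bytes, claims: dict) -> str:
    """Constructed HS256 JWT standing in for the token the endpoint returns."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def authorize(token: str, key: bytes, expected_aud: str, required_role: str, now=None):
    """Web API side: signature, audience and expiry first, then the app role.

    A client-credentials token carries no user, so the app roles in "roles"
    are the only permission signal. Returns (ok, reason).
    """
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    # aud identifies the web API app; compare against what your tenant issues
    if claims.get("aud") != expected_aud:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    # "roles" is absent entirely when no app role was granted to the caller
    if required_role not in claims.get("roles", []):
        return False, "missing role"
    return True, "ok"


if __name__ == "__main__":
    url, body = build_token_request(TENANT, CLIENT_ID, "[client secret]", WEB_API_APP_ID_URI)
    print(url)
    print(body)
    key = b"constructed-test-key"
    good = mint_test_token(key, {"aud": "api-app-id", "exp": 2000, "roles": ["the-blah-role"]})
    print(authorize(good, key, "api-app-id", "the-blah-role", now=1000))
    print(authorize(good, key, "api-app-id", "another-role", now=1000))
```

The order of the checks matters: the role is only meaningful once the signature, audience and expiry have passed, otherwise an attacker who can forge or replay a token can also forge the claim the API is keying on.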
It is not currently possible to run Azure B2C without an interactive user present. While I am sure it will arrive at some point, at present, you can't create back-end applications based on B2C.
According to the Azure Active Directory B2C preview: Limitations & Restrictions
Daemons / Server Side Applications
Applications that contain long running processes or that operate without the presence of a user also need a way to access secured resources, such as Web APIs. These applications can authenticate and get tokens using the application's identity (rather than a consumer's delegated identity) using the OAuth 2.0 client credentials flow. This flow is not yet available in Azure AD B2C preview - which is to say that applications can only get tokens after an interactive consumer sign-in flow has occurred.