20

I am looking for a way to authenticate a user by username/password in a headless manner for Azure AD b2c. Azure AD b2c is great but we feel the redirects for logins can lead to confusion among customers (and sometimes even prevented by some browsers). Also we want to be in full control of the customers UX experience.

I have researched ADAL and the Graph API but have not found anything yet.

Gina

Gina Marano

6 Answers

10

As mentioned here, you can use Azure AD Apps for the Client Credential Flow for Service Accounts. It is not optimal but it works.

  1. Define an Azure AD App for the Web API
  2. Define an Azure AD App per Service Account
  3. Configure the Web API to accept tokens from your B2C Tenant and Azure AD
  4. Request an access token against the Service Account AD App for the Web API

Note: be sure to create the Azure AD Apps under your B2C Tenant.


Code Snippet to get an Access Token from C#

using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Client credentials flow: the service account app authenticates as itself, no user present
static async Task<string> GetAccessTokenAsync()
{
    using (var httpClient = new HttpClient())
    {
        httpClient.BaseAddress = new Uri("https://login.microsoftonline.com");

        var content = new FormUrlEncodedContent(new[]
        {
              new KeyValuePair<string, string>("grant_type", "client_credentials")
            , new KeyValuePair<string, string>("client_id", "[service account app id e.g. 10d635e5-7615-472f-8200-a81d5c87c0ca]")
            , new KeyValuePair<string, string>("client_secret", "[client secret defined in the service account e.g. 5L2ZJOBK8GI1wRSgGFooHcBkAOUOj65lQd9DgJxQOrw=]")
            , new KeyValuePair<string, string>("scope", "[App ID URI of the web api azure ad app]/.default e.g. https://my-b2c-tenant.onmicrosoft.com/my-azure-ad-ap/.default")
        });

        // v2.0 token endpoint of the Azure AD that backs your B2C tenant
        var requestResult = await httpClient.PostAsync("/[your b2c tenant].onmicrosoft.com/oauth2/v2.0/token", content);
        var contentResult = await requestResult.Content.ReadAsStringAsync();

        // The response is JSON; the bearer token is in "access_token"
        var json = JObject.Parse(contentResult);
        var accessToken = (string)json["access_token"];
        return accessToken;
    }
}

[Screenshot: App ID URI of the Web API Azure AD App]


You will probably want to define some custom claim(s) to secure the Web API. See 'Application Permissions' here.

  1. Modify the application manifest on the Web API Azure AD App

    {
        "appRoles": [{
                "allowedMemberTypes": [
                    "Application"
                ],
                "displayName": "Some display name",
                "id": "[create a new guid]",
                "isEnabled": true,
                "description": "Allow the application to _____ as itself.",
                "value": "the-blah-role"
            }
        ]
    }

  2. Grant the Service Account Azure AD App permission to the custom application permission(s) defined

The permissions granted to the service account will come back in the roles claim:

{
  "roles": [
    "the-blah-role"
  ]
}

Please upvote the user voice feedback item to make this easier

spottedmahn
  • Is the [App ID URL] an endpoint uri or a scope uri e.g. https://test.foo.dom or https://www.foo.com/some-scope? – Paul Hatcher Jul 09 '18 at 16:34
  • @spottedmahn - Thanks, mine's working now - just having a go to see if I can do this with the ADAL library as well – Paul Hatcher Jul 10 '18 at 09:30
  • @spottenmahn How did you validate the token at the WebApi layer - it's issued with a different authority than the interactive logins and so doesn't validate? – Paul Hatcher Jul 23 '18 at 08:23
  • @PaulHatcher not sure which WebAPI stack spottedmahn is using but looks like ASP.Net Core does not support multiple authentication providers out of the box https://github.com/aspnet/Security/issues/1847#issuecomment-416644452 – GGirard Oct 04 '18 at 23:07
  • ASP.NET Core Docs: [Use multiple authentication schemes](https://learn.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-2.2&tabs=aspnetcore2x#use-multiple-authentication-schemes) @PaulHatcher – spottedmahn Feb 20 '19 at 19:35
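An added example (not from spottedmahn's answer) of step 3 and of the validation question raised in the comments: an ASP.NET Core 2.x Web API that registers two JwtBearer schemes, one for interactive B2C sign-in tokens and one for the client-credential tokens obtained above, plus an authorization policy that requires the app role defined in the manifest. The scheme names, the B2C policy name B2C_1_signin and every authority/audience value are assumed placeholders; the accepted audience of the service-account token is the App ID URI or the Web API's app id depending on the token version the app is configured to issue, so both are listed.

```csharp
// Startup.cs, package Microsoft.AspNetCore.Authentication.JwtBearer (assumed placeholders throughout)
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication("B2C")
            // Scheme 1: tokens from the interactive consumer sign-in policy of the B2C tenant
            .AddJwtBearer("B2C", options =>
            {
                options.Authority = "https://login.microsoftonline.com/tfp/[your b2c tenant].onmicrosoft.com/B2C_1_signin/v2.0/";
                options.Audience = "[application id of the Web API as registered in B2C]";
            })
            // Scheme 2: client-credential tokens from the Azure AD endpoint used in the snippet above
            .AddJwtBearer("ServiceAccount", options =>
            {
                options.Authority = "https://login.microsoftonline.com/[your b2c tenant].onmicrosoft.com/v2.0/";
                options.TokenValidationParameters.ValidAudiences = new[]
                {
                    "https://my-b2c-tenant.onmicrosoft.com/my-azure-ad-ap", // App ID URI (v1 token)
                    "[application id of the Web API Azure AD App]"          // app id (v2 token)
                };
            });

        services.AddAuthorization(options =>
        {
            // Endpoints only the service account may call: right scheme AND the custom app role
            options.AddPolicy("ServiceAccountOnly", policy =>
            {
                policy.AddAuthenticationSchemes("ServiceAccount");
                policy.RequireAuthenticatedUser();
                // The JWT handler may rename "roles" to ClaimTypes.Role, so accept either claim name
                policy.RequireAssertion(ctx => ctx.User.HasClaim(c =>
                    (c.Type == "roles" || c.Type == ClaimTypes.Role) && c.Value == "the-blah-role"));
            });
            // Endpoints that either an interactive user or a service account may call
            options.AddPolicy("UserOrServiceAccount", policy =>
            {
                policy.AddAuthenticationSchemes("B2C", "ServiceAccount");
                policy.RequireAuthenticatedUser();
            });
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvc(); // actions opt in with [Authorize(Policy = "ServiceAccountOnly")]
    }
}
```

Each policy names the scheme(s) it trusts, so a B2C user token presented to a service-account-only endpoint fails validation rather than being accepted by whichever handler parses it.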
7

It is not currently possible to run Azure B2C without an interactive user present. While I am sure it will arrive at some point, at present, you can't create back-end applications based on B2C.

According to the Azure Active Directory B2C preview: Limitations & Restrictions

Daemons / Server Side Applications

Applications that contain long running processes or that operate without the presence of a user also need a way to access secured resources, such as Web APIs. These applications can authenticate and get tokens using the application's identity (rather than a consumer's delegated identity) using the OAuth 2.0 client credentials flow. This flow is not yet available in Azure AD B2C preview - which is to say that applications can only get tokens after an interactive consumer sign-in flow has occurred.

Michael B
  • I keep hoping that the document is out of date and they would release this feature. – Gina Marano Jan 28 '16 at 21:47
  • It would be nice if they'd get a move on and finish it! – Michael B Jan 28 '16 at 21:51
  • I'm assuming that @ginalster's use case is slightly different (like mine), in that he has the user available to authenticate (provide username and password) but he doesn't want to execute this via the redirect URL, i.e. he wants to build the whole user experience in his application – Mike Jun 13 '16 at 15:07
  • I would assume the client credential flow (indicated in the Limitations & Restrictions) is likely to be using Client ID and Client Secret rather than the username and password. – Mike Jun 13 '16 at 15:09
  • @Mike In fact, ClientCredentials is for Backend authorization AFAIK. UserCredentials is for FrontEnd/Mobile authorization. – Konstantin Jul 07 '16 at 19:20
  • take a look at Microsoft Graph bindings for Azure Functions https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-microsoft-graph – Tiago Andrade e Silva Jan 24 '18 at 07:47
  • Is user sign up possible in a non-interactive way through AADB2C? – Technoshaft May 24 '18 at 14:52
0

If what you want is headless authentication, why don't you simply use Azure AD alone? It has an API. And if you intend to create and manage all the UI yourself, why would you want or need AD B2C?

David Allen
  • As far as I know, Azure AD only supports domain specific email addresses (johndoe@mydomain.com), not the customer's specific email address (janedoe@hotmail, janedoe@somedomain.net...). I would hope that Azure AD B2C would soon allow true API authentication/control. Other CIAM services, like LoginRadius, already allow this. – Gina Marano Feb 03 '16 at 18:15
0

Azure AD B2C cannot offer headless authentication, but by combining custom journeys, vanity domains and custom styling it's possible for users to never leave your site.

whatisthejava
0

What you are looking for is OWIN's resource owner password credentials in Azure AD B2C. You can refer to https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/13817784-add-support-for-resource-owner-password-credential and upvote for this feature to be implemented.

Karthikeyan VK
  • After reading this: [Why the Resource Owner Password Credentials Grant Type is not Authentication nor Suitable for Modern Applications](https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications) it would seem, Client Credential Flow is the more appropriate flow. – spottedmahn Feb 28 '18 at 19:21
  • They now have this. [Instructions are here](https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc) – spottedmahn May 17 '18 at 19:40
0

Still in preview (as of Jan 2018) but might be what you're looking for if you're using Azure Functions. Take a look at Microsoft Graph bindings for Azure Functions