
I've been trying to find how Azure B2C handles the token refresh when there is a third party IDP involved.

So, let's say I have an Azure B2C tenant, and I have added an identity provider configuration for a customer. Let's say that all users with an @customer.com email are redirected to 'Customer's' IDP for authentication. Let's say I have a mobile application which uses Azure B2C to obtain access and refresh tokens for an API that we own.

When the user accesses the mobile app for the first time, the mobile app redirects the user to Azure B2C. If there is no external identity provider involved, the user will login with a username and password to the local Azure B2C directory, and Azure B2C will return an access token and a refresh token to the mobile app. The mobile app will use the access token to access the backend API. When the access token expires, the app will submit the refresh token to Azure B2C to obtain a new access token and new refresh token. This much I understand.

Now, when we add an external identity provider, the mobile app redirects the user to Azure B2C, and then the user is redirected to the external IDP where they authenticate. A token is submitted back to Azure B2C authenticating the user, and Azure B2C issues an access token and refresh token to the mobile app. When the access token expires, the mobile app will submit the refresh token back to Azure B2C to obtain a new access token.

Now, I have the following questions:

  1. Does Azure B2C connect back to the external IDP to verify the account status has not changed? If the account is disabled at the external customer's IDP, then Azure B2C should not issue a new access token.
  2. If the external IDP (and underlying directory) has an update, such as to email address, or name of the user, how is that information going to be reflected in the refreshed token issued to the mobile app?
  3. If Azure B2C does reach back out to the external IDP each time the B2C token is refreshed, what protocol does B2C use? Does it use OAuth and maintain its own refresh token to the external IDP? Or does it use OpenID Connect and reinitiate the initial login process every time with the external IDP? If the latter, and there is no valid cookie or valid session at the external IDP, the user will have to go through a login or SSO flow on their external IDP again.

Ideally, I would like to have the external IDP dictate the lifetime of access tokens and refresh tokens by copying these claims from the external token to the Azure B2C issued token. I would like Azure B2C to make a round trip back to the external IDP each time the B2C token is refreshed, in order to ensure the access is still valid, and so that if any of the user's information changed, it is reflected downstream in our apps. I also want the user of the mobile app to only have to log in the one time (using refresh tokens), until the user's external IDP dictates that the token is no longer valid. Is this possible?

Appleoddity
1 Answer

  1. No. You would have to do this via Graph API.

  2. In general, to get the claims updated you have to log out and log in again. However, it seems there's a fix for this on the way for B2C. See this. I doubt it handles external IDPs.

rbrayb
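Added example, not part of the question or the answer above: what the mobile app's refresh exchange with Azure B2C looks like in code, and how the app can read the `exp` and `idp` claims from the token it gets back. The tenant name, user flow, client id, API scope, tenant GUID and the sample token response are all assumptions constructed for this example. B2C signs real tokens with RS256; the unsigned sample here only works because the decoder skips signature verification, which is acceptable for a client deciding when to refresh but never for the API, which must verify signature, issuer and audience against the B2C JWKS. Nothing in this exchange contacts the external IDP: the refresh is between the app and B2C only, which is the point the answer makes.

```python
"""Refresh-token grant against an Azure AD B2C user flow, from a public
(mobile) client, plus claim inspection of the returned tokens.

Added example; tenant, policy, client id, scope and tokens are assumed."""
import base64
import json
import time
from typing import Optional
from urllib.parse import urlencode

TENANT = "contoso"                                   # assumed tenant name
TENANT_ID = "99999999-8888-7777-6666-555555555555"   # assumed tenant GUID (used in iss)
POLICY = "B2C_1_signin"                              # assumed user flow
CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # assumed public client app id
API_SCOPE = "https://contoso.onmicrosoft.com/api/read"  # assumed API scope


def b2c_token_endpoint(tenant: str, policy: str) -> str:
    # B2C token endpoints are per user flow; the policy name is part of the path.
    return f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token"


def build_refresh_request(refresh_token: str, tenant: str = TENANT, policy: str = POLICY,
                          client_id: str = CLIENT_ID, scope: str = API_SCOPE) -> dict:
    """refresh_token grant for a public client: no client_secret is sent.

    Requesting offline_access again is what makes B2C return a new refresh token."""
    body = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
        "scope": f"{scope} offline_access openid",
    }
    return {
        "method": "POST",
        "url": b2c_token_endpoint(tenant, policy),
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Read the JWT payload WITHOUT verifying the signature.

    Enough for the client to decide when to refresh; the backend API must still
    validate signature, iss and aud before trusting any claim."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def needs_refresh(access_token: str, now: Optional[float] = None, skew: int = 60) -> bool:
    # Refresh a little before exp so in-flight API calls do not land on a 401.
    now = time.time() if now is None else now
    return jwt_claims(access_token)["exp"] - skew <= now


def summarize_refresh_response(resp: dict) -> dict:
    """Pull out what the app stores from a successful B2C token response."""
    claims = jwt_claims(resp["access_token"])
    return {
        "access_token": resp["access_token"],
        "refresh_token": resp.get("refresh_token"),  # absent -> keep using the old one
        "expires_at": claims["exp"],
        # idp names the external IdP that originally signed the user in; the
        # refresh itself did not go back to it, this is just carried forward.
        "idp": claims.get("idp", "local"),
        "policy": claims.get("tfp"),
    }


def make_sample_jwt(payload: dict) -> str:
    """Build an UNSIGNED (alg=none) token so the example runs offline.

    Constructed for this example only; real B2C tokens are RS256-signed."""
    def enc(d: dict) -> str:
        raw = json.dumps(d, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


NOW = 1_700_000_000  # constructed "current" time for the sample
SAMPLE_RESPONSE = {  # constructed; shape follows a B2C token response
    "token_type": "Bearer",
    "expires_in": 3600,
    "access_token": make_sample_jwt({
        "iss": f"https://{TENANT}.b2clogin.com/{TENANT_ID}/v2.0/",
        "sub": "a1b2c3d4-0000-0000-0000-000000000001",
        "aud": CLIENT_ID,
        "nbf": NOW,
        "exp": NOW + 3600,
        "idp": "customer.com",
        "tfp": POLICY,
        "email": "alice@customer.com",
    }),
    "refresh_token": "constructed-refresh-token-value",
}

if __name__ == "__main__":
    req = build_refresh_request("constructed-refresh-token-value")
    print(req["url"])
    print(summarize_refresh_response(SAMPLE_RESPONSE))
```

In practice the app sends `req["body"]` to `req["url"]` with the given header, stores the new refresh token if one is returned, and keeps `needs_refresh()` as the trigger for the next exchange. Anything about the user that changed at the external IDP after the original sign-in is not visible in these refreshed claims unless B2C's own directory was updated.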