Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
431 views
in Technique[技术] by (71.8m points)

headless authentication Azure AD b2c

I am looking for a way to authenticate a user by username/password in a headless manner for Azure AD b2c. Azure AD b2c is great but we feel the redirects for logins can lead to confusion among customers (and sometimes even prevented by some browsers). Also we want to be in full control of the customers UX experience.

I have researched ADAL and the Graph API but have not found anything yet.

Gina

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

As mentioned here, you can use Azure AD Apps for the Client Credential Flow for Service Accounts. It is not optimal but it works.

  1. Define an Azure AD App for the Web API
  2. Define an Azure AD App per Service Account
  3. Configure the Web API to accept tokens from your B2C Tenant and Azure AD
  4. Request an access token against the Service Account AD App for the Web API

Note: be sure to create the Azure AD Apps under your B2C Tenant.


Code Snippet to get an Access Token from C#

using (var httpClient = new HttpClient())
{
    httpClient.BaseAddress = new Uri("https://login.microsoftonline.com");

    var content = new FormUrlEncodedContent(new[]
    {
          new KeyValuePair<string, string>("grant_type", "client_credentials")
        , new KeyValuePair<string, string>("client_id", "[service account app id e.g. 10d635e5-7615-472f-8200-a81d5c87c0ca")
        , new KeyValuePair<string, string>("client_secret", "[client secret defined in the service account e.g. 5L2ZJOBK8GI1wRSgGFooHcBkAOUOj65lQd9DgJxQOrw=]")
        , new KeyValuePair<string, string>("scope", "[App ID URI of the web api azure ad app]/.default e.g. https://my-b2c-tenant.onmicrosoft.com/my-azure-ad-ap/.default")
    });

    var requestResult = await httpClient.PostAsync("/[your b2c tenant].onmicrosoft.com/oauth2/v2.0/token", content);
    var contentResult = await requestResult.Content.ReadAsStringAsync();

    var json = JObject.Parse(contentResult);
    var accessToken = (string)json["access_token"];
}

App ID URI

app id uri screenshot


You will probably want to define some custom claim(s) to secure the Web API. See 'Application Permissions' here.

  1. Modify the application manifest on the Web API Azure AD App

    {
        "appRoles": [{
                "allowedMemberTypes": [
                    "Application"
                ],
                "displayName": "Some display nane",
                "id": "[create a new guid]",
                "isEnabled": true,
                "description": "Allow the application to _____ as itself.",
                "value": "the-blah-role"
            }
        ]
    }
    
  2. Grant the Service Account Azure AD App permission to the custom application permission(s) defined

The permissions granted to the service account will come back in the roles claim:

{
  "roles": [
    "the-blah-role"
  ]
}

Please upvote the user voice feedback item to make this easier ??


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...