Tuesday, June 14, 2016

Azure B2C : Integrating with Azure "Easy Auth"

I've done a series of posts around integrating applications with Azure AD B2C.

The theme to all of them is that B2C extends OAuth by adding the profiles to the request.

There's an example of this in the sample.

Another solution is to bridge "normal" OAuth and this extension with something like IdentityServer as described here.

And then I came across this article - App Service Auth and Azure AD B2C.

If your application is a web application in Azure (i.e. an app service), you can now integrate with B2C as per the article by using "easy auth".

What this means is that you can add the extended support via a few mouse clicks.

The end result is that your application can now connect directly to B2C without a bridge.

Powerful stuff!

There are a few gotchas as mentioned in the article.

You do not need an Azure subscription to create a B2C directory. However, you do need one to create an app. service that is required to get this to work.

So create another subscription and then map this to the B2C directory.

You can do this in the old Azure portal:

Another gotcha is that when you login to the new Azure portal, you may be in the wrong directory and get all sorts of access denied / rights issues.

You can make sure that you are in the B2C directory by clicking on your login name (top right) and then selecting the B2C directory in the "Directory" section in the drop down.

The third gotcha is to note this sentence "Note that in step 2, you’ll need to use the https address of the web app". If you just use the http address, you get a "URL must be in same domain" error.

Once authenticated, a quick way to see what claims you have is to to look in the trace.

Looking at the token in jwt.io, I see:

Now if you go to the web application and add "/.auth/me" to the URL i.e. something like:


you get the JSON token:



If you take all the social logins that are possible, you start off in IdentityServer with:

Facebook, Google and Twitter

Working up the chain, Easy auth adds:

MSA, Facebook, Google, and Twitter

B2C adds:

MSA, Facebook, Google, LinkedIn, and Amazon

which could all end up in complete confusion :-)


No comments: