I am trying to find out why a .NET Core 2.0 Web App with OpenID Connect authentication using ADAL that connects to Azure AD B2C doesn't communicate with my Azure AD B2C tenant configuration, and most importantly the sign in policies. My app is very similar to this one, except that I use Azure AD Graph.
My "authority" for AuthenticationContext is https://login.microsoftonline.com/organizationname.onmicrosoft.com
Due to this, user is forced to login with Microsoft account or a mail with tenant domain, where I'd like the user to login with his personal tenant account. Shouldn't the policies be applied automatically? I feel like I might be missing something important here.
The app sits in registered apps in Azure and has all the permissions needed.
I basically need to connect the policies from that tenant to my app's authentication system so it will accept local tenant accounts and not just those from Microsoft.
Or to put it in even simpler words: How do I add the part in the red circle to the URL?
The sample you referenced is for regular Azure AD.
Check out this sample for Azure AD B2C with .Net Core 2.0, in particular OpenIdConnectOptionsSetup.cs and AzureAdB2COptions.cs.
Key things to keep in mind:
The authority has the following format: https://login.microsoftonline.com/tfp/<yourtenant.onmicrosoft.com>/<default_policy>/v2.0, though the sample I referenced builds this automatically for you. By using this authority, the OWIN middleware and MSAL will both automatically pick up the ?policy=b2c_1_x parameter from the metadata endpoint.
```csharp
public class AzureAdB2COptions
{
    public AzureAdB2COptions()
    {
        AzureAdB2CInstance = "https://login.microsoftonline.com/tfp";
    }
    //...other init code
    public string AzureAdB2CInstance { get; set; }
    public string Tenant { get; set; }        // e.g. yourtenant.onmicrosoft.com
    public string DefaultPolicy { get; set; } // e.g. b2c_1_signup_signin
    public string Authority => $"{AzureAdB2CInstance}/{Tenant}/{DefaultPolicy}/v2.0";
}
```
You should use MSAL for your token redemption, not ADAL.
```csharp
public async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
{
    var code = context.ProtocolMessage.Code;
    // Key the per-user token cache on the stable subject identifier from the id_token.
    string signedInUserID = context.Principal.FindFirst(ClaimTypes.NameIdentifier).Value;
    TokenCache userTokenCache = new MSALSessionCache(signedInUserID, context.HttpContext).GetMsalCacheInstance();
    // Confidential client built on the /tfp/<tenant>/<policy>/v2.0 authority, so the
    // code is redeemed against the same policy that issued it.
    ConfidentialClientApplication cca = new ConfidentialClientApplication(
        AzureAdB2COptions.ClientId,
        AzureAdB2COptions.Authority,
        AzureAdB2COptions.RedirectUri,
        new ClientCredential(AzureAdB2COptions.ClientSecret),
        userTokenCache,
        null);
    try
    {
        AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, AzureAdB2COptions.ApiScopes.Split(' '));
        // Tell the middleware the code has been redeemed so it does not try again itself.
        context.HandleCodeRedemption(result.AccessToken, result.IdToken);
    }
    catch (Exception ex)
    {
        // Report the failure to the middleware rather than silently swallowing it.
        context.Fail(ex);
    }
}
```
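To show where the B2C authority from the options class actually reaches the OpenID Connect middleware (the piece the question is missing), here is an added example of a `Startup.ConfigureServices` for ASP.NET Core 2.0. It is not code from the linked sample or from the answer above. It assumes an `AzureAdB2COptions` class with `Tenant`, `DefaultPolicy`, `ClientId` and `ClientSecret` bound from an `AzureAdB2C` configuration section, and a hypothetical `B2CEvents` class whose `OnAuthorizationCodeReceived` redeems the code with MSAL as shown in the answer.

```csharp
// Added example, not from the linked sample or the answer: wiring the B2C
// authority into the ASP.NET Core 2.0 OpenID Connect middleware.
// Assumes AzureAdB2COptions (Tenant, DefaultPolicy, ClientId, ClientSecret,
// Authority) and a hypothetical B2CEvents class holding the MSAL code-redemption handler.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Bind Tenant, DefaultPolicy, ClientId and ClientSecret from the "AzureAdB2C" section.
        var b2c = new AzureAdB2COptions();
        Configuration.GetSection("AzureAdB2C").Bind(b2c);

        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            // The /tfp/<tenant>/<policy>/v2.0 authority selects the B2C policy. The
            // middleware fetches .well-known/openid-configuration beneath it, and the
            // authorize/token endpoints it discovers already carry the policy parameter,
            // so nothing has to be appended to the URL by hand.
            options.Authority = b2c.Authority;
            options.ClientId = b2c.ClientId;
            options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
            options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;

            // Hardening: metadata only over HTTPS, and keep issuer validation on so an
            // id_token from another tenant or policy is rejected.
            options.RequireHttpsMetadata = true;
            options.TokenValidationParameters.ValidateIssuer = true;
            options.TokenValidationParameters.NameClaimType = "name";

            var events = new B2CEvents(b2c); // hypothetical: wraps the MSAL redemption handler
            options.Events = new OpenIdConnectEvents
            {
                OnAuthorizationCodeReceived = ctx => events.OnAuthorizationCodeReceived(ctx),
                // B2C reports things like a cancelled policy as a remote failure; send the
                // user to an error page instead of surfacing an unhandled exception.
                OnRemoteFailure = ctx =>
                {
                    ctx.Response.Redirect("/Home/Error");
                    ctx.HandleResponse();
                    return Task.CompletedTask;
                }
            };
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Authentication must run before MVC so [Authorize] can trigger the B2C challenge.
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute();
    }
}
```

With this in place, an `[Authorize]` action challenges the OpenID Connect scheme, the middleware redirects to the B2C authorize endpoint for `DefaultPolicy`, and the returned code is redeemed against the same policy by the MSAL handler.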