
Azure B2C - Issuer (Azure AD) access token in Blazor


I have a multitenant app that uses B2C as the identity management system which we have configured Azure AD Multitenant as per doc (https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant-custom?tabs=applications) using custom policies.

We have a few requirements when a user uses Azure AD to login:

  1. Retrieve the user's profile picture from Azure AD (via graph api) to show within the app
  2. Retrieve the Azure AD tenant Name, to show in the app, as per Azure AD best practices.
  3. Read the directory users so that a user can add other users to the app.

I'm trying to just get number 1 working as this will point me in the right direction for the rest.

First, I tried getting the issueridpaccesstoken passed through as per (https://learn.microsoft.com/en-us/azure/active-directory-b2c/idp-pass-through-custom), but this bloats the initial login of the user so much that I get the dreaded 400 headers too long error. I spent a few days trying to troubleshoot that, which every time seems to point to a resolution of "Clear your cookies"... but in this case that actually doesn't work. The cookies aren't actually that many, and nowhere does it seem that the header overflow can be fixed. Also, I would prefer to not receive the access token and call the Graph API directly from my front end, but rather from my .NET Core Web API back end and proxy the picture or any other Graph API operations I want to do. To achieve that, I looked at application-based auth with the back-end API, but it seems that it is also quite a long haul to get this working with multiple admin consents, etc. later on in the app, which I would rather do on initial login of the user from the front end.

I have looked at multiple solutions, looked at creating an identity daemon, and scoured the internet for options... however, it seems that something that should be simple is overly complex.

Which gets me to my questions:

  1. Is it possible to not pass through the issuer access token in B2C, but request an access token later, when needed? How would I do this from my back end API?
  2. If the above isn't possible, has anyone been able to pass through the issuer access token and not get the headers too long error? Are there any samples out there that explain how to do this, both in the custom policies of B2C and in handling that access token in code when it gets received? I've tried to remove some claims being returned from Azure AD, and B2C itself, but it seems I'm not able to lean down the claims enough in order to not cause the overflow.
  3. How do you securely manage that token in your front end if the only option is to pass it through?

Thanks very much in advance!


Solution

  • Don't store tokens in the front end. Call MS Graph from your API using the client credentials flow. Take a look at Get access without a user for more information.

    You can do all 3 requirements calling the following endpoints with the minimum required permissions:

    1. Get photo using User.Read.All application permission.
    2. Get organization using Organization.Read.All application permission.
    3. List users using User.Read.All application permission.
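As an added illustration of the approach in this answer (not code from the question, the answer, or Microsoft), a back-end service for a .NET Core Web API that acquires an app-only Graph token with MSAL.NET's client credentials flow and proxies the three calls, so no Azure AD token is ever handed to the Blazor front end. It assumes the user's home tenant id and Azure AD object id arrive as claims on the B2C token the front end presents to the API, and that the multi-tenant app registration has been admin-consented for the application permissions listed above.

```csharp
using System.Collections.Concurrent;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client; // MSAL.NET (NuGet: Microsoft.Identity.Client)

// Back-end proxy for the three Graph calls named in the answer. Tokens are
// acquired here with the client credentials flow and never leave the API.
public sealed class GraphProxyService
{
    private const string GraphScope = "https://graph.microsoft.com/.default";
    private readonly HttpClient _http;
    private readonly string _clientId, _clientSecret;
    // One MSAL client per home tenant so app-only tokens are cached and reused
    // instead of being requested on every call.
    private readonly ConcurrentDictionary<string, IConfidentialClientApplication> _apps = new();

    public GraphProxyService(HttpClient http, string clientId, string clientSecret)
    {
        _http = http; _clientId = clientId; _clientSecret = clientSecret;
    }

    // tenantId is assumed to be the user's home Azure AD tenant, taken from a
    // claim on the B2C token presented to this API. The authority must be that
    // tenant (not B2C), because the Graph application permissions are granted there.
    private async Task<string> GetAppTokenAsync(string tenantId)
    {
        var app = _apps.GetOrAdd(tenantId, id => ConfidentialClientApplicationBuilder.Create(_clientId)
            .WithClientSecret(_clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, id)
            .Build());
        var result = await app.AcquireTokenForClient(new[] { GraphScope }).ExecuteAsync();
        return result.AccessToken;
    }

    private async Task<HttpContent> GetAsync(string tenantId, string url)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await GetAppTokenAsync(tenantId));
        var response = await _http.SendAsync(request);
        response.EnsureSuccessStatusCode(); // a 403 here usually means the permission was not consented in that tenant
        return response.Content;
    }

    // 1. Profile picture bytes (User.Read.All); userObjectId is the user's Azure AD oid claim (assumed).
    public async Task<byte[]> GetUserPhotoAsync(string tenantId, string userObjectId) =>
        await (await GetAsync(tenantId, $"https://graph.microsoft.com/v1.0/users/{userObjectId}/photo/$value")).ReadAsByteArrayAsync();
    // 2. Tenant details such as displayName (Organization.Read.All).
    public async Task<string> GetOrganizationJsonAsync(string tenantId) =>
        await (await GetAsync(tenantId, "https://graph.microsoft.com/v1.0/organization")).ReadAsStringAsync();
    // 3. Directory users, trimmed to the fields the app needs (User.Read.All).
    public async Task<string> ListUsersJsonAsync(string tenantId) =>
        await (await GetAsync(tenantId, "https://graph.microsoft.com/v1.0/users?$select=id,displayName,mail")).ReadAsStringAsync();
}
```

The API's own controller endpoints then return the photo bytes or the trimmed JSON to the Blazor client, which only ever holds its B2C session and never a Graph token.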