I wanted to use a custom login form in a .NET Core web application, in which the users provide their username and password to log in (acquire an access token) to a Microsoft Entra External Identities tenant. I have already seen the ROPC flow as presented for B2C, but its limitations are a stopper for me. Can someone please offer any suggestions on whether this is possible and how?
I agree with you: the ROPC flow isn't recommended for security reasons. Hence, as a workaround, you have to make use of other user-interaction flows such as the authorization code flow.
I created an Azure AD Application and granted API permissions:
To authenticate the users, I used the endpoint below:
https://b2caadtenant.b2clogin.com/b2caadtenant.onmicrosoft.com/B2C_1_testb2c/oauth2/v2.0/authorize?client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://b2caadtenant.onmicrosoft.com/xxx/test.read.all
&state=12345
Depending on the requirement, you can either sign in or sign up:
The user is redirected to the redirect page and an auth code is generated:
I generated an access token using the parameters below via Postman:
https://b2caadtenant.b2clogin.com/b2caadtenant.onmicrosoft.com/B2C_1_testb2c/oauth2/v2.0/token
client_id:ClientID
scope:https://b2caadtenant.onmicrosoft.com/1xxx/test.read.all openid offline_access
grant_type:authorization_code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
code:code
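As an added example (not code from the question or the answer), the three legs of the flow the answer walks through: building the authorize URL from the answer's parameters, reading the code back from the redirect, and assembling the token request. It adds a random, checked state value and a PKCE code_challenge on top of the answer's parameters; the redirect URL is a constructed sample and no network call is made.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values from the answer; ClientID is the answer's placeholder, not a real id.
TENANT, POLICY, CLIENT_ID = "b2caadtenant", "B2C_1_testb2c", "ClientID"
BASE = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{POLICY}/oauth2/v2.0"
REDIRECT_URI = "https://jwt.ms"
SCOPE = "https://b2caadtenant.onmicrosoft.com/xxx/test.read.all openid offline_access"


def build_authorize_request() -> tuple[str, str, str]:
    """Leg 1: return (authorize_url, state, code_verifier). Keep state and the
    verifier server-side (session) until the browser comes back."""
    state = secrets.token_urlsafe(16)      # random per request, not a fixed 12345
    verifier = secrets.token_urlsafe(48)   # PKCE: added on top of the answer's params
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": SCOPE,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{BASE}/authorize?{urlencode(params)}", state, verifier


def code_from_redirect(redirect_url: str, expected_state: str) -> str:
    """Leg 2: pull the code out of the redirect, rejecting a state mismatch
    (a redirect this session did not start) or an error response."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect not started by this session")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def build_token_request(code: str, verifier: str, client_secret: str) -> dict:
    """Leg 3: form body for POST {BASE}/token, the answer's Postman fields plus
    the PKCE verifier. Send it server-side; the client_secret never reaches the browser."""
    return {"client_id": CLIENT_ID, "scope": SCOPE, "grant_type": "authorization_code",
            "redirect_uri": REDIRECT_URI, "client_secret": client_secret,
            "code": code, "code_verifier": verifier}
```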
That authorization code flow is achieved through a custom policy, right? I just wanted to use my own custom login form for the user to enter their username and password. Is that possible, or will using this flow present Microsoft's login form to the user?
Yes, by default this flow will present Microsoft's login form to the user. To customize the login form, see this SO answer of mine.