Tags: azure, azure-ad-b2c, openid-connect

In Azure AD B2C who provides the ID token?


I am trying to get my head around the concept. You have an Azure B2C and have two external IdPs configured.

I guessed that the ID token was provided by the Azure B2C and not by the external IdPs that have been configured. However, I see that the provided ID token can also be used for other resources which use the same external IdP.

The user simply opens an additional tab to another client (URL) and is authenticated.

I would expect that the user was only authenticated in the resource provided by the B2C, while not being authenticated for other resources protected by the same external IdP.


Solution

  • I think what is happening is Single Sign-On (SSO), and it has nothing to do with the ID tokens.

    What happens when they sign in to your app:

    1. App redirects to B2C for authentication
    2. B2C redirects to external IdP for authentication
    3. User enters credentials in external IdP
    4. External IdP creates session for the user, stores cookie in user browser
    5. External IdP redirects back to B2C
    6. B2C validates response, creates session for the user, stores cookie in user browser
    7. B2C redirects to your app with tokens

    So now if the user goes to another application protected by the external IdP:

    1. Other app redirects to external IdP for authentication
    2. Cookie is transmitted automatically and the user is considered authenticated
    3. External IdP redirects back to the other application without prompting for credentials

    So since a session was already established with the IdP, they get automatically authenticated.
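The two flows in the answer above, modelled in-process as an added illustration (this is not code from the question, the answer, or Microsoft). Three parties are simulated: the browser with its cookie jar, B2C acting as a relying party of the external IdP, and the external IdP. The issuer URLs, client IDs and HS256 keys are assumptions for the demo; real B2C ID tokens are RS256-signed and validated against the tenant's published keys, but the claim semantics (iss, aud, sub) are the same. The point it makes concrete: the ID token your app receives is minted by B2C, while the silent login in the second tab comes from the external IdP's session cookie, and the B2C token itself is rejected by anything expecting the external IdP as issuer.

```python
import base64, hashlib, hmac, json, secrets, time

# Hypothetical issuers for the demo (not a real tenant or IdP)
B2C_ISSUER = "https://contoso.b2clogin.com/tfp/contoso/b2c_1_signin/v2.0/"
EXT_ISSUER = "https://idp.example.com"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(issuer, audience, subject, key):
    """HS256 ID token: iss is the signing party, aud the client it is for."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"iss": issuer, "aud": audience, "sub": subject,
                               "iat": int(time.time())}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def claims_of(token):
    return json.loads(_unb64(token.split(".")[1]))

def validate_id_token(token, expected_iss, expected_aud, key):
    """What an OIDC relying party checks before trusting an ID token:
    signature under the expected issuer's key, then the iss and aud claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return False
    claims = json.loads(_unb64(payload))
    return claims["iss"] == expected_iss and claims["aud"] == expected_aud

class Browser:
    def __init__(self):
        self.cookies = {}          # cookie jar keyed by the site that set it

class ExternalIdP:
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.sessions = {}         # session cookie value -> user

    def authorize(self, browser, client_id, credentials=None):
        """Returns (id_token, prompted). A valid session cookie means the user
        is considered authenticated without being asked for credentials."""
        cookie = browser.cookies.get(EXT_ISSUER)
        if cookie in self.sessions:
            return mint_id_token(EXT_ISSUER, client_id, self.sessions[cookie], self.key), False
        if credentials is None:
            raise PermissionError("login required")
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = credentials["user"]
        browser.cookies[EXT_ISSUER] = cookie          # step 4: IdP session cookie
        return mint_id_token(EXT_ISSUER, client_id, credentials["user"], self.key), True

class B2C:
    FEDERATION_CLIENT_ID = "b2c-as-client-of-ext-idp"   # B2C's own registration at the IdP

    def __init__(self, ext):
        self.key, self.ext, self.sessions = secrets.token_bytes(32), ext, {}

    def authorize(self, browser, client_id, credentials=None):
        cookie = browser.cookies.get(B2C_ISSUER)
        if cookie in self.sessions:
            return mint_id_token(B2C_ISSUER, client_id, self.sessions[cookie], self.key), False
        # steps 2-5: B2C sends the browser to the external IdP and validates its response
        ext_token, prompted = self.ext.authorize(browser, self.FEDERATION_CLIENT_ID, credentials)
        if not validate_id_token(ext_token, EXT_ISSUER, self.FEDERATION_CLIENT_ID, self.ext.key):
            raise PermissionError("bad response from external IdP")
        user = claims_of(ext_token)["sub"]
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user
        browser.cookies[B2C_ISSUER] = cookie          # step 6: B2C's own session cookie
        # step 7: the token your app receives is minted and signed by B2C
        return mint_id_token(B2C_ISSUER, client_id, user, self.key), prompted

def run_scenario():
    ext, browser = ExternalIdP(), Browser()
    b2c = B2C(ext)
    # First tab: your app behind B2C; the user types credentials once.
    app_token, prompted_first = b2c.authorize(browser, "your-app-client-id",
                                              credentials={"user": "alice"})
    # Second tab: another app that talks to the external IdP directly.
    other_token, prompted_second = ext.authorize(browser, "other-app-client-id")
    return {
        "app_token_issuer": claims_of(app_token)["iss"],
        "prompted_first": prompted_first,
        "prompted_second": prompted_second,
        "other_token_issuer": claims_of(other_token)["iss"],
        # the B2C-issued token is useless at the other app: wrong issuer, wrong key
        "b2c_token_accepted_by_other_app": validate_id_token(
            app_token, EXT_ISSUER, "other-app-client-id", ext.key),
        "cookies_held": sorted(browser.cookies),
    }

if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Running it shows the user prompted once, a B2C-issued token in the first tab, a silent external-IdP login in the second tab, and two separate session cookies in the jar; only the cookies carry the SSO state.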