
Is it possible to authenticate a user programmatically in Azure AD B2C without using the https://login.microsoftonline.com endpoint?

jmdn

1 Answer


It's coming but not yet available: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/13817784-add-support-for-resource-owner-password-credential.

Or maybe the UserVoice thread is out of date? https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc

It's a preview feature at the moment, so not exactly recommended for production use. B2C moves forward pretty fast though so I doubt it'll take long to get a proper release.

Do remember that it will only support local accounts, not accounts from e.g. Facebook etc. I also try to discourage people from using this flow as it means the users must give their passwords to your app, instead of the identity provider as normal.

juunas
  • So currently this is not supported? The only way to interact with Azure AD B2C is via redirecting to microsoft.login.com, right? What about Azure Graph Api: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet ? – jmdn Jul 12 '18 at 08:27
  • Right. What about the Graph API? Graph API can be used to query and create users for example but it cannot be used for logging in. – juunas Jul 12 '18 at 08:31
  • see this https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc?WT.mc_id=b2c-twitter-masoucou. – jmdn Jul 12 '18 at 08:34
  • Okay, so the UserVoice thread is out of date? If that is correct, ROPC is indeed supported (as a preview feature) and you can use it for this purpose. – juunas Jul 12 '18 at 08:51
  • Is it recommended to use this feature even though it is only a preview feature? – jmdn Jul 12 '18 at 08:55
  • Usually preview features are not recommended for production use. – juunas Jul 12 '18 at 09:21
  • Thanks. The link I saw is for Android and iOS. Do you think it's also possible with a Web app? – jmdn Jul 13 '18 at 03:31
  • It should be, at least it is in regular AAD. I'm curious, what is your scenario that requires you to use this flow? There are valid scenarios, but you really want to avoid this flow if possible since you have to handle passwords and it won't work for users with Multi-factor authentication. – juunas Jul 13 '18 at 05:05
  • I just want to handle the signin/signup etc. via API call without redirecting to any url. – jmdn Jul 13 '18 at 05:20
  • Then you are working around the benefits of federated authentication. I would recommend not doing that since you cannot enable MFA for your users and you cannot use anything else but local accounts. I just think it will limit you and not offer a significant benefit. – juunas Jul 13 '18 at 05:23
  • Yes, I agree. I don't see any documentation regarding implementation of ROPC (AAD B2C) for web apps. Have you come across anything about this implementation? I'm pretty new to AAD B2C. – jmdn Jul 13 '18 at 07:10
  • I would avoid ROPC... https://stackoverflow.com/a/49036907/185123 @jmdn – spottedmahn Jul 14 '18 at 02:48
  • Why? @spottedmahn – jmdn Jul 14 '18 at 16:20
  • Sorry, should have included a link. See comments here: https://stackoverflow.com/a/45341597/185123 @jmdn – spottedmahn Jul 14 '18 at 17:20
  • https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications – juunas Jul 14 '18 at 17:24
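An added example, not code from the answer or from Microsoft's documentation: a minimal Python client that builds the B2C ROPC token request the linked docs describe and checks the audience and policy claims of the returned id_token. The tenant name, policy name and client id are placeholders, and the b2clogin.com endpoint and form fields are assumed to match the current ROPC user-flow docs. The password field in the form body is the point juunas makes: with ROPC the application, not the identity provider, receives the user's credential.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed placeholder values; replace with your tenant's real ones.
TENANT = "contoso"                 # {tenant}.onmicrosoft.com
POLICY = "B2C_1_ROPC_Auth"         # ROPC user flow name as in the docs
CLIENT_ID = "00000000-0000-0000-0000-000000000000"


def build_ropc_request(username, password):
    """Return (token endpoint URL, urlencoded form body) for the ROPC grant.

    The endpoint and field names are assumed from the B2C ROPC docs.
    Note that the password travels in a request the app itself sends.
    """
    url = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
           f"{POLICY}/oauth2/v2.0/token")
    form = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": CLIENT_ID,
        "scope": f"openid {CLIENT_ID} offline_access",
        "response_type": "token id_token",
    }
    return url, urllib.parse.urlencode(form).encode()


def id_token_claims(id_token):
    """Decode the JWT payload segment only (no signature verification)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)      # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claims_match_policy(claims):
    """True if the token is for this app and was issued by the ROPC policy.

    B2C puts the policy name in the 'tfp' claim (or 'acr', if configured).
    """
    policy = claims.get("tfp") or claims.get("acr")
    return claims.get("aud") == CLIENT_ID and policy == POLICY


def request_token(username, password):
    """Perform the grant over the network; raises HTTPError on 4xx."""
    url, body = build_ropc_request(username, password)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
        return json.load(r)
```

Before trusting the claims, verify the id_token signature against the tenant's JWKS for that policy; this example deliberately stops at decoding.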