
I am investigating the possibilities of Azure AD B2C. I have the following use case:

I have a Xamarin Forms app. In the current app, a user can choose between three different environments (A, B, C) when logging in. Each environment has a separate but similar website; think of them as staging environments. So the choice of environment dictates on which website the actual login takes place. A user should be able to log out of A and then log in again to B, for example.

Now I want Azure AD B2C to handle the authentication instead. I set up a tenant and created a custom policy that makes a REST call to the website, in the last orchestration step, to do extra validation with the objectId. This mechanism is working fine.

The problem is that the REST calls to the ServiceUrl are slightly different for environments A, B and C. In the orchestration I guess it should be possible to have three separate REST steps and make them conditional on some parameter. The question is which parameter. A custom claim?

The Xamarin app uses MSAL to connect to the tenant.

What mechanism can I use from the app to let the custom policy know that a login is for environment A, B or C?

  • Can it be some parameter?
  • Or should I make three different Application definitions in B2C, and use the ApplicationId to differentiate?
  • You say the user selects the environment in the app? You could pass a query param into the AAD B2C auth request and use a claim resolver to parse the param, then filter on that. – Jas Suri - MSFT Feb 15 '21 at 10:56
  • Thank you @JasSuri-MSFT. I was able to get it working with that info. – Ed S Feb 15 '21 at 21:18

1 Answer


Following Jas's comment, I added WithExtraQueryParameters to the app:

// Pass the environment the user picked as an extra query parameter on the
// /authorize request. The custom policy reads it back with the
// {OAUTH-KV:website_code} claim resolver.
await App.AuthenticationClient
    .AcquireTokenInteractive(scopes: Constants.Scopes)
    .WithExtraQueryParameters(new Dictionary<string, string> { { "website_code", "TEST" } })
    .WithPrompt(Prompt.ForceLogin)            // always show the login page, so a user can switch environments
    .WithParentActivityOrWindow(App.UIParent)
    .ExecuteAsync();

Some key snippets from TrustframeworkExtensions.xml:

<!-- Claim that receives the value of the website_code query parameter. -->
<ClaimType Id="website_code">
  <DisplayName>Website code</DisplayName>
  <DataType>string</DataType>
  <UserHelpText>The Website code</UserHelpText>
</ClaimType>

<!-- Input claim with a claim resolver: {OAUTH-KV:website_code} resolves to the
     website_code query-string parameter of the authorization request. -->
<InputClaim ClaimTypeReferenceId="website_code" DefaultValue="{OAUTH-KV:website_code}" AlwaysUseDefaultValue="true" />

<!-- Run the REST call for TEST only when website_code equals TEST; otherwise
     the step is skipped. One step like this per environment, each referencing
     its own REST technical profile. -->
<OrchestrationStep Order="7" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>website_code</Value>
      <Value>TEST</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="RESTGetUserClaims_test" TechnicalProfileReferenceId="xxxx_test" />
  </ClaimsExchanges>
</OrchestrationStep>