
I created an Azure B2C tenant and a custom IDP for Azure Active Directory (AD). I created the user flow from B2C to federate to the Azure AD and get the access token.

Steps that I have followed:

  • Created azure AD application
  • Generated a secret
  • Created custom roles
  • Assigned custom roles to users from AD Enterprise Applications
  • Created an IDP in B2C
  • Created B2C app
  • Created a login policy
  • Added IDP for federation
  • Run the user flow
  • Login by federation

The Azure AD successfully retrieves the token (idp_access_token) as a result of federation, but the issue is that the token retrieved from the Azure AD does not contain a roles claim. I have created two app roles and assigned them to the user, but I couldn't see any roles inside the token.

I followed this documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

Isn't this valid for federations? What is the exact way to get assigned app roles by federation?

Here are the required details to create the B2C IDP.

How do I map these details to the scope solution?

1 Answer

You need to create two applications in Azure AD, one representing the client application and the other representing the API application, and then use the client application to call the API application.

First, you need to expose the API of the back-end application protected by Azure and add the client application.

Next you need to set the API application AppRole, which is your customized role; it will be displayed in the manifest.

Then you can assign the role to the user. Go to Enterprise applications > your API application > Users and groups.

Next, go to the client application and give your client application access to your backend API:

  • Under 'API permissions' click on 'Add permission', then click on the 'My APIs' tab.
  • Find your backend application and select the appropriate scope.
  • Click 'Add permissions'.
  • Grant admin consent for your APIs.

Next, you need to use the auth code flow to obtain an access token, which requires you to log in the user and obtain the authorization code, and then use the authorization code to redeem the access token.

Parse the v2.0 token; it contains both scp claims and roles claims.

Carl Zhao
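The last step of the answer is to parse the v2.0 access token and confirm that it carries both `scp` and `roles`. The following is an added example (not part of the answer above and not Microsoft's code) that decodes the payload of a compact JWT and reports the audience, scopes and app roles, so you can see the difference between a token issued for the API application (roles present) and one issued only for the client application with `openid profile` (no roles, which is the symptom in the question). The sample payload, the `api://<api-app-client-id>` audience and the signature segment are constructed placeholders; the decoder only inspects claims and does not validate the signature, so use it for debugging the claim set, not as the authorization check in an API, which must verify the signature against the tenant's signing keys first.

```python
import base64
import json

# Constructed sample payload in the shape Azure AD issues for a v2.0 access
# token requested with the API's scope (e.g. api://.../read). The audience and
# role names are placeholders, not values from a real tenant.
SAMPLE_PAYLOAD = {
    "ver": "2.0",
    "aud": "api://<api-app-client-id>",
    "scp": "read",
    "roles": ["Admin", "Reader"],  # app roles assigned under Enterprise applications
    "preferred_username": "user@example.com",
}


def _b64url_encode(raw: bytes) -> str:
    # JWT segments are base64url without trailing '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding the token omitted, otherwise the decoder rejects it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(payload: dict) -> str:
    """Assemble header.payload.signature with a placeholder signature (demo only)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "placeholder-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "signature-placeholder",
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Inspection only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def authorization_summary(token: str) -> dict:
    """Extract the claims that matter for this question: audience, scopes, roles."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "")  # space-separated string in Azure AD tokens
    return {
        "version": claims.get("ver"),
        "audience": claims.get("aud"),
        "scopes": scopes.split() if scopes else [],
        "roles": list(claims.get("roles", [])),
    }


def has_app_role(token: str, role: str) -> bool:
    return role in authorization_summary(token)["roles"]


def diagnose(token: str) -> str:
    """Explain a missing roles claim in terms of the setup the answer describes."""
    summary = authorization_summary(token)
    if summary["roles"]:
        return "ok: app roles present"
    if summary["version"] != "2.0":
        return "token is not a v2.0 token; roles/scp layout differs"
    if not summary["audience"] or not str(summary["audience"]).startswith("api://"):
        return ("no roles claim: token audience is not the API application that "
                "defines the app roles; request the API's scope, not only openid/profile")
    return "no roles claim: check the user is assigned the role under Enterprise applications"


if __name__ == "__main__":
    tok = build_sample_token(SAMPLE_PAYLOAD)
    print(json.dumps(authorization_summary(tok), indent=2))
    print(diagnose(tok))
```

Run it as-is to see the claim set of the constructed token; to inspect a real token, paste the `access_token` string from the redeem step into `authorization_summary`.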
  • This is really helpful. Now I'm waiting for grant admin consent. How did you get the "code" for your postman request? – Buddhika Priyabhashana Feb 25 '21 at 09:06
  • @BuddhikaPriyabhashana This is the URL where I get the authorization code from the browser: `https://login.microsoftonline.com/e4c9ab4e-bd27-40d5-8459-23xxxxxxxxxx/oauth2/v2.0/authorize?client_id=5f11e827-4b37-4f1f-aa05-33xxxxxxxxxx&response_type=code&redirect_uri=https://jwt.ms/index&response_mode=query&scope=api://c848e37d-f64d-4cd8-b9bf-0b2xxxxxxxxxx/read&state=12345` – Carl Zhao Feb 25 '21 at 09:22
  • In case of IDP federation I have to add AD details to create an IDP related to my B2C tenant. What are the details required to create an IDP? I need to add the following details: metadata url, client id, client secret, scope, response type, etc. I updated the question with a screenshot. – Buddhika Priyabhashana Feb 25 '21 at 10:34
  • @BuddhikaPriyabhashana Have you seen this document? https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-openid-connect – Carl Zhao Feb 26 '21 at 02:18
  • Yes, I already configured it for the general scenario. But I need to configure it with the newly created scope as you guided me. The issue is that this newly created scope does not have a client secret, and what should be the value for the IDP configuration? How do I point the IDP to the scope that contains user roles? – Buddhika Priyabhashana Mar 01 '21 at 03:33
  • I figured it out. Value for the scope field of IDP config is + openid + profile – Buddhika Priyabhashana Mar 01 '21 at 03:41
  • Thanks @CarlZhao. How do I get the client secret? Currently I don't have one set up anywhere. – aero8991 Jun 05 '23 at 19:11