
While making basic HTTP calls from “Keycloak” to “Azure AD B2C” to retrieve a token as a response from AD B2C.

The current flow looks like this. We have a Java web application which is integrated with ‘Keycloak’ as an identity broker, and from ‘Keycloak’ we have integrated ‘Azure AD B2C’ as an identity provider for user authentication, which sends the token response back to the Keycloak request.

  • Use case 1: We have integrated an Azure AD B2C sign-in user flow endpoint in Keycloak, which sends the sign-in requests to B2C, and retrieving the token as a response from Azure B2C works fine.

  • Use case 2: We have a blocker in this use case. While making a basic HTTP header call from ‘Keycloak’ to ‘Azure AD B2C’, we are seeing error codes in the ‘Keycloak’ logs such as ‘Invalid_grant’, ‘invalid_secret’ and ‘Invalid_credentials’ on different calls passed from Keycloak. Upon verifying on the Azure AD B2C side, we haven’t found any logs for the above requests from ‘Keycloak’.

Is there any workaround, or do any changes have to be made in Keycloak to handle basic HTTP calls to Azure AD B2C?

Thank you!!

  • What exact endpoint are you making a “basic http header call” request to? What does the request look like? Why are you sending such a request? – Jas Suri - MSFT Dec 12 '21 at 09:05
  • So, here Keycloak is handling the user login requests coming from the client application. I’m trying to pass the user credentials via a basic auth call to B2C, to retrieve the token response from B2C instead of presenting a login screen to the user. In this scenario, Keycloak is calling the B2C headless authentication endpoint. I’m not sure why Keycloak is facing an authentication challenge in this scenario. Not sure whether B2C supports HTTP basic auth calls from an external application, rather than login requests coming to the SignIn endpoint or ROPC endpoint. – CloudSpace03 Dec 13 '21 at 04:15
  • For instance, there are client applications A and B. If application A wants to authenticate the user with an HTTP basic auth call to B2C to get an access token as a response by calling the headless endpoint, that is getting an error now. But from application B, I’m able to integrate the B2C SignIn user flow endpoint with the client application, where Keycloak is able to retrieve a token after successful user authentication in B2C. To trigger an HTTP basic auth call via the headless authentication URL, are there any configuration changes required at the client-side application?… – CloudSpace03 Dec 13 '21 at 04:22

1 Answer


For client-to-client calls, Azure AD B2C supports the client_credential flow: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow

You can send the client_id and client_secret parameters in a Basic Authentication header.

Jas Suri - MSFT
  • Thanks for the input; with this client_credentials flow no user will be involved, right? I tried to call the SignIn flow endpoint & ROPC endpoint via Keycloak using a basic HTTP header call, but still the request is not reaching B2C. Additionally, do I have to enable any option in B2C to allow this HTTP basic auth request when calling the B2C ROPC or SignIn endpoints? – CloudSpace03 Dec 13 '21 at 18:29
  • You must use the endpoint in the link; yes, no user will be involved. B2C ROPC will not work unless you pass the parameters in the body. – Jas Suri - MSFT Dec 13 '21 at 19:31
  • Hi Jas Suri. Using the above-suggested client credentials flow to get the token from B2C, and using that from the external application to trigger Graph endpoints to create, update and delete users, is working fine. But does this client credentials flow support ‘user authentication’ as well? … From the external application I tried to make an HTTP basic auth call from Keycloak to B2C, but no requests are reaching B2C and no logs are recorded in the B2C audit logs either. For the external application to make an HTTP basic auth request from Keycloak, any suggestions on this scenario would be helpful. – CloudSpace03 Dec 20 '21 at 15:20
  • Why are you trying to do this? There is nothing really in the OAuth2 standard that describes what you are trying to do. The client credential flow is for a server to get a token. For tokens in the context of a user, you must use interactive flows (OpenID Connect, Authorization Code flow, Implicit flow) or a non-interactive flow (ROPC flow - not supported server to server). None of these flows, other than client_credential, supports the HTTP Basic header. So, short answer, no, you cannot do what you want; it’s not really standard. – Jas Suri - MSFT Dec 20 '21 at 19:34
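As an added example (not code from the question or the answer), this is the one request on this page that legitimately carries credentials in a Basic Authorization header: a client_credentials token request where client_id and client_secret are the Basic credential and only grant_type and scope go in the body. It assumes the standard Azure AD v2.0 token endpoint and the Microsoft Graph `.default` scope the comments mention; tenant, client id and secret are placeholders.

```python
"""Client-credentials token request with client_secret_basic (RFC 6749 2.3.1)."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Azure AD v2.0 token endpoint pattern; the tenant value is a placeholder.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Basic credential as RFC 6749 section 2.3.1 requires:
    form-urlencode id and secret first, then join with ':' and base64-encode.
    Skipping the encoding step breaks secrets that contain ':' or '%'."""
    user = urllib.parse.quote(client_id, safe="")
    pwd = urllib.parse.quote(client_secret, safe="")
    token = base64.b64encode(f"{user}:{pwd}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_token_request(tenant: str, client_id: str, client_secret: str,
                        scope: str = GRAPH_SCOPE):
    """Return (url, headers, body) for the POST; nothing is sent here."""
    url = TOKEN_ENDPOINT.format(tenant=tenant)
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}).encode("ascii")
    return url, headers, body


def request_token(tenant: str, client_id: str, client_secret: str,
                  scope: str = GRAPH_SCOPE, timeout: float = 10.0) -> dict:
    """POST the request and return the parsed JSON response (access_token on
    success, or error/error_description such as invalid_client on failure)."""
    url, headers, body = build_token_request(tenant, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # Azure AD returns a JSON error body with a 400/401 status; surface it.
        return json.loads(err.read().decode("utf-8"))
```

The resulting token is an app-only token, which is why the Graph user-management calls in the comments work with it while user sign-in does not.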