Azure Ad B2C vs Keycloak

Question

I have a question regarding keycloak and Azure Ad b2c. Both offres authentication with different identity providers. Main difference I can see is in authorization. With Keycloak I can easily manage claims and roles of users via admin portal. In Azure B2c it looks very hard (setting custom policies) maintaining all the data via custom created app. Am I missing something? Relying app is strongly cloud native (Azure of course) and thats why I'm thinking about azure b2c. Relying app will strongly use roles and claims also.

What do you think about these two identity solutions (pros and cons).

What is the easiest way to manage implemented (by custom policies) user claims and roles in azure b2c? (do I have to write separate management app by myself or there is easiesy solution?)

Edit: first conclusion is that right nów azure requires separate app for connecting to graphapi (via rest or using sdk). Keycloak has it built in. Any pros of using b2c in this case (for c# dev)?

Please provide enough code so others can better understand or reproduce the problem. — Community, Sep 25 '22 at 19:51

score 1 · Answer 1 · answered Sep 26 '22 at 07:54

You don't have to use custom policies to use custom claims. Below an example :

On your B2C tenant, go to Azure AD B2C > Manage > User attributes and create a custom attribute; here a client ID attribute :

Then Azure AD B2C > Policies > User flows and create a flow, for example "Sign In" :

Use the recommended flow :

During the flow's creation, at the last steps, you can specific what claim will be included in the returned jwt token on Sign in; select our custom attribute Client ID :

Then when I login into my application using a B2C account, I have the below JWT token returned :

JWT token's payload, base64 decoded :

{
  "iss": "https://mytenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/",
  "exp": 1664181788,
  "nbf": 1664178188,
  "aud": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "oid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "sub": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "extension_ClientID": 1,
  "name": "myUserName",
  "emails": [
    "user@email.com"
  ],
  "tfp": "B2C_1_SI",
  "nonce": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "scp": "user_impersonation",
  "azp": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "ver": "1.0",
  "iat": 1664178188
}

I have set the "extension_ClientID": 1 using the msGraph API but this could also be done using a SignUp flow.

Okay, but what about user management? I still have to write my own app to manage users via graph api right? — rethon012, Sep 29 '22 at 08:09
As far as I know, if you're going outside of the azure defined user flows, I'm afraid you'll have to use an external msGraph client or to use XML custom policies — Will, Sep 29 '22 at 09:42
That's the only identity provider I've used so far therefore I'm not in capacity to list the pros and cons of Azure AD B2C vs another solution — Will, Sep 30 '22 at 15:56

Azure Ad B2C vs Keycloak

1 Answers1