Azure AD B2C
Azure AD B2C (Azure Active Directory Business to Consumer) is a cloud-based identity and access management solution that enables applications to authenticate and authorize users through customizable workflows.
Key Points
- Any application can delegate its authentication and authorization flow to Azure AD B2C.
- It involves creating an Azure AD B2C resource (tenant) specific to your application in the Azure portal. Creating the tenant produces a unique identifier, the tenant id.
- Many applications can be registered within a single Azure AD B2C resource. Each registered application gets its own identifiers (client-id, client-secret). A redirect URL must be configured for each application.
- Workflows need to be created for the registered application. Many workflows are supported, including sign-up, sign-in, forgot-password and update-profile.
- The application must be configured with all of these details (tenant-id, client-id, client-secret, workflow profiles, etc.) in its configuration file.
- The application should be configured to use the “OpenIdConnect” scheme for authentication.
Authentication flow with Azure AD B2C
- When a user opens the application URL, the application checks whether the request is authenticated.
- If the request is not authenticated, the application, based on its configuration, redirects the user to the Azure AD B2C login page. This involves two steps:
- The application initiates authentication with an API call that passes the application details (tenant-id, tenant-name, client-id, client-secret, etc.).
- Azure AD B2C validates these details (tenant-id, tenant-name, client-id, client-secret, workflow). If they are correct, the user is redirected to the Azure AD B2C login screen; otherwise, an error is displayed to the user.
- The user enters their credentials and clicks sign-in. A user authentication request containing the user-id, password, client-id and scope is sent to Azure AD B2C.
- Azure AD B2C validates the credentials against those stored in the B2C directory for the registered application. If validation succeeds, Azure AD B2C constructs a token.
- The token is populated with claims such as user id, name, email address, roles or groups, and custom attributes.
- Upon successful authentication, the user is redirected back to the originally requested application URL along with the token.
- The application validates the token's signature, issuer and expiry. Once the token is validated, the application treats the user as authenticated.
Azure AD B2C Authentication flow diagram