Gabriel C

Reputation: 1200

In Azure AD B2C custom policies, how do the IdentityExperienceFrameworkApps connect to AD without secrets

Also posted to https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/issues/29

In the B2C Custom Policy Starterpack we have the file LocalAccounts/TrustFrameworkExtensions.xml with:

<TechnicalProfiles>
  <TechnicalProfile Id="login-NonInteractive">
    <Metadata>
      <Item Key="client_id">ProxyIdentityExperienceFrameworkAppId</Item>
      <Item Key="IdTokenAudience">IdentityExperienceFrameworkAppId</Item>
    </Metadata>
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="ProxyIdentityExperienceFrameworkAppID" />
      <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="IdentityExperienceFrameworkAppID" />
    </InputClaims>
  </TechnicalProfile>
</TechnicalProfiles>

Can someone explain why two applications are required to make these custom policies work? How does the IEF use each of them?

Besides, I don't see any secret or application key being passed to IEF in these files. How can IEF connect to AAD using Application Ids only?

Upvotes: 1

Views: 1896

Answers (1)

Chris Padgett

Reputation: 14654

The login-NonInteractive technical profile authenticates a local account by sending an access token request, using the resource owner password credentials grant type, to your Azure AD directory:

<Metadata>
  <Item Key="authorization_endpoint">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>
</Metadata>
<InputClaims>
  <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
  <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="ProxyIdentityExperienceFrameworkAppID" />
  <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="IdentityExperienceFrameworkAppID" />
  <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" />
  <InputClaim ClaimTypeReferenceId="password" Required="true" />
  <InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
  <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
</InputClaims>

Like all access token requests for an Azure AD directory, this access request must contain the identifier of a client application (i.e. the ProxyIdentityExperienceFramework application) and that of a resource application (i.e. the IdentityExperienceFramework application).

You don't have to specify a secret for the client application because it is registered as a native application.

Upvotes: 1
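How the IEF turns this technical profile into a token request, as an added example (not code from the answer or from the starter pack): it maps each InputClaim to a form field of the resource owner password credentials request and lets you check that the body carries no client secret, which is why a native (public) client registration is enough. The XML fragment is the one quoted above; the sign-in values are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample: the login-NonInteractive fragment quoted in the answer above.
TECHNICAL_PROFILE = """<TechnicalProfile Id="login-NonInteractive">
  <Metadata>
    <Item Key="authorization_endpoint">https://login.microsoftonline.com/{tenant}/oauth2/token</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
    <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="ProxyIdentityExperienceFrameworkAppID" />
    <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="IdentityExperienceFrameworkAppID" />
    <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" />
    <InputClaim ClaimTypeReferenceId="password" Required="true" />
    <InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
    <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
  </InputClaims>
</TechnicalProfile>"""


def build_token_request(profile_xml, claims_bag):
    """Return (endpoint, form_fields) for the ROPC request this profile describes.
    Each InputClaim becomes a field named by PartnerClaimType (else
    ClaimTypeReferenceId); value = claims bag entry, else DefaultValue; a
    Required claim with no value at all is rejected."""
    root = ET.fromstring(profile_xml)
    endpoint = root.find("./Metadata/Item[@Key='authorization_endpoint']").text
    fields = {}
    for claim in root.findall("./InputClaims/InputClaim"):
        ref = claim.get("ClaimTypeReferenceId")
        value = claims_bag.get(ref, claim.get("DefaultValue"))
        if value is None:
            if claim.get("Required") == "true":
                raise ValueError(f"required claim {ref!r} has no value")
            continue  # an optional claim without a value is simply omitted
        fields[claim.get("PartnerClaimType", ref)] = value
    return endpoint, fields


def carries_client_credential(fields):
    """True only if the body has a client secret or assertion; a native (public)
    client registration, as in the starter pack, sends neither."""
    return "client_secret" in fields or "client_assertion" in fields


def encoded_body(profile_xml, claims_bag):
    """application/x-www-form-urlencoded body as it would go on the wire."""
    return urlencode(build_token_request(profile_xml, claims_bag)[1])
```

Only the two application IDs, the user's credentials, scope and nca reach the token endpoint; the client application itself proves nothing, which is exactly what a public client registration permits.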
