Kye

Reputation: 6249

How to store a user's context with AAD B2C token

I'm using AAD B2C to secure a JavaScript application and backing web services. Users may be associated with multiple companies, so I plan to use a dropdown and allow a user to choose which context they wish to act under.

The backend web service needs to receive the "context"... so I feel like I need to add a value to the AAD B2C token after the user has been authenticated... or I need to call back to AAD B2C with the value somehow.

I can't find any documentation to suggest this is possible.

Is this a supported user flow?

Upvotes: 1

Views: 117

Answers (2)

Vic

Reputation: 472

You cannot simply "add a value" to a token. The token is created and signed by MS, not by your app.

But you can define a custom claim and have it included in the token. Let's say you name it Contexts and it will be the list of IDs or names of the companies the user has access to. After a successful login, the token with this claim is returned to your JS and you can parse it to get the individual items (companies) to display in the dropdown. After the user has picked the preferred context from the dropdown, you pass it to your backend web service as an extra parameter, not as part of the token.

Managing the Contexts property/claim can be done via Graph calls - I suspect you don't want to allow the users themselves to add in there whatever they want.

Upvotes: 1

Jas Suri - MSFT

Reputation: 11335

The only way to achieve this scenario, where a consumer has respective access rights to multiple tenancies within your scenario, is to use Custom Policies:

  1. Collect the user's credentials and validate.
  2. Call a REST API to send back a comma-delimited list of tenancies the user has access to.
  3. Display a self-asserted page with 2 B2C claims in textboxes. One should be populated with the comma-delimited list from 2) using InputClaims.
  4. Customise this page with JavaScript enabled; use JS to render a drop-down box with its enumeration from the populated text field from 3.
  5. When the user selects from the drop-down box, send the result using JS to the other text box that was rendered.
  6. Use CSS to hide the 2 text boxes.
  7. When the user submits the page, use a ValidationTechnicalProfile to send back the user's input to a REST API to make sure the value is within their authorized list of tenancies.
  8. Insert the tenant's name into the token using the OutputClaims section of the RelyingParty element.
  9. The app can now know which tenancy to show, with correct access rights.

Upvotes: 1
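Both answers above end up at the same server-side check: whether the list of authorised companies arrives as a custom claim in the B2C token (Vic's answer) or as a comma-delimited list returned by a REST API and validated by a ValidationTechnicalProfile (step 7 of Jas Suri's answer), the value the user picked in the dropdown must be compared against that authoritative list and never trusted on its own. The following is an added example, not code from either answer or from Microsoft: it decodes a JWT payload for display, normalises the comma-delimited list, and resolves the requested context only if it is in the authorised list. The claim name `extension_Contexts` and the `constructedToken` helper (an unsigned token built for the demo) are assumptions.

```javascript
// Added example: the check a backend (or the REST validation endpoint called by a
// B2C custom policy) should apply before acting under a user-chosen company.
// Claim name "extension_Contexts" is assumed; B2C custom attributes are emitted
// with an "extension_" prefix, but the exact name depends on the policy.

// Decode the payload of a compact JWT without verifying it. This is fine for
// filling a dropdown in the browser; the backend must verify the signature
// against the B2C signing keys (with a JWT library) before trusting any claim.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const payload = Buffer.from(parts[1], 'base64url').toString('utf8');
  return JSON.parse(payload);
}

// Normalise a comma-delimited list (the shape the REST API in Jas Suri's step 2
// returns) into a de-duplicated array of trimmed, non-empty names.
function parseContextList(csv) {
  const seen = new Set();
  for (const raw of String(csv).split(',')) {
    const item = raw.trim();
    if (item) seen.add(item);
  }
  return [...seen];
}

// Read the authorised contexts out of decoded claims. The custom claim may be
// emitted as an array or as a single comma-delimited string, so accept both.
function contextsFromClaims(claims, claimName = 'extension_Contexts') {
  const value = claims[claimName];
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? parseContextList(value.join(',')) : parseContextList(value);
}

// Server-side check: the context the user picked is honoured only if it appears
// in the authoritative list. Comparison is exact (case-sensitive) so a near-match
// cannot be used to act under a company the user is not a member of.
function resolveContext(authorised, requested) {
  if (typeof requested !== 'string' || !authorised.includes(requested)) {
    return null;
  }
  return requested;
}

// Constructed, unsigned token for the demo only (alg "none", empty signature).
// A real B2C token is RS256-signed; this helper exists so the example runs offline.
function constructedToken(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(claims)}.`;
}

// Walk through the flow once: token -> authorised list -> dropdown choice -> decision.
function demo() {
  const token = constructedToken({
    sub: 'user-1',
    extension_Contexts: 'Contoso, Fabrikam,,Fabrikam', // constructed sample claim
  });
  const authorised = contextsFromClaims(decodeJwtPayload(token));
  return {
    authorised,                                            // ['Contoso', 'Fabrikam']
    accepted: resolveContext(authorised, 'Fabrikam'),      // 'Fabrikam'
    rejected: resolveContext(authorised, 'Northwind'),     // null
  };
}

console.log(demo());
```

The decoded claims are used for display only; a backend should run `resolveContext` against a list obtained from a signature-verified token (or from its own directory lookup via Graph, as Vic suggests), not against anything the browser sends alongside the request.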
