CODEWITHSUNDEEP
azurekeycloakidentityazure-ad-b2c
rethon012
rethon012

Reputation: 33

Azure Ad B2C vs Keycloak

I have a question regarding keycloak and Azure Ad b2c. Both offres authentication with different identity providers. Main difference I can see is in authorization. With Keycloak I can easily manage claims and roles of users via admin portal. In Azure B2c it looks very hard (setting custom policies) maintaining all the data via custom created app. Am I missing something? Relying app is strongly cloud native (Azure of course) and thats why I'm thinking about azure b2c. Relying app will strongly use roles and claims also.

What do you think about these two identity solutions (pros and cons).

What is the easiest way to manage implemented (by custom policies) user claims and roles in azure b2c? (do I have to write separate management app by myself or there is easiesy solution?)

Edit: first conclusion is that right nów azure requires separate app for connecting to graphapi (via rest or using sdk). Keycloak has it built in. Any pros of using b2c in this case (for c# dev)?

Upvotes: 3

Views: 4379

Answers (1)

Will
Will

Reputation: 2410

You don't have to use custom policies to use custom claims. Below an example :

On your B2C tenant, go to Azure AD B2C > Manage > User attributes and create a custom attribute; here a client ID attribute :

enter image description here

Then Azure AD B2C > Policies > User flows and create a flow, for example "Sign In" :

enter image description here

Use the recommended flow :

enter image description here

During the flow's creation, at the last steps, you can specific what claim will be included in the returned jwt token on Sign in; select our custom attribute Client ID :

enter image description here

Then when I login into my application using a B2C account, I have the below JWT token returned :

JWT token's payload, base64 decoded :

{
  "iss": "https://mytenant.b2clogin.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/",
  "exp": 1664181788,
  "nbf": 1664178188,
  "aud": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "oid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "sub": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "extension_ClientID": 1,
  "name": "myUserName",
  "emails": [
    "user@email.com"
  ],
  "tfp": "B2C_1_SI",
  "nonce": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "scp": "user_impersonation",
  "azp": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "ver": "1.0",
  "iat": 1664178188
}

I have set the "extension_ClientID": 1 using the msGraph API but this could also be done using a SignUp flow.

Upvotes: 2

Related Questions