Uncovering Effective B2C Authentication through Azure AD Custom Policies
Azure AD B2C: custom policies, how to create effective ones, and how I discovered them as a solution for business-to-consumer web-app authentication.
A few weeks ago, I was asked to create an authentication and authorization system for a Single Page Application, with Angular at the front-end connected to an ASP.NET Core 3.1 API at the back-end.
The requirements were that the authentication system should be intuitive, flawless, "100% secure" and that… wait for it… it should support SSO *moment of panic* (we'll see later what that means).
First of all, you need to know that I went through this journey while still an intern. All of this was, at the time, really attractive to me but still pretty much a mystery.
Back then I didn't have a clue what an access, ID or refresh token was. OpenID Connect and OAuth 2.0 were still strange words from a far-away country. The only certainty I had was that it seemed cool to play with and that I wanted to do something stunning with it, so that my CTO and the company I was interning for would be amazed. I wanted them to feel that I was someone they wanted on their team and that I was going to add value to the startup… So yeah. This is how it started.
So one day at the office (well, in my room, working remotely) in the midst of the Covid-19 pandemic, my boss offers me the chance to work on the authentication and authorization system of the web app we're developing. He tells me it should support SSO, meaning that employees of a customer company could sign in to our web application with their organization's account, through their organization's identity provider. He tells me it has to be finished in three months, for the launch of our product.
I accept. Then I panic. Then I calm down. Then I start searching, studying the subject and putting together proofs of concept of potential solutions.
I think I posted some of it on my GitHub account, but be warned: that account is a complete mess, lol… Anyway.
After a lot of trial and error, what finally got my attention was Azure Active Directory Business to Consumer (Azure AD B2C).
From what I personally experienced, tried and researched, Azure AD B2C lets you define custom sequences of steps (user journeys) that produce a custom sign-in, sign-out, password reset or other authentication flow. It also acts as a broker between your application and all the other identity providers you may want to federate with, so your app only ever talks to B2C.
Check out my article about Azure AD B2C for more information about it!
In the article above, I explain that you can use custom policies from Azure AD B2C's Identity Experience Framework to create completely custom behaviors between your system and your clients' identity providers.
Azure AD B2C Custom policies
The custom policy files are XML configuration files in which everything important is expressed as elements (blocks): claim types, claims transformations, technical profiles, user journeys and relying party settings.
They are hierarchical: each file either inherits from a parent policy or is itself a parent.
This inheritance is declared in the <BasePolicy> element, which names the TenantId and PolicyId of the parent policy. A child policy can reference any element defined by its ancestors and can override one by redefining it with the same Id.
By default you have TrustFrameworkBase.xml, which defines all the basic building blocks. You do not edit it; instead you copy the elements you need into child policy files and override them there to create custom behaviors.
You also have the TrustFrameworkExtensions file, which is where you add or override technical profiles (for example, the claims provider for a customer's identity provider) and user journeys.
The TrustFrameworkExtensions file is the child of the TrustFrameworkBase file. The relying party policy files (sign-up/sign-in, password reset, profile edit) are in turn children of the extensions file; each one selects the user journey to run and the claims to return to your application in its token.
I highly recommend, when developing custom policies, starting from the base policies in Microsoft's Azure AD B2C custom policy starter pack (the Azure-Samples/active-directory-b2c-custom-policy-starterpack repository on GitHub) rather than writing them from scratch.
You will also have to set up your Azure AD B2C tenant in the Azure portal before custom policies can be uploaded: the Identity Experience Framework (the name of the custom policy framework) needs the token signing and token encryption key containers to exist in the tenant, and the IdentityExperienceFramework and ProxyIdentityExperienceFramework applications to be registered. Their application IDs, and your tenant name, are then substituted into the starter pack's placeholders. The keys themselves never appear in the XML files; only the key container names do.
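To make the inheritance chain concrete, here is an added illustration (not code from the original post) of how a TrustFrameworkExtensions file and a relying party file are wired together, following the layout of Microsoft's starter pack. The tenant name `yourtenant.onmicrosoft.com` and the two placeholder application IDs are assumptions to be replaced with your own values; the key container names shown are the ones the starter pack expects to find in the tenant.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!-- File 1: TrustFrameworkExtensions.xml (child of TrustFrameworkBase) -->
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="yourtenant.onmicrosoft.com"
  PolicyId="B2C_1A_TrustFrameworkExtensions"
  PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">

  <!-- Inheritance: everything defined in the base policy is available here
       and can be overridden by redefining an element with the same Id. -->
  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>

  <BuildingBlocks>
    <!-- New claim types and transformations for your journeys go here. -->
  </BuildingBlocks>

  <ClaimsProviders>
    <!-- Overrides the base technical profile of the same Id so that the
         framework can authenticate local accounts through the two IEF
         application registrations. These are application IDs, not secrets;
         the placeholders below are assumptions to replace. -->
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <Metadata>
            <Item Key="client_id">ProxyIdentityExperienceFrameworkAppId</Item>
            <Item Key="IdTokenAudience">IdentityExperienceFrameworkAppId</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="client_id"
                        DefaultValue="ProxyIdentityExperienceFrameworkAppId" />
            <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource"
                        DefaultValue="IdentityExperienceFrameworkAppId" />
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>

<!-- File 2: SignUpOrSignin.xml (relying party; child of TrustFrameworkExtensions) -->
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="yourtenant.onmicrosoft.com"
  PolicyId="B2C_1A_signup_signin"
  PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_signup_signin">

  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>

  <RelyingParty>
    <!-- Picks the user journey (defined in the base policy, possibly
         overridden in extensions) that this policy runs. -->
    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <!-- Only the claims listed here are released to the application's
           token; keep this list minimal. -->
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
```

Upload order matters because each file's <BasePolicy> must already exist in the tenant: base first, then extensions, then the relying party files. Your Angular front-end only ever names the relying party policy (B2C_1A_signup_signin) in its OpenID Connect request; the extensions and base files stay internal to the tenant, which is why a customer's identity provider can later be added to the extensions file without touching the application.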
There is still a lot to discuss, so you may want to follow me.
I will write about it progressively, every day during the next week.