Tags: xamarin.forms, azure-active-directory, azure-ad-b2c, touch-id, face-id

Azure B2C Login on Xamarin forms app with Face/TouchId/Fingerprint/Keychain integration with API


We are using Azure B2C for login/authentication of our users. This works fine on our website (social and email login, etc.). Our mobile app is built in Xamarin.Forms and we are trying to build a native login experience (using native app controls rather than the web view that B2C presents within the app) that integrates natively with the device biometrics for login (Face ID, Touch ID, fingerprint login). As you can imagine, doing this in the web view that Azure B2C requires doesn't allow a native login experience. The overall goal here is twofold:

  1. Build a native login experience
  2. Integrate with biometrics.

Question:

  1. Does Azure B2C have an API that enables this, especially so we can use authorization code flow without a UI. ROPC exists but does it integrate with social accounts too?
  2. If not, is there a way to integrate biometric login with Azure B2C on mobile when the login screen is presented in a web view? So that when the B2C login page in the web view is presented, a user can log in with Touch ID/Face ID and save that information to the keychain (on iOS, and the equivalent on Android).

Solution

  • You need to use Webviews, and you can enable Biometric integration with webview type experience.

    1. You cannot integrate any service with Social Accounts and ROPC. Any integration with Social IdPs will need a webview.

    2. Yes, enable Keep Me Signed In for long lived sessions. Wrap the biometric code around the acquireTokenSilent() methods.

    Then you have two options:

    1. You can hide the KMSI button, and use JavaScript to force select the KMSI checkbox in the login page using page customisation.

    2. You can rename the KMSI label on the login page to ask the user if they want to enrol in biometric login. Then, after the login, your app will receive a claim in the token indicating whether the user opted in; use a claim resolver to achieve that.

    Now you have a user logged into the App, with:

    1. A 1-hour access token
    2. A refresh token with a potentially unlimited lifetime
    3. A multi-day/year Azure AD B2C session cookie

    Then, when the user re-attempts to open the app, or perform some action in the app, you will need to call acquireTokenSilent(). This MSAL method obtains a fresh access token for the required API resource/scope.

    If the token is expired, or requires a different scope, then a new token is fetched.

    You can wrap any action in your application with the biometric SDK.

     if (performingSomeAction && requiresBiometric)
         if (challengeBiometric() succeeds)        // device prompt: Face ID / Touch ID / fingerprint
             acquireTokenSilent()                  // MSAL returns a cached or refreshed access token
             // do someAction with the access token
    

    Now, if the refresh token has expired, the web view will pop up and the long-lived session cookie will be used to get new tokens. The acquireTokenSilent() method handles all of that already.
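The pattern the answer sketches, written out in C# for a Xamarin.Forms app as an added example (this is not code from the question or the answer). It assumes MSAL.NET (`Microsoft.Identity.Client`) as the MSAL library and Plugin.Fingerprint as the biometric SDK; the tenant, policy, client ID, redirect URI, API scope and the `extension_BiometricOptIn` claim name are placeholders, and the opt-in claim only exists if you configured the KMSI-label trick with a claim resolver as described in option 2 above.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;            // MSAL.NET
using Plugin.Fingerprint;                   // assumed biometric SDK (Plugin.Fingerprint)
using Plugin.Fingerprint.Abstractions;

public class B2CAuthService
{
    // Placeholder values: replace with your own B2C tenant, user flow and app registration.
    const string Tenant = "contoso.onmicrosoft.com";
    const string TenantHost = "contoso.b2clogin.com";
    const string SignUpSignInPolicy = "B2C_1_signupsignin";
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    static readonly string[] ApiScopes = { "https://contoso.onmicrosoft.com/api/read" };
    static readonly string Authority = $"https://{TenantHost}/tfp/{Tenant}/{SignUpSignInPolicy}";

    // Hypothetical claim emitted by the user flow when the (relabelled) KMSI box was ticked.
    const string OptInClaim = "extension_BiometricOptIn";

    readonly IPublicClientApplication _pca;

    // Whether this user asked for biometric protection; persisted by the app between launches.
    public bool BiometricEnrolled { get; set; }

    public B2CAuthService()
    {
        _pca = PublicClientApplicationBuilder.Create(ClientId)
            .WithB2CAuthority(Authority)
            .WithRedirectUri($"msal{ClientId}://auth")
            .Build();
    }

    // Returns an access token for the API, or null when the user failed/declined the biometric prompt.
    // parentWindow is the Activity (Android) or UIViewController (iOS) MSAL should present the web view on.
    public async Task<string> GetAccessTokenAsync(object parentWindow)
    {
        var accounts = await _pca.GetAccountsAsync(SignUpSignInPolicy);
        var account = accounts.FirstOrDefault();

        // Gate the silent (cached refresh token) path behind the device biometric prompt.
        if (account != null && BiometricEnrolled && !await ChallengeBiometricAsync())
            return null;

        try
        {
            var result = await _pca.AcquireTokenSilent(ApiScopes, account).ExecuteAsync();
            return result.AccessToken;
        }
        catch (MsalUiRequiredException)
        {
            // No account, refresh token expired/revoked, or new consent needed: show the B2C web view.
            // If the B2C session cookie is still valid, the user is not asked for credentials again.
            var result = await _pca.AcquireTokenInteractive(ApiScopes)
                .WithAccount(account)
                .WithParentActivityOrWindow(parentWindow)
                .ExecuteAsync();

            // Read the opt-in claim (option 2 in the answer) and remember the user's choice.
            var optIn = result.ClaimsPrincipal?.FindFirst(OptInClaim)?.Value;
            BiometricEnrolled = string.Equals(optIn, "true", StringComparison.OrdinalIgnoreCase);
            return result.AccessToken;
        }
    }

    // Device prompt (Face ID / Touch ID / fingerprint). Fails closed if no biometric is enrolled,
    // so a device without biometrics cannot silently bypass the check the user asked for.
    static async Task<bool> ChallengeBiometricAsync()
    {
        if (!await CrossFingerprint.Current.IsAvailableAsync())
            return false;

        var request = new AuthenticationRequestConfiguration(
            "Sign in", "Confirm it is you to continue");
        var result = await CrossFingerprint.Current.AuthenticateAsync(request);
        return result.Authenticated;
    }
}
```

Call `GetAccessTokenAsync` from the page or view model that performs the protected action and treat a `null` return as "action denied"; when `BiometricEnrolled` is false the method behaves exactly like a plain `AcquireTokenSilent` with interactive fallback. Note that the prompt only gates access to MSAL's token cache inside your app; the refresh token itself is still stored by MSAL, so clear the accounts (`RemoveAsync`) on sign-out rather than relying on the biometric gate alone.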