Tags: single-sign-on, azure-ad-b2c-custom-policy, idp, azure-ad-b2c

Policy to allow user/password login with non-interactive flow


I am currently trying to connect from a checking app (uses custom authentication) to my reporting app (uses AD B2C). I have the user/password for the reporting user in AD B2C (the reporting application user is created from an external API call that creates the reporting user in AD B2C). I want to connect from the checking app using the reporting user/password and be redirected to the reporting pages without an AD B2C challenge.

I can get the access_token from AD B2C reporting app using

POST https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<APP_policy>/oauth2/v2.0/token
client_id: <App_ID>
redirect_uri: <reporting app>
grant_type: password
username: <user>
password: <pswd>
scope: openid https://<tenant>.onmicrosoft.com/appID/Custom.Scope
response_type: token id_token

I need to be able to use the access_token in the downstream links. Is this scenario possible? How should my policy be configured for this to work?

App flow


Solution

  • This is really poor security design, and opens you up to a lot of exploits - we could not recommend something like this.

    A better approach would be to use id_token_hint to bootstrap the journey: sample. Instead of sending U/P in the clear, you send a signed JWT to App2, which sends it to B2C and B2C processes the JWT and logs the user in automatically. This also allows you to use the native MSAL libraries to manage the tokens.
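The answer above proposes replacing the password grant posted in the question with a signed id_token_hint. The Go program below is an added example (not code from the question, the answer or Microsoft's linked sample) showing what that exchange consists of: the issuing app (App1 in the answer's terms) mints an RS256 JWT with the user's claims, publishes the matching public key as a JWKS, and the relying side applies the checks B2C performs before it trusts the hint: key lookup by kid, signature over header.payload, issuer, audience and validity window. The issuer URL, audience, kid and claim names are constructed for the example; in a real policy the audience is the B2C application's client id and the policy is configured with the metadata URL from which it fetches this key set.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// HintClaims is the claim set carried in the id_token_hint (names constructed for this example).
type HintClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

func enc(b []byte) string           { return base64.RawURLEncoding.EncodeToString(b) }
func dec(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// MintHint builds the RS256-signed JWT App1 hands to App2 in place of a password.
func MintHint(key *rsa.PrivateKey, kid string, c HintClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc(sig), nil
}

// JWKS renders the public key as the JSON Web Key Set the issuer hosts for B2C to fetch.
func JWKS(pub *rsa.PublicKey, kid string) string {
	out, _ := json.Marshal(map[string]interface{}{"keys": []map[string]string{{
		"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
		"n": enc(pub.N.Bytes()), "e": enc(big.NewInt(int64(pub.E)).Bytes()),
	}}})
	return string(out)
}

// VerifyHint applies the checks B2C makes before trusting a hint: key lookup by
// kid, RS256 signature over header.payload, issuer, audience and validity window.
func VerifyHint(token, jwks, wantIss, wantAud string, now time.Time) (HintClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return HintClaims{}, errors.New("malformed token")
	}
	hdrJSON, err := dec(parts[0])
	var hdr map[string]string
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr["alg"] != "RS256" {
		return HintClaims{}, errors.New("unreadable header or unsupported alg")
	}
	var set struct {
		Keys []struct{ Kid, N, E string } `json:"keys"` // lowercase JSON names match case-insensitively
	}
	if err := json.Unmarshal([]byte(jwks), &set); err != nil {
		return HintClaims{}, err
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		n, errN := dec(k.N)
		e, errE := dec(k.E)
		if k.Kid == hdr["kid"] && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return HintClaims{}, errors.New("no signing key matches kid")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := dec(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return HintClaims{}, errors.New("signature invalid")
	}
	payload, err := dec(parts[1])
	var c HintClaims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return HintClaims{}, errors.New("unreadable claims")
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return HintClaims{}, errors.New("issuer or audience mismatch")
	}
	if t := now.Unix(); c.Exp <= t || c.Iat > t {
		return HintClaims{}, errors.New("token expired or not yet valid")
	}
	return c, nil
}
```

The only secret in this design is the RSA private key, and it never leaves the issuing app; App2 and B2C see just the short-lived signed token and the public key. That is the difference from the password grant in the question, where the reporting user's password itself travels through the checking app on every login and any log or proxy on that path captures a reusable credential. Keep the validity window short (minutes) so a captured hint is worthless soon after issue.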