I have an Angular SPA application with a .NET Core WebAPI, both registered in B2C and using UserFlows. All works perfectly.
Now, we are working with a 3rd party "partner" web app that does not use B2C. We want to use each other as alternative IdPs. We plan to use OIDC.
For example (App A is me, App B is partner):
Login Screens
- App A (B2C) login screen has username/password, plus a "Login with B" option
- App B (non-B2C) login screen has username/password, plus a "Login with A" option
Login Flow
- User on A: no A account (new user), does have B account, and selects "Login with B"
- Login with B succeeds, and App A creates the user in B2C
- User on B: no B account (new user), does have A account (B2C), and selects "Login with A"
- Login with A succeeds, and App B creates the user in their own app
I'm relatively new to B2C (and auth in general), so I'm trying to understand how to configure this in B2C. Read a lot of articles, and watched some YouTube videos, but still not 100% clear.
I believe I need to do this:
- Register App B in B2C
- create a Client Secret
- provide Client ID and Client Secret to App B developers
- provide B2C's App B Endpoints to App B developers
- Add a new OIDC Provider in B2C
- Use the metadata URL, endpoints, Client ID and Client Secret, scopes and claims that the App B developers have provided to me
Is this correct?
I'm also unclear about a few other things:
- Scopes: App B does not need the scopes I provide from my App A WebAPI, because App B will not be calling my WebAPI. Do I create a new set of scopes associated with the App B registration in B2C? We only need scopes to provide basic user information (to allow each of the apps to create user accounts after using the respective "Login with A/B" option)
- Policies: Should I create a new UserFlow (policy) specifically for App B to use? I prefer to keep that separation, but not sure if this is a valid approach. (I might also have no choice, because the UserInfo endpoint is not supported by UserFlows, only Custom Policies)
I'd appreciate any guidance to help me move forward in the right direction.
Thanks!
On B2C, create an external OIDC provider (This is for A to B).
You can add the external IDP to an existing user flow or create a new one.
For B to connect via OIDC, you need an app registration on B2C and then you supply the client ID, secret etc. to B. (This is for B to A).
B2C will have scope "User.Read" by default. Add "openid" as a scope.
For A to B, B2C will create a "shadow" account for the user. This is of type "signInType": "federated".
For B to A, you need an existing local account in A. This is of type "signInType": "emailAddress".