
Azure AD B2C Provider #34

Open
askpatrickw opened this issue Aug 4, 2019 · 0 comments

Comments

@askpatrickw

Azure AD B2C supports OpenID Connect and would be a good enterprise quality service to add to Authlib loginpass.

I don't understand this library enough to add this, but I can help with some of the base information and I'm very happy to help with live testing.

Here's an example from a live tenant configuration URL:

    f'https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={policy}'

Response

{
  "issuer": "https://{tenant}.b2clogin.com/{SOME_GUID}/v2.0/",
  "authorization_endpoint": "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize?p={policy}",
  "token_endpoint": "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/token?p={policy}",
  "end_session_endpoint": "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/logout?p={policy}",
  "jwks_uri": "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/discovery/v2.0/keys?p={policy}",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "code id_token",
    "code token",
    "code id_token token",
    "id_token",
    "id_token token",
    "token",
    "token id_token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "claims_supported": [
    "emails",
    "newUser",
    "oid",
    "sub",
    "idp",
    "extension_customUserAttribute",
    "tfp",
    "iss",
    "iat",
    "exp",
    "aud",
    "acr",
    "nonce",
    "auth_time"
  ]
}

Some notes:

The host URL uses tenant more than once:

    host = 'https://{}.b2clogin.com/{}.onmicrosoft.com/'.format(tenant, tenant)
    authorize_url = '{}oauth2/v2.0/authorize'.format(host)
    token_url = '{}oauth2/v2.0/token'.format(host)
    jwk_set_url = '{}discovery/v2.0/keys'.format(host)
    # Note the GUID, not sure where that value originates from
    iss_url = 'https://{}.b2clogin.com/__SOME_GUID__/v2.0/'.format(tenant)

Sign In, Sign Up, etc. require more kwargs:

    'client_kwargs': {
        'client_id': client_id,
        'nonce': '??',
        'p': policy,
        'response_type': 'id_token',
        'scope': 'openid offline_access',
    },

I show nonce as required, but it's unclear to me if the blueprints are handling that.

If I can help in any other way, please ask.
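As an added example (not code from this issue, nor from loginpass or Authlib), the following shows the pieces a relying party for this provider needs: building the per-policy discovery URL from the template above, pulling the endpoints out of a discovery document while confirming each carries the `p=` policy parameter, and the id_token claim checks (issuer, audience, nonce, expiry) that answer the nonce question from a defensive angle: the nonce is generated per login attempt, stored server-side, and compared against the claim so a captured id_token cannot be replayed into a different session. The tenant name, policy name, issuer GUID and client id are constructed placeholders, the discovery document is a constructed sample in the shape shown in the issue, and RS256 signature verification against `jwks_uri` is assumed to be done by a JWT library before these claim checks run.

```python
"""Added example (not loginpass code): Azure AD B2C discovery URL, endpoint
extraction from a discovery document, and id_token claim checks."""
import json
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample discovery document in the shape shown in the issue.
# "exampletenant", "B2C_1_signupsignin" and the all-zero GUID are placeholders.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://exampletenant.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
    "authorization_endpoint": "https://exampletenant.b2clogin.com/exampletenant.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_signupsignin",
    "token_endpoint": "https://exampletenant.b2clogin.com/exampletenant.onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_signupsignin",
    "jwks_uri": "https://exampletenant.b2clogin.com/exampletenant.onmicrosoft.com/discovery/v2.0/keys?p=B2C_1_signupsignin",
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid"],
})


def discovery_url(tenant, policy):
    """Per-policy OpenID discovery URL, following the template in the issue."""
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com"
            f"/v2.0/.well-known/openid-configuration?p={policy}")


def endpoints_from_discovery(document, policy):
    """Extract the endpoints a client needs and confirm each carries the
    expected policy in its ?p= query parameter (B2C endpoints are per policy)."""
    doc = json.loads(document)
    endpoints = {}
    for name in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc[name]
        if parse_qs(urlparse(url).query).get("p", []) != [policy]:
            raise ValueError(f"{name} does not carry policy {policy!r}: {url}")
        endpoints[name] = url
    # The issuer uses the tenant GUID rather than the tenant name, so take it
    # from the discovery document instead of templating it from the tenant.
    endpoints["issuer"] = doc["issuer"]
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        raise ValueError("expected RS256 id_token signing")
    return endpoints


def new_nonce():
    """Unguessable per-login nonce; store it in the session before redirecting
    and send it in the authorization request."""
    return secrets.token_urlsafe(32)


def check_id_token_claims(claims, issuer, client_id, expected_nonce, now=None, skew=60):
    """Claim checks that must follow RS256 signature verification against
    jwks_uri (signature verification is assumed to be done by a JWT library).
    The nonce check binds the id_token to this login attempt, so a token
    captured from another attempt is rejected. Raises ValueError on failure."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("audience mismatch")
    presented = str(claims.get("nonce", "")).encode()
    if not expected_nonce or not secrets.compare_digest(presented, expected_nonce.encode()):
        raise ValueError("nonce mismatch")
    if claims.get("exp", 0) + skew < now:
        raise ValueError("token expired")
    if claims.get("iat", now) - skew > now:
        raise ValueError("token issued in the future")
    return True


if __name__ == "__main__":
    eps = endpoints_from_discovery(SAMPLE_DISCOVERY, "B2C_1_signupsignin")
    nonce = new_nonce()
    print(discovery_url("exampletenant", "B2C_1_signupsignin"))
    print(eps["issuer"])
    # Constructed claims as a JWT library would return them after verifying the signature.
    claims = {"iss": eps["issuer"], "aud": "client-123", "nonce": nonce,
              "iat": int(time.time()), "exp": int(time.time()) + 3600}
    print(check_id_token_claims(claims, eps["issuer"], "client-123", nonce))
```

The `p` check exists because every B2C endpoint in the discovery document is scoped to a policy; mixing endpoints from different policies would silently send the user through the wrong flow. The issuer is taken from the discovery document rather than templated, which sidesteps the open question in the issue about where the GUID comes from.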
