AppAuth with Azure AD B2C


I have configured a B2C service in Azure AD and included Google as an authentication provider only to find that Google disallows authentication requests through an embedded web view. Then I found AppAuth but I'm having much difficulty getting the sample iOS app working.

The issue I'm having is related to the redirect URI. Using the AAD-provided redirect URI for native apps results in an error in Safari Mobile. I attempted to add a custom redirect URI that will redirect to my iOS app but can't, because it fails validation in the Azure AD configuration since it is not in the https URL scheme.

Is it possible to use AppAuth with Azure AD B2C? Is there some way to configure this properly or does it require changes on MS side?

EDIT

I have Azure AD B2C setup and working including the Google account login. This works as expected in a web browser, however when I try to log in to Google from iOS using an embedded webview I get disallowed_useragent. Researching this I came across the AppAuth library that I believe is the secure solution of choice except for the fact that it doesn't work with B2C due to redirect issues, or at least I haven't found a way to make this work.

I expect that I need to be able to supply a redirect URL in B2C that is unique to my app on iOS so that the SFSafariViewController can redirect back to my app. Using the web configuration in B2C seems to be the right approach but it requires using the https instead of a custom scheme.

Is there a way to configure B2C for a custom redirect URI?

2

There are 2 answers

1
Andy Liu - MSFT

Azure AD B2C supports Web apps, Mobile apps, such as iOS and Android, and Native apps.

To integrate Google accounts with Azure AD B2C, you need to go to the Google Developers Console to create an application, and then configure Google as an identity provider in Azure AD B2C. Please refer to the following link for more details.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-goog-app

Then, you need to register the application with the Azure AD B2C tenant. If the application is a mobile or native app, such as iOS, you can select it as a Native Client with a specified Redirect URI for configuration. You can refer to the link below for application registration.


To enable sign-in on your application, you will also need to create a sign-in policy. This policy describes the experiences that consumers will go through during sign-in and the contents of tokens that the application will receive on successful sign-ins. For more details, please refer to the link below.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-policies

By the way, you can also refer to the following link for a sample of building an iOS app.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-ios

2
iainmcgin

I am the lead maintainer of AppAuth.

As Microsoft currently restricts the redirect URI scheme to https, you have two options on iOS:

  1. Configure a Universal Link for your app, so that it is registered with the OS to handle requests to a particular https domain. This is the most secure option, as it prevents any other apps on the device from attempting to register the same link. However, this option is only available on iOS 9+.

  2. Create an intermediary page that captures the authorization response parameters, and then forwards these on to your custom scheme URI. I maintain an Android demo of doing this, which includes Microsoft integration, here. The intermediary page does, unfortunately, require an additional click from the user.
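The logic of the intermediary page from option 2 above, as an added example that is not part of the answer and not the AppAuth project's own code. Azure AD B2C redirects to this page over https; the page copies only the authorization-response parameters into a fixed custom-scheme URI and forwards on a user click. The scheme `com.example.app` and path `/oauth2redirect`, the `continue` button id and the sample query strings are assumptions for illustration.

```javascript
'use strict';

// Added example: intermediary https page that forwards an OAuth authorization
// response to a native app's custom scheme. The target below is an assumed
// value; it is fixed in the page and never taken from the query string, so the
// page cannot be turned into an open redirector.
const APP_REDIRECT = 'com.example.app:/oauth2redirect';

// Only the parameters an authorization server legitimately returns in the
// response are forwarded. Anything else in the query string is dropped.
const FORWARDED_PARAMS = ['code', 'state', 'error', 'error_description'];

// Build the custom-scheme URL from the query string of the https redirect.
// Returns null when the response lacks a state, or carries neither a code nor
// an error, so that junk requests are not handed to the app. The app itself
// still has to check that state matches the request it started (AppAuth does
// this) and redeem the code with its PKCE verifier.
function buildForwardUrl(search, target = APP_REDIRECT) {
  const raw = search.startsWith('?') ? search.slice(1) : search;
  const query = new URLSearchParams(raw);
  const params = new URLSearchParams();
  for (const name of FORWARDED_PARAMS) {
    const value = query.get(name);
    if (value !== null) params.set(name, value);
  }
  if (!params.has('state')) return null;
  if (!params.has('code') && !params.has('error')) return null;
  return `${target}?${params.toString()}`;
}

// Browser wiring: the forward happens only when the user clicks the button,
// which is the extra click the answer mentions. Guarded so the same file can
// be loaded outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const url = buildForwardUrl(window.location.search);
  const button = document.getElementById('continue'); // assumed element id
  if (button) {
    button.disabled = url === null;
    button.addEventListener('click', () => {
      if (url !== null) window.location.assign(url);
    });
  }
}

// Constructed sample responses, as B2C would append them to the https redirect.
const SAMPLE_SUCCESS = '?code=AUTHCODE123&state=xyz&session_state=ignored';
const SAMPLE_ERROR = '?error=access_denied&error_description=User+cancelled&state=xyz';

if (typeof module !== 'undefined') {
  module.exports = { buildForwardUrl, FORWARDED_PARAMS, SAMPLE_SUCCESS, SAMPLE_ERROR };
}
```

The page deliberately does no state validation of its own: it has no memory of which request the app started, so that check belongs in the app, together with the PKCE code exchange. What the page does enforce is that the destination is constant and that unexpected parameters (here the constructed `session_state`) never reach the app.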