
I have a Single Page Application that will use the implicit grant type. I want to use Azure B2C. However, Azure B2C doesn't support the implicit grant type. (https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-limitations)

Is it possible to facilitate this communication with IdentityServer4?

I imagine the flow could look something like this:

  1. User clicks Login on the SPA, directing the browser to IdentityServer and starting the implicit workflow.

  2. IdentityServer directs the browser to B2C. (Initiating the Auth Code workflow?)

  3. The user enters their credentials into B2C.

  4. B2C directs the browser to IdentityServer with a token.

  5. IdentityServer creates a new token identifying the user and adding claim information.

  6. B2C directs the browser back to the SPA along with the token. This completes the implicit workflow.

  7. The SPA accepts the token and logs the user in.

If you're considering Azure AD B2C I would also suggest having a look at Auth0 (The B2C Customer Value Journey) if you haven't done so already. Single Page Applications are fully supported so you would not have to introduce any other component in the middle to bridge that gap. Disclosure: I'm an Auth0 engineer. - João Angelo
In this particular scenario, I'll be integrating with several other applications. Some of them will require a custom integration. The solution also requires an authorization management portal. There needs to be a central STS to support this. I realize this doesn't preclude integrating Auth0. However, I don't think it makes sense to have applications integrating directly with an ID-STS in this scenario. - KPHutt
No worries, the intent of my initial comment was more to keep your options open than anything else. If you need a really custom solution then open source (IdentityServer4) will win, at a cost, over closed source, so without knowing all the additional requirements you ain't gonna see me push Auth0 as the definitive answer. However, just a note on your final remark: the same entity can play both the R-STS and the IP-STS roles, and Auth0 does allow you to choose if you want both or just use it as a federation provider (R-STS). - João Angelo

1 Answer


Yes, it's possible. I successfully implemented this with IdentityServer3 simply by using the OpenIdConnect middleware, as an external IdentityProvider, configured with the B2C discovery endpoint.

Sample with ASP.NET 4.6: https://github.com/AzureADQuickStarts/B2C-WebApp-WebAPI-OpenIDConnect-DotNet

Sample with ASP.NET Core: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore-b2c/tree/master/WebApp-OpenIDConnect-DotNet
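The same arrangement on IdentityServer4 (the version the question asks about), as an added example that is not part of the answer above or of either linked sample: the host exposes an implicit-flow client for the SPA and federates to Azure AD B2C through the ASP.NET Core OpenID Connect handler pointed at B2C's policy-specific discovery document. The tenant name, policy name, B2C application id and SPA URLs are placeholders, and the host is assumed to use the IdentityServer4 quickstart UI, whose external-login callback turns the external cookie into a local IdentityServer sign-in (step 5 of the flow in the question).

```csharp
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddDeveloperSigningCredential() // dev only: use a real signing certificate in production
            .AddInMemoryIdentityResources(new[] { new IdentityResources.OpenId(), new IdentityResources.Profile() })
            .AddInMemoryClients(new[]
            {
                new Client
                {
                    ClientId = "spa",                                  // placeholder
                    AllowedGrantTypes = GrantTypes.Implicit,           // the flow the SPA in the question uses
                    AllowAccessTokensViaBrowser = true,                // tokens come back in the URL fragment
                    RequireConsent = false,
                    RedirectUris = { "https://spa.example.com/callback" },   // placeholder: exact-match only
                    AllowedCorsOrigins = { "https://spa.example.com" },      // placeholder
                    AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId,
                                      IdentityServerConstants.StandardScopes.Profile }
                }
            });

        // Azure AD B2C as an external identity provider (steps 2-4 of the flow in the question).
        // B2C publishes one discovery document per policy; the policy name below is a placeholder.
        services.AddAuthentication()
            .AddOpenIdConnect("b2c", "Azure AD B2C", options =>
            {
                // Result of the B2C sign-in lands in IdentityServer's external cookie,
                // which the quickstart UI's external-login callback consumes.
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                options.MetadataAddress =
                    "https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/B2C_1_signupsignin/v2.0/.well-known/openid-configuration";
                options.ClientId = "<b2c-application-id>";             // placeholder
                options.ResponseType = OpenIdConnectResponseType.IdToken; // same response type as the linked B2C web-app sample
                options.CallbackPath = "/signin-b2c";                  // must be registered as a reply URL in B2C
                options.TokenValidationParameters.NameClaimType = "name"; // B2C carries the display name in "name"
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseIdentityServer(); // also registers the authentication middleware
        app.UseMvcWithDefaultRoute();
    }
}
```

Because IdentityServer, not B2C, issues the token the SPA receives (step 6), any claims mapped from the B2C identity are added in the external-login callback, and B2C only ever needs to trust the IdentityServer host's reply URL.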