1 vote

I want to integrate Multi Factor Authentication (MFA) through Azure Active Directory (AD) B2C in my website, built in PHP, only for authentication purposes.

I checked its documentation and some code samples, and I have created the following things from the tutorial mentioned here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant

  • Azure AD B2C tenant
  • Register a web application (reply URL is https://jwt.ms)
  • Create a sign-up and sign-in user flow / password reset user flow

I tested the sign-up/sign-in user flow and the password reset user flow by the URL provided in the Azure Portal under the heading "Run user flow" endpoint, and it's working perfectly as expected; on a successful response I got a JWT token, which contains information like this:

But I am not sure whether what I have planned is correct according to the standard.

My plan is like this: I will give an option in the user profile section to enable/disable MFA. So if a user enables MFA, then on the next login, after successful authentication (through the email and password stored in the database), the user will be redirected to an MFA page. On the MFA page there are 2 buttons, Sign up/Sign in and Forgot Password:

  • Sign up/Sign in - this button has a link created by the "Sign up and sign in" user flow at Azure AD B2C - User flows (policies).

  • Forgot Password - this button has a link created by the "Password reset" user flow at Azure AD B2C - User flows (policies). I needed to add this because the Forgot Password link in Sign up/Sign in is not working as intended: it redirects to the Reply URL with some information and a message like this: AADB2C90118: The user has forgotten their password

In both user flows I enabled MFA, so on successful MFA I will redirect the user to the dashboard in my website; otherwise the user will remain on the MFA page.

  1. I explained my plan; please suggest whether I am doing something wrong in the Sign up/Sign in or Forgot Password flow, or if I can make it better.

  2. To decode the JWT token in PHP, I am breaking it on . and using base64_decode() to extract the data. Is it good to decode it manually? Also, please let me know how I can validate it.

Any help or suggestions will be helpful for me.

Thanks in advance.

Hi Henry, if you include your code it would fit better at Code Review. If your question came from there, the missing code might be the reason for the transfer to the main SO site. Here it's missing code and a specific error issue. - ZF007

Actually there was no code to mention in the question, because everything is handled by the user flows (policies) of B2C. It just gives a URL, and we need to redirect to that website, which will handle all things and give a JWT in response; I mentioned how I am decoding it right now. - Herry Shawn

@HerryShawn If my answer was helpful you can mark it as the answer to help others. Thank you. - Md Farid Uddin Kiron

2 Answers

1 vote

1. I explained my plan; please suggest whether I am doing something wrong in the Sign up/Sign in or Forgot Password flow, or if I can make it better.

It seems you are on the right way, but if you want, you could add a custom set of rules for your passwords to make them more secure and reliable. B2C provides many rules there. You can find all the password enforcement rules here.

2. To decode the JWT token in PHP, I am breaking it on . and using base64_decode() to extract the data. Is it good to decode it manually? Also, please let me know how I can validate it.

Breaking the JWT token using base64 is alright. You can check it manually, but it's good practice to handle it in the program. There are many threads already solved regarding token validation, so I am referring to those which you can easily implement. Check here how you would validate a JWT token; also check this.

Note: For manual decoding you could validate at https://jwt.io/; here you can get many algorithms together.

You can try:

Having a look at your case, I also suggest you take a look at the B2C self-service password reset option, which is also popular among developers as far as I know. You can try it out; as a result it will reduce much of your overhead and let you handle the scenario without more hassle.

Note: Please have a look at the referred document for token validation; you would get a good idea of how you can validate your token.

1 vote

The way the password reset flow works is a bit different. When the user clicks on the reset password link, AADB2C redirects to the relying party service (main service) with a specific error code (AADB2C90118). The relying party service should then invoke the reset password policy flow.

The code sample link shows how to catch the error and then redirect to the reset password handler.

For decoding the JWT token, there should be existing libraries; I would recommend using them.
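The token validation both answers point to, as an added PHP example that is not code from either answer or from a Microsoft library: it decodes the base64url segments (plain base64_decode() mishandles the URL-safe alphabet and the missing padding), pins the algorithm, verifies the RS256 signature with openssl_verify(), and only then checks exp/nbf/iss/aud/nonce, because a decoded payload by itself proves nothing about who issued the token. It assumes you have already fetched the key whose kid matches the token header from the policy's JWKS endpoint and converted it to PEM ($publicKeyPem); the function and variable names and the issuer/client-id/nonce values are hypothetical placeholders.

```php
<?php
// Added example (not from the post): validate an Azure AD B2C id_token in PHP.
// Assumes $publicKeyPem is the JWKS key whose kid matches the header, already as PEM.
function base64url_decode(string $data): string
{
    // JWT segments use the URL-safe alphabet ('-', '_') without '=' padding,
    // so plain base64_decode() can fail or return garbage on them.
    $data = strtr($data, '-_', '+/');
    $data .= str_repeat('=', (4 - strlen($data) % 4) % 4);
    $decoded = base64_decode($data, true);
    if ($decoded === false) {
        throw new RuntimeException('segment is not valid base64url');
    }
    return $decoded;
}

function validate_b2c_token(string $jwt, string $publicKeyPem, string $expectedIss,
                            string $expectedAud, string $expectedNonce): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new RuntimeException('malformed token');
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64url_decode($h), true, 512, JSON_THROW_ON_ERROR);
    $claims = json_decode(base64url_decode($p), true, 512, JSON_THROW_ON_ERROR);
    // Pin the algorithm B2C uses; never let the token's own header choose it.
    if (($header['alg'] ?? null) !== 'RS256') {
        throw new RuntimeException('unexpected alg');
    }
    // The signature covers the raw header and payload segments, not the decoded JSON.
    if (openssl_verify("$h.$p", base64url_decode($s), $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('signature invalid');
    }
    // A valid signature only proves who minted the token; the claims say whether it is for us, now.
    $now = time();
    if (($claims['exp'] ?? 0) <= $now || ($claims['nbf'] ?? 0) > $now) {
        throw new RuntimeException('token is outside its validity window');
    }
    if (($claims['iss'] ?? '') !== $expectedIss || ($claims['aud'] ?? '') !== $expectedAud) {
        throw new RuntimeException('token was issued by or for someone else');
    }
    if (!hash_equals($expectedNonce, (string) ($claims['nonce'] ?? ''))) {
        throw new RuntimeException('nonce mismatch (possible replay)');
    }
    return $claims;
}

// Usage (placeholder values): $claims = validate_b2c_token($_POST['id_token'], $publicKeyPem,
//   'https://contoso.b2clogin.com/<tenant-id>/v2.0/', '<app-client-id>', $_SESSION['nonce']);
```

The nonce compared here is the one your site generated and stored in the session before redirecting to the user flow, so a token replayed from another session is rejected even though its signature is genuine.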