Azure-Samples / active-directory-b2c-custom-policy-starterpack

Azure AD B2C now allows uploading of a Custom Policy which allows full control and customization of the Identity Experience Framework
http://aka.ms/aadb2ccustom
MIT License

How do the IdentityExperienceFrameworkApps connect to AAD without secrets? #29

Open gcobr opened 5 years ago

gcobr commented 5 years ago

In LocalAccounts/TrustFrameworkExtensions.xml we have:

<TechnicalProfiles>
  <TechnicalProfile Id="login-NonInteractive">
    <Metadata>
      <Item Key="client_id">ProxyIdentityExperienceFrameworkAppId</Item>
      <Item Key="IdTokenAudience">IdentityExperienceFrameworkAppId</Item>
    </Metadata>
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="ProxyIdentityExperienceFrameworkAppID" />
      <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="IdentityExperienceFrameworkAppID" />
    </InputClaims>
  </TechnicalProfile>
</TechnicalProfiles>

Can someone explain why two applications are required to make these custom policies work? How does the IEF use each of them?

Besides, I don't see any secret or application key being passed to IEF in these files. How can IEF connect to AAD using Application Ids only?

parakhj commented 5 years ago

Internally, Azure AD B2C makes a call to Azure AD in order to authenticate local accounts. This uses the ROPC flow, which does not require the client secret. Due to the way ROPC works in AAD, you need two applications to make it work.
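To make the two roles concrete, here is an added example (not code from the issue, the starter pack, or Microsoft) that parses the quoted login-NonInteractive profile and shows what it tells the token request: the proxy app's ID goes out as client_id, the IEF app's ID as resource, and the IdTokenAudience metadata is the audience the returned token must carry. The ROPC form it assembles is modelled on the standard Azure AD password grant (grant_type=password) and is illustrative only; it is not a reproduction of B2C's internal call. The application IDs are the placeholders from the snippet, and the username/password in the test are constructed values.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the login-NonInteractive profile exactly as quoted in
# the issue, with the starter pack's placeholder application IDs (not GUIDs).
POLICY_SNIPPET = """<TechnicalProfiles>
  <TechnicalProfile Id="login-NonInteractive">
    <Metadata>
      <Item Key="client_id">ProxyIdentityExperienceFrameworkAppId</Item>
      <Item Key="IdTokenAudience">IdentityExperienceFrameworkAppId</Item>
    </Metadata>
    <InputClaims>
      <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="ProxyIdentityExperienceFrameworkAppID" />
      <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="IdentityExperienceFrameworkAppID" />
    </InputClaims>
  </TechnicalProfile>
</TechnicalProfiles>"""


def load_profile(xml_text, profile_id):
    """Return the <TechnicalProfile> element with the given Id."""
    root = ET.fromstring(xml_text)
    for tp in root.iter("TechnicalProfile"):
        if tp.get("Id") == profile_id:
            return tp
    raise KeyError(f"no TechnicalProfile with Id={profile_id!r}")


def metadata_items(profile):
    """Metadata <Item Key=...>text</Item> pairs as a dict."""
    return {item.get("Key"): (item.text or "").strip() for item in profile.iter("Item")}


def input_claims(profile):
    """Map each input claim's wire name (PartnerClaimType, else the claim
    type id) to its DefaultValue. This is what is sent to Azure AD."""
    out = {}
    for claim in profile.iter("InputClaim"):
        wire_name = claim.get("PartnerClaimType") or claim.get("ClaimTypeReferenceId")
        out[wire_name] = claim.get("DefaultValue")
    return out


def uses_shared_secret(profile):
    """True if any metadata key or input claim name looks like a client
    secret. For the quoted profile this is False: only IDs are configured."""
    names = set(metadata_items(profile)) | set(input_claims(profile))
    return any("secret" in name.lower() for name in names)


def ropc_form(profile, username, password):
    """Illustrative ROPC (password grant) form body derived from the profile.
    Assumption: the shape follows the standard Azure AD password grant; B2C's
    internal request is not documented on the page. Note: no client_secret."""
    claims = input_claims(profile)
    return {
        "grant_type": "password",
        "client_id": claims["client_id"],   # the ProxyIdentityExperienceFramework app
        "resource": claims["resource"],     # the IdentityExperienceFramework app
        "username": username,
        "password": password,
    }


def token_audience_ok(profile, token_claims):
    """Check a decoded token's aud against the profile's IdTokenAudience:
    the token must be issued for the IEF app, not for the proxy app."""
    expected = metadata_items(profile).get("IdTokenAudience")
    return expected is not None and token_claims.get("aud") == expected


if __name__ == "__main__":
    prof = load_profile(POLICY_SNIPPET, "login-NonInteractive")
    print("metadata:", metadata_items(prof))
    print("input claims on the wire:", input_claims(prof))
    print("shared secret configured:", uses_shared_secret(prof))
    print("ROPC form:", ropc_form(prof, "user@example.com", "constructed-password"))
```

The two checks worth keeping from this are `uses_shared_secret`, which confirms the profile carries nothing but application IDs (the point the answer makes), and `token_audience_ok`, which encodes the split the answer describes: one app requests the token and the other is the audience it is issued for.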