[aad-b2c][question] How can I secure both my backend and frontend with azure-active-directory-b2c-spring-boot-starter and msal-browser?

[iliassk]

Environment

• [X] active directory spring boot starter

• OS Type: Linux

• Java version:

  • 11

Summary

I have a JHipster app (Spring boot + React) and I'm trying to implement the authorization code flow (w/ PKCE) to secure both my frontend (UI) and my backend (API) on Azure AD B2C. The most recommended plugins for my use case seem to be msal-browser for the frontend and azure-active-directory-b2c-spring-boot-starter for the backend.

I couldn't find any sample project nor docs about securing this kind of apps.

After reading through the docs, I'm not entirely sure this is a SPA use case. Is it more secure to handle the entire authentication on my backend and so, ditch msal-browser?

What do you think?

[yiliuTo]

Hi @iliassk , I am not clear whether msal-brower supports authorization code flow for b2c tenant due to this declaration and if yes how it works. As for the backend authentication with Azure B2C, you could refer to our current sample.

[iliassk]

@yiliuTo Yes for msal-browser, it seems that the support for b2c is still in preview/beta.

But now I'm more interested in azure-active-directory-b2c-spring-boot-starter. I'm using the 2.1.10 version (for spring boot 2.1.x). I'm unable to retrieve the email from the token. And I don't understand why can't we set scopes other than openid and the object id. I want to retrieve the profile and email scope. Even user roles. How can I do this with this library and Azure AD B2C ?

[yiliuTo]

Hi @iliassk , to get the email of users from the token, you may consider about adding email as a user attribute and claim in a proper user flow, here is the user flow doc maybe helpful to you. Besides, you can set scoped of email and profiles in the API permissions of APP registions in AAD B2C, these two scopes belong to Microsoft Graph APIs. And setting scopes here can help asign permissions to APPs.

[iliassk]

We don't have the authenticated "email" scope/attribute on the user flow screen. We only have the list of ALL user's "Email Addresses". I also try that for the permissions but the email claim was never collected nor sent in the id_token after being authenticated. The only solution I found was using Identity Experience Framework's custom policies to create a custom signin/signup user flow to collect the signed in user by modifying the SignUpOrSignin.xml adding this line :

<OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email"/>

How about user roles? Do I also need to do all of this to get the user roles in the id_token?

[yiliuTo]

Hi @iliassk , you can use the "Email Addresses" in a user flow to get email infomation about users in the id_token. Would you like to descirbe how you obtain the email claim in the code since you said you failed to collect it from the id_token? Or you can refer to our sample, the token in WebController.java contains users' email address.

[iliassk]

Hi @yiliuTo, your sample doesn't seem to work. Unless you specifically define a Display Name. A user can enter a login as a Display Name which I don't want. I want the email to be the principal/login/email. But in your code, the attribute name is "hardcoded" to be the "name" claim (= Display Name attribute). But even by declaring a custom ClientRegistrationRepository bean to change userNameAttributeName to something different than name, for example, email, I can't retrieve it in my token claims with the built-in policy and I have to use IEF's custom policies to collect it and return in my id_token. Using:

<OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email"/>

And btw I'm using the V2 endpoints since that's what is recommended on the docs and hardcoded in the code :

    private static final String AUTHORIZATION_URL_PATTERN =
            "https://%s.b2clogin.com/%s.onmicrosoft.com/oauth2/v2.0/authorize";

    private static final String TOKEN_URL_PATTERN =
            "https://%s.b2clogin.com/%s.onmicrosoft.com/oauth2/v2.0/token?p=%s";

    private static final String JWKSET_URL_PATTERN =
            "https://%s.b2clogin.com/%s.onmicrosoft.com/discovery/v2.0/keys?p=%s";

    private static final String END_SESSION_URL_PATTERN =
            "https://%s.b2clogin.com/%s.onmicrosoft.com/oauth2/v2.0/logout?post_logout_redirect_uri=%s&p=%s";

This is my permissions configuration:

The authorization url: https://<TENANT>.b2clogin.com/<TENANT>.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code&client_id=<CLIENT_ID>&scope=<CLIENT_ID>%20openid&state=lP2Wp461EFyDrlX9IpkiwEC8hwziax5Gh-0tUyn1abI%3D&redirect_uri=http://localhost:8080/login/oauth2/code&nonce=J2ipl4m3HFyhrE8HNJSDPRuIY29sdk2jEbM8Fg1E7W4&p=<BUILT-IN POLICY>&x-client-SKU=spring-boot-starter

And as you can see no email:

[yiliuTo]

Hi @iliassk , sorry for the late response due to a local Festival. The userNameAttribute value is contained in providers during construction of a client registration. So if you want to set userNameAttribute, you need to set the provider as azure-oauth-provider which you can refer to this issue. However, in your case I think the email address is not stored in id_token for some reason. Could you provide more information about your built_in policy user flow? In the normal case, if the one attribute or claim is selected in a user flow then it can be obtained in the id_token.

[iliassk]

Hi @yiliuTo, for the spring.security.oauth2.client.provider.azure-oauth-provider.user-name-attribute it should also work for the spring boot azure b2c starter?

As for the email claim, I'm using the default built-in user flow. There is no email claim returning the authenticated user, only email addresses that returns ALL emails. It seems to be the case for the last 3 years: https://stackoverflow.com/a/47356532

[yiliuTo]

Hi @iliassk , I misremembered AAD and AAD B2C, and the way you declare a custom ClientRegistrationRepository bean to modify userNameAttributeName can work.

Besides, you mentioned that you use the default built-in userflow, however I cannot find where it is defined in AAD B2C. All the user flows I can see is as below:

Or could you give a screenshot of the application claims of your userflow, which could be found here:

Besides, after setting the application claims as above, my id_token is as below:

As for the content of emails claim, you can refer here.

[saragluna]

Closing this issue.