
Azure AD B2C Provider

Open askpatrickw opened this issue 5 years ago • 0 comments

Azure AD B2C supports OpenID Connect and would be a good enterprise quality service to add to Authlib loginpass.

I don't understand this library enough to add this, but I can help with some of the base information and I'm very happy to help with live testing.

Here's an example from a live tenant configuration URL

f'https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={policy}'

Response

{
  "issuer": "https://{tenant}.b2clogin.com/{SOME_GUID}/v2.0/",
  "authorization_endpoint": "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize?p={policy}",
  "token_endpoint": "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/token?p={policy}",
  "end_session_endpoint": "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/logout?p={policy}",
  "jwks_uri": "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/discovery/v2.0/keys?p={policy}",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "code id_token",
    "code token",
    "code id_token token",
    "id_token",
    "id_token token",
    "token",
    "token id_token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "claims_supported": [
    "emails",
    "newUser",
    "oid",
    "sub",
    "idp",
    "extension_customUserAttribute",
    "tfp",
    "iss",
    "iat",
    "exp",
    "aud",
    "acr",
    "nonce",
    "auth_time"
  ]
}

Some notes:

The host URL uses tenant more than once:

    host = 'https://{}.b2clogin.com/{}.onmicrosoft.com/'.format(tenant, tenant)
    authorize_url = '{}oauth2/v2.0/authorize'.format(host)
    token_url = '{}oauth2/v2.0/token'.format(host)
    jwk_set_url = '{}discovery/v2.0/keys'.format(host)
    iss_url = 'https://{}.b2clogin.com/__SOME_GUID__/v2.0/'.format(tenant)  # <-- Note the GUID, not sure where that value originates from

Sign In, Sign Up, etc. require more kwargs:

    'client_kwargs': {
        'client_id': client_id,
        'nonce': '??',
        'p': policy,
        'response_type': 'id_token',
        'scope': 'openid offline_access',
    },

I show nonce as required, but it's unclear to me if the blueprints are handling that.

If I can help in any other way, please ask.

askpatrickw Aug 04 '19 22:08
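The endpoint layout and the nonce question raised in the issue, as an added example that is not loginpass or Authlib code: it builds the per-policy discovery URL and checks a decoded id_token's iss, aud, exp, nonce and tfp claims against the discovery document and the nonce kept in the session. The tenant "contoso", policy "B2C_1_signupsignin", the all-zero GUID and the client id are assumed placeholder values.

```python
import secrets
import time

# Constructed sample discovery document, shaped like the response quoted in the issue.
# "contoso", "B2C_1_signupsignin" and the all-zero GUID are assumed placeholder values.
TENANT, POLICY = "contoso", "B2C_1_signupsignin"
HOST = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com"
METADATA = {
    "issuer": f"https://{TENANT}.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
    "authorization_endpoint": f"{HOST}/oauth2/v2.0/authorize?p={POLICY}",
    "token_endpoint": f"{HOST}/oauth2/v2.0/token?p={POLICY}",
    "jwks_uri": f"{HOST}/discovery/v2.0/keys?p={POLICY}",
    "id_token_signing_alg_values_supported": ["RS256"],
}

def metadata_url(tenant, policy):
    """Discovery URL for one B2C user flow: the tenant appears twice, the policy rides in the query."""
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com"
            f"/v2.0/.well-known/openid-configuration?p={policy}")

def new_nonce():
    """Nonce for the authorize request; keep it in the session until the id_token comes back."""
    return secrets.token_urlsafe(32)

def check_id_token_claims(claims, metadata, client_id, policy, session_nonce, now=None):
    """Validate a decoded id_token payload against the discovery document and the session nonce.
    Signature verification against jwks_uri (RS256) is assumed to have happened already (e.g. in
    Authlib); this covers the claim checks. Returns the names of failed checks, empty if OK."""
    now = time.time() if now is None else now
    problems = []
    # The issuer is the GUID form from the discovery document, not the tenant-name host.
    if claims.get("iss") != metadata["issuer"]:
        problems.append("iss")
    if claims.get("aud") != client_id:
        problems.append("aud")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        problems.append("exp")
    # The nonce binds this token to the login we started; compare in constant time.
    if not session_nonce or not secrets.compare_digest(str(claims.get("nonce", "")), session_nonce):
        problems.append("nonce")
    # tfp names the policy (user flow) the token was issued under; it must be the one requested.
    if claims.get("tfp") != policy:
        problems.append("tfp")
    return problems
```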