Flow of Azure B2C (OpenID) when using a custom Identity Provider to authenticate and then redirect to external client

Matt 0 Reputation points
2023-02-05T21:04:29.19+00:00

Hello!

I'm having some problems with the authentication flow from one web application to another web application, where B2C acts as the "middleman" between the two applications allowing for a seamless login (one directional). My scenario is as follows:

I have a web application (1) using a user flow that uses my Custom Identity Provider, which allows me to authenticate into B2C successfully. I then want to use this authenticated session in B2C to allow a second web application (2) to be logged in automatically. I don't want the two applications to be aware of each other; all communication I want is strictly via B2C.

  1. User logs into web application 1
  2. User clicks a link in web application 1 to initiate the flow with B2C
  3. B2C calls my Custom Identity Provider's Authorization endpoint to create the session in B2C
  4. A redirect occurs to web application 2 whereby an automatic redirect to B2C's authorization endpoint takes place
  5. *** This is where I would expect the code/user details to be returned to web application 2, however, B2C calls my Custom Identity Provider's Authorization endpoint again

A problem I'm having is that when web application 2 calls B2C's authorization endpoint to retrieve the logged-in user's details from B2C, B2C tries to authenticate with web application 1, even though a session already exists in B2C. I assume this is because both web applications are set to use the same user flow (which is assigned my Custom Identity Provider). I tried setting the second web application to a different user flow (Manual Login), but when attempting to authenticate I get the manual login screen for B2C even though a session already exists.

To confirm, the user flows I used for testing are predefined user flows, I am not using custom policies.

My set-up is a little complicated whereby the scenario assumes there will always be an authenticated session in B2C when it attempts to get the logged in user's details.

To confirm, I already have "Tenant" selected under the session behaviour of the user flow:

(screenshot of the user flow's session behaviour setting)

If it seems I am misunderstanding some fundamentals of B2C and my scenario isn't feasible, then please do let me know.

Is there a way to recognise in B2C that a user is already authenticated and therefore no need to reauthenticate with my Custom Identity Provider?


1 answer

  1. Akshay-MSFT 17,906 Reputation points Microsoft Employee
    2023-02-08T10:36:06.3066667+00:00

    @Matt

    As per Federated identity provider session, if there is an active session at Facebook (federated IDP), the user is not prompted to provide their credentials and is immediately redirected to Azure AD B2C with a Facebook token.

    Kindly validate that the application is not using the prompt=login parameter which would invalidate the session.

    Please do let me know if you have any further queries in the comments section.

    Thanks,

    Akshay Kaushik

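The answer asks the poster to validate the authorization requests the two applications send to B2C. The following checker, an added example that belongs to neither participant, compares two B2C `/oauth2/v2.0/authorize` URLs for the two conditions raised in this thread: both apps must target the same tenant host and the same user flow (the policy appears either as a path segment or as the `p=` query parameter), and neither may send `prompt=login`. The tenant name `contoso`, the user flow `B2C_1_signin`, the client IDs and the redirect URIs are constructed sample values.

```python
from urllib.parse import urlsplit, parse_qs


def parse_b2c_authorize_request(url):
    """Return (tenant_host, policy, query_params) for a B2C authorize URL.

    Predefined user flows are named B2C_1_<name>; the policy is taken from
    the p= query parameter if present, otherwise from the URL path.
    """
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    policy = params.get("p")
    if policy is None:
        # Path form: /{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize
        for segment in parts.path.split("/"):
            if segment.lower().startswith("b2c_1"):
                policy = segment
                break
    return parts.netloc.lower(), (policy or "").lower(), params


def check_shared_session(url_app1, url_app2):
    """Return a list of findings that explain why B2C would not reuse one session."""
    host1, policy1, params1 = parse_b2c_authorize_request(url_app1)
    host2, policy2, params2 = parse_b2c_authorize_request(url_app2)
    findings = []
    if host1 != host2:
        findings.append("different B2C tenant hosts: %s vs %s" % (host1, host2))
    if policy1 != policy2:
        # The poster observed that a second user flow shows the login screen again.
        findings.append("different user flows: %s vs %s" % (policy1, policy2))
    for app, params in (("app1", params1), ("app2", params2)):
        if params.get("prompt", "").lower() == "login":
            findings.append("%s sends prompt=login, which forces re-authentication" % app)
    return findings


# Constructed sample requests: app1 uses the path form, app2 the p= form and prompt=login.
APP1_URL = ("https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_signin/oauth2/v2.0/authorize"
            "?client_id=APP1_CLIENT_ID&response_type=code&scope=openid&state=abc"
            "&redirect_uri=https%3A%2F%2Fapp1.example%2Fcallback")
APP2_URL = ("https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize"
            "?p=B2C_1_signin&client_id=APP2_CLIENT_ID&response_type=code&scope=openid&state=def"
            "&redirect_uri=https%3A%2F%2Fapp2.example%2Fcallback&prompt=login")

if __name__ == "__main__":
    for finding in check_shared_session(APP1_URL, APP2_URL) or ["no blocking differences found"]:
        print(finding)
```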
