AAD B2C with Native App - How Can We Force Users to Always Enter Their Passwords When Signing In?

Anonymous
2023-10-09T18:37:46.6333333+00:00

We have a WPF application that allows users to authenticate against an AAD B2C custom policy by calling AcquireTokenInteractive() from MSAL.NET (4.54.1). The sign-in process works, but after signing in the first time, AcquireTokenInteractive() allows users to sign in again just by entering their usernames, without re-entering their passwords. The WPF app runs on computers in an office setting where multiple people have physical access to each machine and usernames are well known to all. Therefore, someone can sign in by typing someone else's username without a password, and this is a security risk.

According to this thread, "There is no default Sign out flow under userflows in AAD B2C". Instead, the thread suggests redirecting the user "to the end_session endpoint that is listed in the OpenID Connect metadata document". But how do we do that from a WPF native app? Is there a method in MSAL.NET that does this? Or, if we send a GET request with a plain .NET HttpClient, how do we identify the user that we want to sign out?

Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID

3 answers

  1. Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator
    2023-10-10T09:25:32.5866667+00:00

    @Anonymous

    Thank you for posting your query on Microsoft Q&A. From the above description, I understand that you want users to log in by entering their credentials each time they access the application.

    Please do correct me if this is not the case by responding in the comments section.

    The behavior above, where users are able to sign in without entering their password, is due to the session management of the IDP through which they are logged in (Google, LinkedIn, Facebook, etc.) and cannot be controlled by Azure AD B2C.

    However, if the users are accessing the application with B2C local accounts, then we can control the session as follows:


    • Web app session lifetime (minutes) - Keep this to minimum (15 min)
    • Web app session timeout - Set this to Absolute, to re-authenticate after the time period specified.
    • Single sign-on configuration - Choose Suppressed/disabled - This setting forces the user to run through the entire user flow upon every execution of the policy.
    • Enable Keep me signed in - Keep this unchecked, so that user is not remembered by the session.

    Configure Sign-out behavior:

    • Add a post logout redirect URI to the application:

    Select App registrations, and then select your application.

    Select Authentication.

    In the Logout URL text box, type your post logout redirect URI, and then select Save.

    • To add an ID token to the logout request, ensure that Require ID Token in logout requests is set to Yes.


    This would clear the application's cookies and redirect the user to Azure AD B2C to sign out.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.


  2. Anonymous
    2023-10-10T15:08:48.5366667+00:00

    Akshay,

    Thanks for your quick reply. However, your suggestions don't solve our problem, and I need to give you some further details.

    The WPF app is used by employees of our customers, and it runs in our customers' facilities. B2C allows the employees to sign in to our app with the same UPNs they use in their employers' identity providers, which can be either Azure Entra ID or Okta. We instruct our customers to create an app registration in their IDP, and we federate their app registrations with our B2C tenant by configuring app IDs, URIs, and secret keys on their side and our side. We don't support public IDPs like Facebook, and we don't create purely local B2C accounts.

    We know that when our app calls AcquireTokenInteractive(), B2C always sends the user's UPN to the customer's IDP, and the IDP is supposed to prompt the user for their password. But the IDP doesn't do this after the first sign-in, and we believe that's because the IDP thinks the user still has an active session in the application. So, we need a way to force the IDP to always start a new session when it gets a sign-in request from B2C. (Note that we don't want to sign them out of anything other than our app.)

    I don't expect you to answer this question for Okta. But for customers with Entra ID, is there a way for them to configure their app registrations in Entra ID so they always require passwords to be re-entered? If that can't be done, can B2C send a sign-out request to the IDP from an orchestration step? And if not, can we send a sign-out request to the IDP from our WPF app?


  3. Anonymous
    2023-11-03T17:54:15.71+00:00
    We opened a support ticket, and the Microsoft B2C team gave us the solution. When B2C sends a sign-in request to the IDP, it needs to include a query string parameter that says "prompt=login". (See https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow) In a B2C custom policy, this is done by 1) defining a ClaimType named "prompt", and 2) setting its value to "login" in the IDP's Technical Profile.
    
        <TrustFrameworkPolicy ...>
          <BuildingBlocks>
            <ClaimsSchema>
              ...
              <!-- Claim that B2C sends to the federated IdP as the OpenID Connect "prompt" request parameter -->
              <ClaimType Id="aadPrompt">
                <DisplayName>prompt</DisplayName>
                <DataType>string</DataType>
                <DefaultPartnerClaimTypes>
                  <Protocol Name="OpenIdConnect" PartnerClaimType="prompt" />
                </DefaultPartnerClaimTypes>
              </ClaimType>
              ...
            </ClaimsSchema>
          </BuildingBlocks>

          <ClaimsProviders>
            <ClaimsProvider>
              ...
              <TechnicalProfiles>
                <TechnicalProfile Id="Common-AAD">
                  ...
                  <Protocol Name="OpenIdConnect" />
                  <OutputTokenFormat>JWT</OutputTokenFormat>
                  ...
                  <InputClaims>
                    <!-- DefaultValue="login" makes every authorize request to the IdP carry prompt=login -->
                    <InputClaim ClaimTypeReferenceId="aadPrompt" DefaultValue="login" />
                  </InputClaims>
                  ...
                </TechnicalProfile>
              </TechnicalProfiles>
            </ClaimsProvider>
          </ClaimsProviders>
        </TrustFrameworkPolicy>
    
    And voila, Entra ID prompts for the user's password.
    
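The following C# helper is an added example for this page and is not code posted by anyone in the thread. It covers the two things the original question asks about on the WPF/MSAL.NET side: asking B2C for a fresh sign-in (MSAL.NET's `Prompt.ForceLogin`, which sends `prompt=login` to the B2C authorize endpoint) and signing one specific user out through the `end_session_endpoint` read from the OpenID Connect metadata document, identifying the user with `id_token_hint`. The tenant, policy, client ID, redirect URIs and scopes are placeholders, not values from the thread. Note the division of labour: `Prompt.ForceLogin` only stops B2C from reusing its own SSO session; whether the federated Entra ID or Okta tenant re-prompts for a password depends on the custom policy forwarding `prompt=login` to it, as the third answer above describes.

```csharp
// Added example (not from the thread). MSAL.NET 4.x, System.Text.Json.
// All tenant/policy/client values below are ASSUMED placeholders.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public sealed class B2CAuth
{
    private const string Tenant   = "contoso";                              // placeholder: {tenant}.b2clogin.com
    private const string Policy   = "B2C_1A_signup_signin";                 // placeholder custom policy
    private const string ClientId = "00000000-0000-0000-0000-000000000000"; // placeholder app (client) ID
    private const string RedirectUri = "http://localhost";                  // required for the system browser
    private const string PostLogoutRedirectUri = "http://localhost/signed-out"; // must match the app registration's Logout URL

    private static readonly string Authority =
        $"https://{Tenant}.b2clogin.com/tfp/{Tenant}.onmicrosoft.com/{Policy}";
    private static readonly string MetadataUrl =
        $"https://{Tenant}.b2clogin.com/{Tenant}.onmicrosoft.com/{Policy}/v2.0/.well-known/openid-configuration";

    private static readonly HttpClient Http = new HttpClient();

    private readonly IPublicClientApplication _app = PublicClientApplicationBuilder
        .Create(ClientId)
        .WithB2CAuthority(Authority)
        .WithRedirectUri(RedirectUri)
        .Build();

    // Interactive sign-in that always asks B2C for a fresh login.
    // Prompt.ForceLogin adds prompt=login to the request to B2C. B2C then re-runs the
    // user journey instead of reusing its own SSO cookie; the federated IdP is a
    // separate matter (see the custom-policy change in the thread).
    public Task<AuthenticationResult> SignInAsync(IntPtr parentWindowHandle, IEnumerable<string> scopes)
    {
        return _app.AcquireTokenInteractive(scopes)
            .WithPrompt(Prompt.ForceLogin)
            .WithUseEmbeddedWebView(false)            // system browser: same cookie jar the logout URL will hit
            .WithParentActivityOrWindow(parentWindowHandle)
            .ExecuteAsync();
    }

    // Sign the user out of THIS app only: forget the cached account so no silent
    // token reuse is possible, then end the B2C session in the browser.
    public async Task SignOutAsync(AuthenticationResult lastResult)
    {
        foreach (IAccount account in await _app.GetAccountsAsync())
            await _app.RemoveAsync(account);

        string endSession = await GetEndSessionEndpointAsync();
        string logoutUrl  = BuildLogoutUrl(endSession, lastResult.IdToken, PostLogoutRedirectUri);

        // Open in the default browser, where the B2C session cookies were set.
        Process.Start(new ProcessStartInfo(logoutUrl) { UseShellExecute = true });
    }

    // Read end_session_endpoint from the policy's OIDC metadata instead of hard-coding it.
    private static async Task<string> GetEndSessionEndpointAsync()
    {
        string json = await Http.GetStringAsync(MetadataUrl);
        using JsonDocument doc = JsonDocument.Parse(json);
        if (!doc.RootElement.TryGetProperty("end_session_endpoint", out JsonElement ep) || ep.GetString() == null)
            throw new InvalidOperationException("OIDC metadata has no end_session_endpoint");
        return ep.GetString();
    }

    // Pure URL builder, kept separate so it can be unit-tested without network or UI.
    // id_token_hint tells B2C WHICH user is being signed out (this is what the question
    // asked about); it is mandatory when "Require ID Token in logout requests" is Yes.
    public static string BuildLogoutUrl(string endSessionEndpoint, string idToken, string postLogoutRedirectUri)
    {
        var query = new List<string>();
        if (!string.IsNullOrEmpty(idToken))
            query.Add("id_token_hint=" + Uri.EscapeDataString(idToken));
        query.Add("post_logout_redirect_uri=" + Uri.EscapeDataString(postLogoutRedirectUri));
        string separator = endSessionEndpoint.Contains("?") ? "&" : "?";
        return endSessionEndpoint + separator + string.Join("&", query);
    }
}
```

Two practical checks before relying on this. First, the sign-in and the sign-out must use the same browser surface: the example forces the system browser with `WithUseEmbeddedWebView(false)` because MSAL's embedded web view keeps its cookies in that control, and opening the logout URL in the default browser would then not clear the B2C session the user actually has. Second, `post_logout_redirect_uri` is only honoured if it is registered as the application's Logout URL in the B2C app registration, which is the setting the first answer walks through.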
