Non-Interactive login for application registered in Azure B2C

Anonymous
2024-04-08T18:53:05.5666667+00:00

I am setting up a non-interactive login for a single-page application.

Context of SPA:

  1. SPA is written in React.
  2. It uses a .NET based backend (an access token is required to access the API exposed by the backend).
  3. SPA uses MSAL for authentication purposes.
  4. There is already an interactive login through local signIn and signUp.
  5. The UI and backend applications are registered in a single Azure B2C tenant.

The team is now looking at new ways for third-party application users to have a non-interactive login to our single-page application, i.e., when users of their third-party application click on a button, they should be redirected to our SPA and, in the background, be authenticated into our SPA.

I have tried ROPC as an option for non-interactive login, and I am getting an access token from SPA, which I cannot access on the backend. I have followed the documentation for ROPC and allowed oauth2AllowImplicitFlow: true for UI and backend applications.

I just wanted to know if there is a better way of doing non-interactive login in B2C. Any leads would be helpful.


1 answer

  1. Shweta Mathur (Microsoft Employee, Moderator)
    2024-04-12T07:00:00.4633333+00:00

    Hi @Ananth Rao ,

    Thanks for reaching out.

    The recommended way of supporting non-interactive logins for single-page applications (SPAs) in Azure Active Directory B2C (Azure AD B2C) is to use OAuth 2.0 Authorization code flow (with PKCE). This flow allows the application to exchange an authorization code for ID tokens to represent the authenticated user and Access tokens needed to call protected APIs. In addition, it returns Refresh tokens that provide long-term access to resources on behalf of users without requiring interaction with those users.

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-spa

    Regarding your issue with ROPC, it is not recommended for production environments, and it also requires a high degree of trust in the application and carries risks that are not present in other authentication flows.

    Reference to get access token using ROPC flow for API - https://stackoverflow.com/questions/74724521/non-interactive-authentication-and-authorization-in-azure-ad-b2c

    Hope this will help.

    Thanks,

    Shweta

