Azure B2C Authentication with PHP

House of Giants, LLC 21 Reputation points
2021-03-15T20:06:26.32+00:00

Hi there!

We have a PHP application built on the Zend Framework that we'd like to integrate with Azure B2C for user authentication.

I have my application registered in my B2C tenant, and I planned on using OAuth to redirect a user, and grab tokens once they're logged in. However, I'm looking for code examples (of which I can only find a few) and the main one appears to be deprecated - https://github.com/Azure-Samples/active-directory-php-graphapi-web/tree/archive

I'm assuming it's because it's using Azure AD v1.0. However, is there some reason I'm not finding that I shouldn't use PHP to do the authentication/redirection? Do I instead need to use JavaScript and MSAL.js, and then pass the token back from the client to my server?

Any guidance, suggestions, tips, etc. would be much appreciated!


3 answers

  1. JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
    2021-03-24T19:07:24.39+00:00

    @House of Giants, LLC
    Thank you for the quick follow up on this!

    When it comes to getting an access token within Azure B2C, you first need to get an authorization code. Below is an example of a request to the /authorize endpoint for an authorization code. Custom domains are not supported for use with access tokens. Use your tenant-name.onmicrosoft.com domain in the request URL. For more info - Request a token

    GET https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize?  
    client_id=<application-ID>  
    &nonce=anyRandomValue  
    &redirect_uri=https://jwt.ms  
    &scope=https://<tenant-name>.onmicrosoft.com/api/read  
    &response_type=code  
    

    After successfully receiving the authorization code, you can use it to request an access token:

    POST <tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/token HTTP/1.1  
    Host: <tenant-name>.b2clogin.com  
    Content-Type: application/x-www-form-urlencoded  
      
    grant_type=authorization_code  
    &client_id=<application-ID>  
    &scope=https://<tenant-name>.onmicrosoft.com/api/read  
    &code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMC...  
    &redirect_uri=https://jwt.ms  
    &client_secret=2hMG2-_:y12n10vwH...  
    

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


  2. JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
    2021-03-25T22:57:38.353+00:00

    @House of Giants, LLC
    I also worked with my team on this, and we were able to get the auth-code grant flow working for B2C, I'll post the steps below.

    Request to /authorize endpoint:   
    GET https://<B2C-tenant-name>.b2clogin.com/<B2C-tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize?client_id=<client-id>&response_type=code&redirect_uri=http://jwt.ms&response_mode=fragment&scope=<client-id>%20offline_access&state=1234  
      
    Note: The above request will only return a code as a fragment in the browser address bar, and no id token would be returned.  
      
      
    Request to /token endpoint:  
    POST https://<B2C-tenant-name>.b2clogin.com/<B2C-tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/token  
        
    Header: Content-Type:application/x-www-form-urlencoded  
    Body:  
    grant_type:authorization_code  
    client_id:<client-id>  
    client_secret:<client-secret>  
    redirect_uri:https://jwt.ms  
    scope:<client-id> offline_access  
    code: <code received from the above request>  
      
    Note: The call to the token endpoint should return all three tokens: access_token, id_token and refresh_token.  
    

    Can you also try doing these calls without PHP (i.e. through Postman) and see if you can fetch the tokens?

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
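The /authorize and /token requests shown in answers 1 and 2, done server-side in plain PHP with cURL. This is an added example written for this thread, not code from the asker's application or from Microsoft. Tenant, policy, client id and redirect URI are placeholders; the client secret is read from an environment variable; `openid` is added to the scope from answer 2 so an id_token is returned alongside the access and refresh tokens.

```php
<?php
session_start();
const TENANT = 'contosob2c';                                  // <B2C-tenant-name>, placeholder
const POLICY = 'B2C_1_signupsignin';                          // <policy-name>, placeholder
const CLIENT_ID = '00000000-0000-0000-0000-000000000000';     // <client-id>, placeholder
const REDIRECT_URI = 'https://app.example.com/callback.php';  // must match the app registration
const SCOPE = CLIENT_ID . ' offline_access openid';            // openid asks for the id_token
const BASE = 'https://' . TENANT . '.b2clogin.com/' . TENANT . '.onmicrosoft.com/' . POLICY . '/oauth2/v2.0';

// Step 1: send the browser to /authorize. state is compared on return (CSRF defence);
// nonce is later compared with the id_token's nonce claim. Both live in the server session.
function beginLogin(): void {
    $_SESSION['oauth_state'] = bin2hex(random_bytes(16));
    $_SESSION['oauth_nonce'] = bin2hex(random_bytes(16));
    $query = http_build_query([
        'client_id' => CLIENT_ID, 'response_type' => 'code', 'redirect_uri' => REDIRECT_URI,
        'response_mode' => 'query',   // ?code=... reaches PHP; a #fragment never leaves the browser
        'scope' => SCOPE, 'state' => $_SESSION['oauth_state'], 'nonce' => $_SESSION['oauth_nonce'],
    ]);
    header('Location: ' . BASE . '/authorize?' . $query, true, 302);
    exit;
}

// Step 2: callback. Refuse any response whose state does not match, then redeem the code
// at /token with a server-to-server POST so the client secret never reaches the browser.
function finishLogin(): array {
    if (!isset($_GET['code'], $_GET['state'], $_SESSION['oauth_state'])
        || !hash_equals($_SESSION['oauth_state'], (string) $_GET['state'])) {
        throw new RuntimeException('missing code or state mismatch');
    }
    unset($_SESSION['oauth_state']);            // single use
    $secret = getenv('B2C_CLIENT_SECRET');      // keep the secret out of source control
    if ($secret === false) { throw new RuntimeException('B2C_CLIENT_SECRET is not set'); }
    $ch = curl_init(BASE . '/token');
    curl_setopt_array($ch, [
        CURLOPT_POST => true, CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER => ['Content-Type: application/x-www-form-urlencoded'],
        CURLOPT_POSTFIELDS => http_build_query([
            'grant_type' => 'authorization_code', 'client_id' => CLIENT_ID, 'client_secret' => $secret,
            'redirect_uri' => REDIRECT_URI, 'scope' => SCOPE, 'code' => $_GET['code'],
        ]),
    ]);
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) { throw new RuntimeException("token endpoint returned HTTP $status"); }
    // Body holds access_token, id_token and refresh_token; verify the id_token before trusting it.
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}
isset($_GET['code']) ? print_r(finishLogin()) : beginLogin();
```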


  3. JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
    2021-04-01T20:29:42.463+00:00

    @House of Giants, LLC

    When it comes to Access tokens with Azure, this is a security token that's issued by an authorization server as part of an OAuth 2.0 flow. The Microsoft identity platform implements security tokens as JSON Web Tokens (JWTs) that contain claims. Since JWTs are used as security tokens, this form of authentication is sometimes called JWT authentication.

    When it comes to decrypting JWT tokens in general (I haven't tested with PHP), you should be able to leverage - https://jwt.ms/ - For more info.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
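jwt.ms only decodes a token so you can read it; a PHP backend still has to verify the id_token before trusting any claim in it. Added example, not from the thread, assuming the firebase/php-jwt Composer package and the same placeholder tenant, policy and client id as above: it reads the policy's OpenID metadata for the issuer and jwks_uri, lets the library check the RS256 signature and expiry, and then checks issuer, audience and the nonce saved at login.

```php
<?php
require __DIR__ . '/vendor/autoload.php';   // composer require firebase/php-jwt
use Firebase\JWT\JWT;
use Firebase\JWT\JWK;

// Placeholders for the tenant, policy and app registration used in the login flow.
const TENANT = 'contosob2c';
const POLICY = 'B2C_1_signupsignin';
const CLIENT_ID = '00000000-0000-0000-0000-000000000000';

// Verify a B2C id_token on the server. Signature, alg, exp and nbf are checked by
// firebase/php-jwt against the policy's published signing keys; issuer, audience and
// nonce are checked here. Returns the claims, or throws.
function verifyIdToken(string $idToken, string $expectedNonce): array {
    $metaUrl = 'https://' . TENANT . '.b2clogin.com/' . TENANT . '.onmicrosoft.com/'
             . POLICY . '/v2.0/.well-known/openid-configuration';
    $meta = fetchJson($metaUrl);              // gives "issuer" and "jwks_uri" for this policy
    $jwks = fetchJson($meta['jwks_uri']);
    // B2C keys omit "alg", so supply RS256 as the default; kid in the header picks the key.
    $keys = JWK::parseKeySet($jwks, 'RS256');
    $claims = (array) JWT::decode($idToken, $keys);
    if (($claims['iss'] ?? null) !== $meta['issuer']) {
        throw new RuntimeException('unexpected issuer');
    }
    $aud = (array) ($claims['aud'] ?? []);   // aud may be a string or a list
    if (!in_array(CLIENT_ID, $aud, true)) {
        throw new RuntimeException('token not issued for this application');
    }
    if (!hash_equals($expectedNonce, (string) ($claims['nonce'] ?? ''))) {
        throw new RuntimeException('nonce mismatch');
    }
    return $claims;
}

function fetchJson(string $url): array {
    $ctx = stream_context_create(['http' => ['timeout' => 5]]);
    $body = file_get_contents($url, false, $ctx);
    if ($body === false) { throw new RuntimeException("cannot fetch $url"); }
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

// Usage after the token exchange: $tokens from the /token response, nonce from the session.
// $claims = verifyIdToken($tokens['id_token'], $_SESSION['oauth_nonce']);
```

Cache the metadata and key set rather than fetching them on every login; B2C rotates signing keys, so refetch when a kid is not found.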

