api-management-howto-aad-b2c.md (latest commit ebc0f2b · Jan 20, 2022)
---
title: Authorize developer accounts by using Azure Active Directory B2C
titleSuffix: Azure API Management
description: Learn how to authorize users of the developer portal in Azure API Management by using Azure Active Directory B2C
services: api-management
author: dlepow
ms.service: api-management
ms.topic: how-to
ms.date: 09/28/2021
ms.author: danlep
---

# How to authorize developer accounts by using Azure Active Directory B2C in Azure API Management

Azure Active Directory B2C is a cloud identity management solution for consumer-facing web and mobile applications. You can use it to manage access to your API Management developer portal.

In this tutorial, you'll learn the configuration required in your API Management service to integrate with Azure Active Directory B2C. As noted later in this article, if you are using the deprecated legacy developer portal, some steps will differ.

For information about enabling access to the developer portal by using classic Azure Active Directory, see How to authorize developer accounts using Azure Active Directory.

## Prerequisites

[!INCLUDE premium-dev-standard.md]

## Configure sign up and sign in user flow

In this section, you'll create a user flow in your Azure Active Directory B2C tenant containing both sign up and sign in policies. For detailed steps, see Create user flows and custom policies in Azure Active Directory B2C.

  1. In the Azure portal, access your Azure Active Directory B2C tenant.
  2. Under Policies, select User flows > + New user flow.
  3. On the Create a user flow page, select the Sign up and sign in user flow.
  4. Provide the following information:
    1. Enter a unique name for the user flow.
    2. In Identity providers, select Email signup.
    3. In User attributes and token claims, select the attributes and claims needed for the API Management developer portal (not needed for the legacy developer portal).
      • Attributes: Given Name, Surname
      • Application claims: Email Addresses, Given Name, Surname, User's ObjectID
  5. Select Create.

## Configure identity provider for developer portal

  1. In a separate Azure portal tab, navigate to your API Management instance.

  2. Under Developer portal, select Identities > + Add.

  3. In the Add identity provider page, select Azure Active Directory B2C.

  4. In the Add identity provider window, copy the Redirect URL.

    :::image type="content" source="media/api-management-howto-aad-b2c/b2c-identity-provider-redirect-url.png" alt-text="Copy redirect URL":::

  5. Return to the browser tab for your Azure Active Directory B2C tenant in the Azure portal. Select App registrations > + New registration.

  6. In the Register an application page, enter your application's registration information.

    • In the Name section, enter an application name of your choosing.
    • In the Supported account types section, select Accounts in any identity provider or organizational directory (for authenticating users with user flows). For more information, see Register an application.
    • In Redirect URI, enter the Redirect URL you copied from your API Management instance. It must match that value exactly; the authorization server only sends tokens to a URI registered on the application.
    • In Permissions, select Grant admin consent to openid and offline_access permissions.
    • Select Register to create the application.

    :::image type="content" source="media/api-management-howto-aad-b2c/b2c-app-registration.png" alt-text="Register a new application":::

  7. On the app Overview page, find the Application (client) ID and copy the value to the clipboard.

    :::image type="content" source="media/api-management-howto-aad-b2c/b2c-app-id.png" alt-text="Application ID":::

  8. Switch back to the API Management Add identity provider page and paste the ID into the Client Id text box.

  9. Switch back to the B2C app registration. Select Certificates & secrets > + New client secret.

    :::image type="content" source="media/api-management-howto-aad-b2c/generate-app-key.png" alt-text="Create client secret":::

    • In the Add a client secret page, enter a Description and select Add.
    • Record the key in a safe location. This secret value is never displayed again after you leave this page.
  10. Switch back to the API Management Add identity provider page, and paste the key into the Client secret text box.

  11. Switch back to the B2C app registration. In the left menu, under Manage, select Authentication.

    • Under Implicit grant and hybrid flows, select both the Access tokens and ID tokens check boxes.
    • Select Save.
  12. Switch back to the API Management Add identity provider page.

    • In Signin tenant, specify the domain name of the Azure Active Directory B2C tenant.

    • The Authority field lets you control the Azure Active Directory B2C login URL to use. Set the value to <your_b2c_tenant_name>.b2clogin.com.

    • Specify the Signup Policy and Signin Policy from the B2C tenant policies.

    • Optionally provide the Profile Editing Policy and Password Reset Policy.

      :::image type="content" source="media/api-management-howto-aad-b2c/add-identity-provider.png" alt-text="Active Directory B2c identity provider configuration":::

  13. After you've specified the desired configuration, select Add.

After the changes are saved, developers will be able to create new accounts and sign in to the developer portal by using Azure Active Directory B2C.
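The settings gathered in the steps above (client ID, client secret, sign-in tenant, authority, and policy names) can also be submitted to API Management through its ARM REST API instead of the portal. The following added example is my own code, not part of this article or of the Azure docs repository: it assembles those values into the `properties` body of the `Microsoft.ApiManagement/service/<apim>/identityProviders/aadB2C` resource, validates the B2C-specific shapes (tenant name, `B2C_1_`/`B2C_1A_` policy names, GUID client ID, `<tenant>.b2clogin.com` authority), and derives the OpenID discovery URL of each user flow so you can confirm the tenant and policy names resolve before saving. The property names follow the APIM `IdentityProviderContract` as I know it from the REST reference; check them against the API version you target. The tenant `contoso`, the client ID, the discovery document and the `B2C_CLIENT_SECRET` environment variable are constructed placeholders, and using `<tenant>.onmicrosoft.com` as the sign-in tenant assumes the tenant's default domain.

```python
"""Constructed example (not from the article or the Azure docs repo): build and
sanity-check the aadB2C identity-provider properties for API Management, and
derive the B2C OpenID discovery URL for a policy. Field names follow the APIM
IdentityProviderContract as I know it; verify against your target API version."""
import json
import os
import re
import urllib.request

# B2C tenant name: the label before .onmicrosoft.com / .b2clogin.com.
TENANT_NAME_RE = re.compile(r"^[a-z0-9]+$")
# User flows are named B2C_1_<name>; custom policies are named B2C_1A_<name>.
POLICY_RE = re.compile(r"^B2C_1A?_[A-Za-z0-9_]+$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def build_aad_b2c_properties(tenant_name, client_id, client_secret,
                             signup_policy, signin_policy,
                             profile_editing_policy=None,
                             password_reset_policy=None):
    """Return the validated 'properties' dict for the aadB2C identity provider."""
    if not TENANT_NAME_RE.fullmatch(tenant_name):
        raise ValueError(f"unexpected B2C tenant name: {tenant_name!r}")
    if not GUID_RE.fullmatch(client_id):
        raise ValueError("client_id must be the Application (client) ID GUID")
    if not client_secret:
        raise ValueError("client secret is required (read it from a vault, not from source)")
    for name in (signup_policy, signin_policy, profile_editing_policy, password_reset_policy):
        if name is not None and not POLICY_RE.fullmatch(name):
            raise ValueError(f"not a B2C user flow / policy name: {name!r}")
    signin_tenant = f"{tenant_name}.onmicrosoft.com"   # assumes the default domain
    props = {
        "type": "aadB2C",
        "clientId": client_id,
        "clientSecret": client_secret,
        "signinTenant": signin_tenant,
        "allowedTenants": [signin_tenant],
        # The Authority value the article recommends: the b2clogin.com endpoint.
        "authority": f"{tenant_name}.b2clogin.com",
        "signupPolicyName": signup_policy,
        "signinPolicyName": signin_policy,
    }
    if profile_editing_policy:
        props["profileEditingPolicyName"] = profile_editing_policy
    if password_reset_policy:
        props["passwordResetPolicyName"] = password_reset_policy
    return props


def discovery_url(tenant_name, policy):
    """OpenID Connect metadata URL of one B2C user flow on the b2clogin.com authority."""
    return (f"https://{tenant_name}.b2clogin.com/{tenant_name}.onmicrosoft.com/"
            f"{policy}/v2.0/.well-known/openid-configuration")


def check_discovery(doc, tenant_name):
    """Return the problems found in a parsed discovery document (empty list = OK).
    Every endpoint APIM will talk to must live on the tenant's b2clogin.com host,
    and the policy must be able to issue an id_token for OpenID Connect sign-in."""
    host = f"https://{tenant_name}.b2clogin.com/"
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key, "")
        if not value.startswith(host):
            problems.append(f"{key} is {value!r}, expected it under {host}")
    if "id_token" not in " ".join(doc.get("response_types_supported", [])):
        problems.append("policy metadata lists no id_token response type")
    return problems


def fetch_discovery(tenant_name, policy, timeout=10):
    """Live lookup over the network; not used by the offline sample below."""
    with urllib.request.urlopen(discovery_url(tenant_name, policy), timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample of a B2C discovery document for a tenant named 'contoso';
# the tenant GUID inside the issuer is made up.
SAMPLE_DISCOVERY = {
    "issuer": "https://contoso.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
    "authorization_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/b2c_1_signupsignin/oauth2/v2.0/authorize",
    "token_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/b2c_1_signupsignin/oauth2/v2.0/token",
    "jwks_uri": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/b2c_1_signupsignin/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
}

if __name__ == "__main__":
    props = build_aad_b2c_properties(
        tenant_name="contoso",
        client_id="11111111-2222-3333-4444-555555555555",   # constructed
        client_secret=os.environ.get("B2C_CLIENT_SECRET", "<client-secret-placeholder>"),
        signup_policy="B2C_1_signupsignin", signin_policy="B2C_1_signupsignin",
        password_reset_policy="B2C_1_passwordreset")
    # Never log the secret; mask it in the printed payload.
    print(json.dumps({"properties": {**props, "clientSecret": "***"}}, indent=2))
    print(discovery_url("contoso", props["signinPolicyName"]))
    print("discovery problems:", check_discovery(SAMPLE_DISCOVERY, "contoso") or "none")
```

The printed `{"properties": ...}` object is the body you would PUT to the `identityProviders/aadB2C` resource with `az rest` or an ARM client; keep the secret in a vault or environment variable rather than in the script, and after saving, republish the developer portal as the next section notes.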

## Developer portal - add Azure Active Directory B2C account authentication

> [!IMPORTANT]
> You need to republish the developer portal when you create or update Azure Active Directory B2C configuration settings for the changes to take effect.

In the developer portal, sign-in with Azure Active Directory B2C is possible with the Sign-in button: OAuth widget. The widget is already included on the sign-in page of the default developer portal content.

  1. To sign in by using Azure Active Directory B2C, open a new browser window and go to the developer portal. Select Sign in.

  2. On the Sign in page, select Azure Active Directory B2C.

    :::image type="content" source="media/api-management-howto-aad-b2c/developer-portal-sign-in.png" alt-text="Sign in to developer portal":::

  3. You're redirected to the signup policy that you configured in the previous section. Choose to sign up by using your email address in the Active Directory B2C tenant.

When the signup is complete, you're redirected back to the developer portal. You're now signed in to the developer portal for your API Management service instance.

:::image type="content" source="media/api-management-howto-aad-b2c/developer-portal-home.png" alt-text="Sign in to developer portal complete":::

Although a new account is automatically created whenever a new user signs in with Azure Active Directory B2C, you may consider adding the same widget to the signup page.

The Sign-up form: OAuth widget represents a form used for signing up with OAuth.

## Legacy developer portal - how to sign up with Azure Active Directory B2C

[!INCLUDE api-management-portal-legacy.md]

> [!NOTE]
> To properly integrate B2C with the legacy developer portal, use standard v1 user flows, in combination with enabling password reset before signing up/signing into a developer account using Azure Active Directory B2C.

  1. Open a new browser window and go to the legacy developer portal. Click the Sign up button.

    :::image type="content" source="media/api-management-howto-aad-b2c/b2c-dev-portal.png" alt-text="Sign up in legacy developer portal":::

  2. Choose to sign up with Azure Active Directory B2C.

    :::image type="content" source="media/api-management-howto-aad-b2c/b2c-dev-portal-b2c-button.png" alt-text="Sign up with Azure Active Directory B2C":::

  3. You're redirected to the signup policy you configured in the previous section. Choose to sign up by using your email address or one of your existing social accounts.

    > [!NOTE]
    > If Azure Active Directory B2C is the only option enabled on the Identities tab in the Azure portal, you'll be redirected to the signup policy directly.

    :::image type="content" source="media/api-management-howto-aad-b2c/b2c-dev-portal-b2c-options.png" alt-text="Sign up options in legacy developer portal":::

    When the signup is complete, you're redirected back to the developer portal. You're now signed in to the developer portal for your API Management service instance.

## Next steps