如何通过 Azure AD B2C 使用身份验证功能在 Azure Web 应用程序上添加身份验证？

Question

I would like to add authentication to a web application running on Azure Web Apps using Azure AD B2C.

To do so, I followed the following steps:

1. Create an tenant on Azure AD B2C
2. Add app registration and client key
3. Add user flow
4. From "Authentication" (on the left side panel) on Azure Web Apps, I chose Microsoft as identity provider and supplied configurations based on the values obtained in the previous steps.

But when I accessed the Azure Web Apps url, I was not redirected to the login page, but got the following message.

{"code":401,"message":"An error of type 'unauthorized_client' occurred during the login process: 'AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow.\r\nCorrelation ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\r\nTimestamp: 2021-04-09 10:06:00Z\r\n'"}

Also, in the edit page of identify provider, it says Application with ID xxxxxxxxxxxxxxxx not found in the current tenant. Tenant ID: yyyyyyyyyyyyyyyyy. Application with ID xxxxxxxxxxxxxxxx not found in the current tenant. Tenant ID: yyyyyyyyyyyyyyyyy.

This obviously means that the application I registered on the Azure B2C tenant is not on the same tenant as one the Azure Web Apps is linked.

My question is "how to add authentication on Azure Web App using its "Authentication" feature via Azure AD B2C?". Does Microsoft identity provider of The "Authentication" feature only support clients on the same tenant as Azure Web Apps?

Answer 1

how to add authentication on Azure Web App using its "Authentication" feature via Azure AD B2C?

According to your error, it should be caused by your application not enabling implicit flow. So, you need to enable it in Azure B2C.

1. Go to Azure B2C portal>App registrations>your app>Authentication.

2.Go to Azure B2C portal>Applications (Legacy)>your app.

Does Microsoft identity provider of The "Authentication" feature only support clients on the same tenant as Azure Web Apps?

Yes.

Answer 2

Go to Azure App Service --> Under Settings Click Authentication AppService Authentication

Edit Authentication Settings and select RequiresAuthentiction Authentication allow

Then Click on Add Identity Provider and Select the Identity provider from the list Select Provider

After Selecting Identity Provider choose App Registration type . Microsoft itsef creates and registers App registration for top 2 choices --> If you choose Provide the details of an existing app registration follow below steps

To create an App Registration in AAD follow this link-- https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#register-an-application-with-azure-ad-and-create-a-service-principal

1.Fill the Application Client Id which is App Registration ID you will get on creating App Registration

2.provide client secret which you can create on App Registration

3. Issuer url would be -- https://sts.windows.net/{tenant-id}/v2.0 (replace with your Tenant ID inside{})

4. Allowed token audiences would be -- api://{Application-Client-Id} (replace with your Application Client Id inside{}) Authentication and Click Add

5.Final task is to add Authentication scope Goto your AppRegistration in AAD and click Authentication Authentication AAD

6. click on Add a platform and select Web

7.After selecting add a Redirect URI Redirecting URI would be https://{appservice-name}.azurewebsites.net/.auth/login/aad/callback (replace with your app service name inside{}) and select ID Tokens Rediret URL Click on configure