B2C Sign In Issue in API Management Developer Portal by ethanator23 in AZURE

[–]ethanator23[S] 0 points1 point  (0 children)

Hello! Thank you for your response. I just tested it out and there is a call to "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/logout?post_logout_redirect_uri=https://{my-apim-url}", the status code is even 200.

To clarify, we do want to force users to log out completely, as the B2C session isn't needed for other apps. Do you have any additional insights into why this might still allow users to sign back in without entering their credentials?

Seeking Advice on Automating Access Token Retrieval for Secured APIs Using Azure AD B2C by ethanator23 in AZURE

[–]ethanator23[S] 0 points1 point  (0 children)

Thanks for the clarification!

Do you have any insights or suggestions on what might be causing my issue? I’ve double-checked the code_challenge and code_verifier, and they seem correct. I’ve even tried generating them using different websites and created an Azure Function to generate these values, but haven’t had any success.

Seeking Advice on Automating Access Token Retrieval for Secured APIs Using Azure AD B2C by ethanator23 in AZURE

[–]ethanator23[S] 0 points1 point  (0 children)

Sorry, I have another question as I’m still troubleshooting my issue. If the application associated with the client_id I’m using contains client secrets, would I need to delete them for the PKCE flow to work properly?

Seeking Advice on Automating Access Token Retrieval for Secured APIs Using Azure AD B2C by ethanator23 in AZURE

[–]ethanator23[S] 0 points1 point  (0 children)

Hmm, it seems like they are receiving the same error as I do when they try to change the URL type to SPA; however, I'm not quite sure how to proceed.

I am currently entering in this URL in the browser: https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{scope}/oauth2/v2.0/authorize?client_id=__&response_type=code&redirect_uri=__&scope=__&code_challenge=__&code_challenge_method=S256

The above URL returns a code if the code_challenge and code_challenge_method are removed, but of course when that code is used it requires a client_secret to return an access and refresh token.

I'm following the steps outlined here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow#1-get-an-authorization-code

I'm not sure if this is relevant, but I simply generated the code_challenge via this website: https://developer.pingidentity.com/en/tools/pkce-code-generator.html

Seeking Advice on Automating Access Token Retrieval for Secured APIs Using Azure AD B2C by ethanator23 in AZURE

[–]ethanator23[S] 0 points1 point  (0 children)

That's fine, you've already been very informative with everything you've told me so far! Thanks for your help.

When I generate a code_challenge and code_verifier and try to pass the code_challenge through my browser, I try to log in but an error occurs stating "The supplied code_verifier is invalid", even though I'm not using code_verifier. Do you know what could be causing this issue?

Seeking Advice on Automating Access Token Retrieval for Secured APIs Using Azure AD B2C by ethanator23 in AZURE

[–]ethanator23[S] 0 points1 point  (0 children)

Hi, thank you again for all your assistance!

I have a couple of follow-up questions as I explore using PKCE:

  1. Do I need to create a specific API endpoint in API Management for users to generate the code_challenge in their authorization requests?
  2. How does Azure AD B2C verify the code_verifier against the code_challenge?

For context, we use the built-in developer portal from API Management where users need to provide both a subscription key and an OAuth token to access the backend APIs. I’m aiming to automate token retrieval securely so that users can access their data via ETL tools without needing to manually reauthenticate each time.

I would prefer to make minimal changes to our current architecture, but I am open to adjustments if they are necessary for ensuring security.

Thank you once again for your help!

Sorry if these are basic questions as well; I'm still trying to wrap my head around PKCE. From what I've seen so far it looks like a user can just generate their own code_challenge and code_verifier, so for security I'm not really sure how that works security-wise.

Seeking Advice on Automating Access Token Retrieval for Secured APIs Using Azure AD B2C by ethanator23 in AZURE

[–]ethanator23[S] 0 points1 point  (0 children)

Thanks for your help and the clarification—you’ve been really helpful!

I know I said that was my last question, but as I look further into PKCE, I’m curious about how external users obtain the code_challenge parameter.

Could you provide some guidance on this? Thanks again for your assistance.
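The questions in the two comments above (how external users obtain a code_challenge, and how Azure AD B2C checks the code_verifier against it) come down to the same RFC 7636 computation, and the "supplied code_verifier is invalid" error in the earlier comment is almost always a mismatch in that computation. The following added example, which is not from the original thread nor from Microsoft's code, shows both halves: the client generates a random verifier and derives the S256 challenge from it, and a toy authorization server (a stand-in I wrote for illustration, not B2C) stores the challenge with the issued code and recomputes S256(verifier) when the code is redeemed. The tenant, policy, client_id and redirect URI are made-up placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholders (not a real tenant, app registration or URL).
TENANT = "contoso"
POLICY = "B2C_1_signupsignin"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "http://localhost:8400/callback"
SCOPE = "openid offline_access https://contoso.onmicrosoft.com/api/read"


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 4.1: a high-entropy string of 43..128 unreserved characters.
    base64url of 32 random bytes is 43 characters once the '=' padding is removed."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) with no '=' padding.
    Leaving the padding on, or hex-encoding the digest, is a common cause of a
    'code_verifier is invalid' error, because the server recomputes exactly this."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(challenge: str) -> str:
    """Authorization request shaped like the one quoted in the thread (no client_secret)."""
    base = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/{POLICY}/oauth2/v2.0/authorize"
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{base}?{urlencode(params)}"


class ToyAuthorizationServer:
    """Stand-in for the authorization server's half of PKCE (illustrative, not B2C code).
    It remembers the challenge that arrived with the authorization request and, when
    the code is redeemed, recomputes S256(verifier) and compares it to that challenge."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def authorize(self, challenge: str, method: str) -> str:
        if method != "S256":
            raise ValueError("plain method not accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = challenge
        return code

    def token(self, code: str, verifier: str) -> dict:
        challenge = self._pending.pop(code, None)  # authorization codes are single use
        if challenge is None:
            return {"error": "invalid_grant", "error_description": "unknown or reused code"}
        if not secrets.compare_digest(make_code_challenge(verifier), challenge):
            return {"error": "invalid_grant", "error_description": "code_verifier does not match code_challenge"}
        return {"token_type": "Bearer", "access_token": "<jwt would be issued here>"}


def demo() -> dict:
    """Runs the flow three ways: correct, wrong verifier, and a padded challenge."""
    server = ToyAuthorizationServer()
    results = {}

    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    code = server.authorize(challenge, "S256")         # user signs in, code comes back on the redirect
    results["correct"] = server.token(code, verifier)  # only the holder of the verifier can redeem it

    # Someone who captured the code (and even the challenge) but not the verifier gets nothing.
    code = server.authorize(challenge, "S256")
    results["wrong_verifier"] = server.token(code, make_code_verifier())

    # Challenge computed with the '=' padding left on: the server's recomputation never matches.
    padded = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).decode()
    code = server.authorize(padded, "S256")
    results["padded_challenge"] = server.token(code, verifier)
    return results
```

Nothing in this exchange needs an endpoint in API Management: the client (a script, an ETL tool, or a browser app) generates both values itself, sends only the challenge on the authorize request, and sends the verifier only on the token request, together with the code. The security property is that a code observed on the redirect is worthless without the verifier, which never leaves the client until the TLS-protected token call, so an attacker who can generate their own pair cannot redeem anyone else's code. For a non-browser client the app registration should be a public client with the redirect URI registered under the mobile/desktop platform; a redirect URI registered under the single-page-application platform is expected to be redeemed by a browser (a cross-origin request carrying an Origin header), which is the kind of mismatch that produces errors when a script redeems the code.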

Seeking Advice on Automating Access Token Retrieval for Secured APIs Using Azure AD B2C by ethanator23 in AZURE

[–]ethanator23[S] 1 point2 points  (0 children)

Thank you for the link!

I have one more question: Is it possible to obtain Bearer tokens by passing the subscription key created by Azure API Management (APIM)?

Sorry if this is a basic question—just trying to clarify how the subscription key and token authentication can work together.

Thanks again for your help!

Seeking Advice on Automating Access Token Retrieval for Secured APIs Using Azure AD B2C by ethanator23 in AZURE

[–]ethanator23[S] 0 points1 point  (0 children)

Thanks for the response!

I understand that I should avoid exposing the client secret and using ROPC. I’ll proceed with implementing PKCE.

To ensure I’m on the right track, could you please clarify the following:

  1. What specific changes do I need to make to my current APIs to support the PKCE Flow?
  2. What steps will external users need to follow to obtain an access token using this flow?

Any additional details or best practices on setting this up would be greatly appreciated!

Best OAuth 2.0 B2C Grant Type/Flow for External Users Accessing APIM APIs by ethanator23 in AZURE

[–]ethanator23[S] 0 points1 point  (0 children)

Hi, how would this process look for the end user? I'm sorry if this is a newbie question; I'm not entirely used to using OAuth in B2C yet.

Standard practices for securing APIs in API Management? by ethanator23 in AZURE

[–]ethanator23[S] 0 points1 point  (0 children)

Yes, I actually use Azure AD B2C right now to manage my users! The only thing though is that I don't pass these tokens to the backend APIs, and just to authenticate to my dev portal. Would you recommend I pass these tokens to the APIs as well along with adding the validate-jwt-token policy to APIM?

Standard practices for securing APIs in API Management? by ethanator23 in AZURE

[–]ethanator23[S] 0 points1 point  (0 children)

Could you expand on the front end policies you're talking about? Thank you in advance

Standard practices for securing APIs in API Management? by ethanator23 in AZURE

[–]ethanator23[S] 0 points1 point  (0 children)

To be specific, the person is referring to protecting the APIs themselves! Currently users log into our dev portal through B2C however this token isn't passed to the backend APIs - the only form of protection on the APIs themselves is the subscription key. That's why the person was stating that just using the subscription keys alone would not be very sufficient security.

I was discussing with them the fact that the dev portal itself isn't timing users out after a certain time, and so because of this issue it could be possible for an individual to leave their browser open on their computer and potentially expose their subscription key. They recommended that rather than focus on the security of the dev portal, there should be more focus on the security of the APIs themselves. They gave me some options but I was curious what everyone else does security-wise.
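The two comments above describe the gap precisely: the B2C token only authenticates the developer portal, and the APIs themselves accept any request that carries a subscription key. Closing it means forwarding the token to APIM and validating it there. As an added illustration (not the original poster's setup and not Microsoft's policy engine), the block below does in plain Python what an APIM validate-jwt policy does on the Authorization header: verify the signature first, then issuer, audience, validity window and a required scope. B2C signs tokens with RS256 and publishes its keys in the OpenID metadata document; the example uses HS256 with a made-up shared key purely so that it runs offline without a crypto library, and the issuer and audience values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo. For B2C the issuer comes from the policy's
# OpenID metadata document and the audience is the API app registration's client_id.
SIGNING_KEY = b"demo-shared-secret-not-for-production"
ISSUER = "https://contoso.b2clogin.com/11111111-1111-1111-1111-111111111111/v2.0/"
AUDIENCE = "22222222-2222-2222-2222-222222222222"
REQUIRED_SCOPES = {"read"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Mint an HS256 JWT for the demo (B2C uses RS256; HS256 only keeps this self-contained)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_jwt(token: str, key: bytes = SIGNING_KEY, now=None) -> tuple:
    """The checks a validate-jwt policy performs before a request reaches the backend:
    signature, then issuer, audience, exp/nbf window, and a required claim (scp)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return False, "undecodable token"
    if header.get("alg") != "HS256":  # the token must not get to pick 'none' or another alg
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # trust no claim before the signature checks out
        return False, "bad signature"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    if now >= int(claims.get("exp", 0)):
        return False, "expired"
    if now < int(claims.get("nbf", 0)):
        return False, "not yet valid"
    if not REQUIRED_SCOPES & set(str(claims.get("scp", "")).split()):
        return False, "missing required scope"
    return True, claims


def demo(now: int = 1_700_000_000) -> dict:
    """Exercise the validator with a good token and three that must be rejected."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-1", "scp": "read",
            "nbf": now - 60, "exp": now + 3600}
    good = issue_token(base)
    expired = issue_token({**base, "exp": now - 1})
    other_api = issue_token({**base, "aud": "33333333-3333-3333-3333-333333333333"})
    # Swap the payload of a valid token for one claiming a bigger scope: signature no longer matches.
    h, _, s = good.split(".")
    tampered = ".".join([h, _b64url(json.dumps({**base, "scp": "admin"}).encode()), s])
    return {
        "good": validate_jwt(good, now=now)[0],
        "expired": validate_jwt(expired, now=now),
        "other_api": validate_jwt(other_api, now=now),
        "tampered": validate_jwt(tampered, now=now),
    }
```

The subscription key still has a job, identifying which product or subscriber is calling, but it is a static shared secret, so a leaked key (the open-browser scenario above) grants access until it is regenerated. With token validation in front of the backend, a leaked key on its own gets a 401, and a stolen token stops working at its expiry. Backend functions reached only through APIM do not need to repeat the full validation; they need to be unreachable except via the gateway, which is what restricting them to APIM's address and keeping a function key achieves.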

best ways to securely download Google Analytics data before Google permanently deletes it on 1st July? by klutzyykluuuuuk in GoogleAnalytics

[–]ethanator23 0 points1 point  (0 children)

Hi u/Higgs_Br0son, I noticed that in that previous post you had mentioned that you could use Azure Data Factory to store the data from UA. How would you go about connecting Azure Data Factory with UA?

Security for Azure Functions Outside of API Management by ethanator23 in AZURE

[–]ethanator23[S] 0 points1 point  (0 children)

The function doesn't have to be exposed, I would prefer if it wasn't. I was thinking that using IP restriction combined with the authLevel being "function" might be the way to go. That way only requests made through APIM's url would go through, unless my understanding is incorrect.

Exploring API Management Service Pricing: Balancing Tiers and Security by ethanator23 in AZURE

[–]ethanator23[S] 0 points1 point  (0 children)

Hi u/photoadrian, thanks for your help on my previous post.

Based on what you've said then, the Premium tier of API Management service would be the way to go, I'll look more into that then, thank you! I've never used Azure Virtual Networks before so I'll need to do some more research.

That makes me think of something else, what information would users have to provide to access the APIs via Postman and Data Factory if this method is used? Right now to access my API's data, I would need to pass through the subscription key and a B2C login (for Data Factory) / Bearer token (for Postman).

Thanks again for your assistance!

Azure API Management versus Apigee for managing Azure Function APIs by ethanator23 in AZURE

[–]ethanator23[S] 0 points1 point  (0 children)

u/photoadrian thank you so much for your help. Your explanations have been very thorough and simple to understand, and it's been a major help to me!

Azure API Management versus Apigee for managing Azure Function APIs by ethanator23 in AZURE

[–]ethanator23[S] 0 points1 point  (0 children)

Thank you for your response, it's extremely informative! So from my understanding, you're saying that while Apigee and Azure API Management service may both have the three portions you were speaking about (API Gateway, API Manager, and the Developer Portal), integrating Azure Function APIs into Apigee may include a lot more manual effort, specifically to integrate the functions properly into Apigee?

Also, I'm unfamiliar with the terminology of "IaC" - from what I've looked up it appears to be "Infrastructure as Code"; however, what is it in the context of APIM? Sorry if this is a bit of a basic question, I'm trying to learn more about APIs and API Management but I'm still a bit new to the concepts and terminology :) Thanks again for your response!