Azure AD B2C Pains

I am currently trying to do something that I thought would be simple (famous last words…): using Microsoft Azure’s Active Directory Business 2 Consumer authentication system to authenticate website users against the Microsoft Account identity provider (i.e., allow people to use the IDs they’ve registered with Microsoft).

It turns out this is a real PITA. In fact, it was only slightly less of a PITA to get the Google identity provider to work. 

Why? Because the Azure portal and many (all?) of the Azure subsystems are evolving so rapidly that even online documentation is out of date. Which means that even following the directions, from Microsoft, is no guarantee that the Microsoft software will work the way it’s supposed to work. Sometimes, in fact, you end up causing yourself lots of problems, by trying to map the existing, inaccurate directions to what you’re seeing on screen in front of you.

Like the time I was attempting to follow steps directing me to “switch into the correct Azure AD B2C folder”, and I inadvertently moved every one of my Azure assets into a different folder, causing them to disappear from the portal. Turned out to be easy enough to fix — after raising an irate support request through the portal — but not something I’d like to experience again. Unfortunately, given the state of things Azure, I suspect it’s only a matter of time. Maybe I’ll enjoy being bald, after I rip out all of my hair…

In the interest of documenting one small such documentation/instruction mismatch, the Azure AD B2C team recently changed the site they want you to use, from 

https://login.microsoftonline.com/tfp/

to 

https://ridemonitor.b2clogin.com

In and of itself that’s not a big deal; but you have to remember to change it in both the Azure portal and in your app, because inconsistencies cause the Azure AD B2C system to fail, complaining about redirect problems. I learned this the hard way, by making the change only in the Azure portal, and then spending hours scratching my head wondering why I was getting that redirect error.

The solution was to change the line in the appsettings.json file which defined the Instance:

{
  "AzureAdB2C": {
    "Instance": "https://ridemonitor.b2clogin.com",
    "ClientId": "redacted",
    "ClientSecret": "redacted",
    "CallbackPath": "/signin-oidc",
    "Domain": "ridemonitor.onmicrosoft.com",
    "Tenant": "ridemonitor.onmicrosoft.com",
    "RedirectUri": "https://localhost:5000/signin-oidc",
    "SignUpSignInPolicyId": "b2c_1_SignUpIn",
    "ResetPasswordPolicyId": "b2c_1_PWReset",
    "EditProfilePolicyId": "b2c_1_ProfileEditing"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Warning"
    }
  },
  "AllowedHosts": "*"
}

As an aside, it sure would be nice if there was a way to configure the Azure AD B2C system so that you could put it in some kind of debug/trace mode, and have it log what it was doing and what caused it to fail. Depending upon brief error messages at the end of the process isn’t particularly helpful.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Archives
Categories