Azure AD B2C tips
How to have a separate staging and testing token-enrichment process without creating another Azure AD B2C tenant.
Depending on your use case, you might want a separate process for the custom claims (token enrichment) in your user flow. The Azure AD B2C engine calls your APIs to get the claims it includes in the JWT. During staging, however, you may want two separate API endpoints for Azure to call: one is the backend that sits in the staging environment, the other is the endpoint in your local dev environment.
The secure solution is to create separate Azure AD B2C tenants for testing and production. During staging, however, you can simplify the process with a temporary custom policy, derived from the final policy, that calls the development APIs instead.
The process is as follows:
- ensure that the API endpoints reside in the main user-flow policy.
- create a duplicate of the custom policy that holds the orchestration steps and the API endpoints.
- put the appropriate URL for each endpoint in each file.
- upload the test policy to Azure.
- update your application to use the new test policy in the dev environment.
Step 1: check the technical profile
The first step is to check that the technical profile exists in the policy file that contains the user journey.
<TechnicalProfile Id="EnrichToken">
  <DisplayName>...</DisplayName>
  <Metadata>
    <Item Key="ServiceUrl">https://yourendpoint.com/api/.../</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="..." />
    ...
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="..."/>
    ...
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="...." />
</TechnicalProfile>
Step 2: create the test policy
- create a duplicate of that policy file.
- remove all parts that you don't need to change.
- include the main policy file as the base policy of the test policy file.
- since the Identity Experience Framework has an inheritance model, everything you do not override is inherited from the base policy.
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="yourtenant.onmicrosoft.com" PolicyId="B2C_1A_yourNewTestPolicyFileName" PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_yourNewTestPolicyFileName" TenantObjectId="...">
  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_NameOfPreviousPolicyFile</PolicyId>
  </BasePolicy>
  ....
</TrustFrameworkPolicy>
Step 3: change the endpoints
In the test policy file, replace the endpoint with the development API endpoint.
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>...</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="EnrichToken">
        <Metadata>
          <Item Key="ServiceUrl">https://yourdevendpoint.com/api/...</Item>
        </Metadata>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
Step 4: upload to Azure
Upload the created test policy to Azure.
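Before uploading, it is worth checking that the test policy really is only an endpoint override of the production policy. The script below is an added example, not part of the original post: it parses two constructed, trimmed policy files (names `B2C_1A_Prod`, `B2C_1A_ProdTest` and the endpoint URLs are assumptions), confirms the test policy inherits from the production one under a different PolicyId, carries nothing beyond BasePolicy and ClaimsProviders, and that every overridden ServiceUrl uses HTTPS and no longer points at the production backend.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
ALLOWED_TOP_LEVEL = {"BasePolicy", "ClaimsProviders"}  # all a test policy should carry
# Constructed sample policies, trimmed to the parts relevant to the check.
PROD_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
    PolicyId="B2C_1A_Prod" TenantId="yourtenant.onmicrosoft.com">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles><TechnicalProfile Id="EnrichToken">
    <Metadata><Item Key="ServiceUrl">https://yourendpoint.com/api/enrich</Item></Metadata>
  </TechnicalProfile></TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""

TEST_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
    PolicyId="B2C_1A_ProdTest" TenantId="yourtenant.onmicrosoft.com">
  <BasePolicy><TenantId>yourtenant.onmicrosoft.com</TenantId><PolicyId>B2C_1A_Prod</PolicyId></BasePolicy>
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles><TechnicalProfile Id="EnrichToken">
    <Metadata><Item Key="ServiceUrl">https://yourdevendpoint.com/api/enrich</Item></Metadata>
  </TechnicalProfile></TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""


def service_urls(policy_xml):
    """Map TechnicalProfile Id -> ServiceUrl for every profile that sets one."""
    urls = {}
    for tp in ET.fromstring(policy_xml).iterfind(".//cpim:TechnicalProfile", NS):
        item = tp.find("cpim:Metadata/cpim:Item[@Key='ServiceUrl']", NS)
        if item is not None:
            urls[tp.get("Id")] = item.text.strip()
    return urls


def check_test_policy(prod_xml, test_xml):
    """Return findings for a test policy; an empty list means it is safe to upload."""
    findings = []
    prod, test = ET.fromstring(prod_xml), ET.fromstring(test_xml)
    base = test.find("cpim:BasePolicy/cpim:PolicyId", NS)
    if base is None or base.text != prod.get("PolicyId"):
        findings.append("test policy does not inherit from the production policy")
    if test.get("PolicyId") == prod.get("PolicyId"):
        findings.append("test policy reuses the production PolicyId; uploading would overwrite it")
    # Anything beyond the endpoint override widens what the test policy can change.
    extra = {c.tag.split("}")[-1] for c in test} - ALLOWED_TOP_LEVEL
    findings += [f"unexpected top-level element {name}" for name in sorted(extra)]
    prod_urls = service_urls(prod_xml)
    for tp_id, url in service_urls(test_xml).items():
        if tp_id not in prod_urls:
            findings.append(f"{tp_id}: not in the base policy, nothing to override")
        if urlparse(url).scheme != "https":
            findings.append(f"{tp_id}: ServiceUrl must use https")
        if url == prod_urls.get(tp_id):
            findings.append(f"{tp_id}: ServiceUrl still points at the production endpoint")
    return findings
```

Run it against your real policy files and refuse the upload if the list is non-empty.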
Final step: update the application
Add logic to your application so that it requests this new test policy for authentication in the dev environment.
If you're using Blazor or ASP.NET, you can configure this through the app settings:
- next to appsettings.json, create appsettings.Development.json (the file name is case sensitive).
- override the values for the policy:
"AzureAd": {
  "Authority": "https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/B2C_1A_yourNewTestPolicyFileName"
}
Finally, test.
Thanks for reading. Have a good day!