Azure AD B2C — Create and Register User Flows

Siva Saripilli
6 min read · Sep 21, 2021

Welcome back to the 2nd part of my Azure AD B2C journey. In the previous article I detailed how you can create and configure an Azure AD B2C tenant. If you haven’t gone through it, I would highly recommend reading that article before this one. Here’s the link to it: Azure AD B2C — Hello World! In this article I would like to experiment with the next step, which is to create User Flows.

User Flows — what are they and why do we need them? User flows are how we define and control the behavior of sign-up / sign-in: what account types we want to create, what attributes we want to collect (for example first name, last name, etc.), whether we want to use MFA, and how to customize the interface if required.

However, I would like to keep this article simple and limit the scope to creating a User Flow and verifying the JWT token returned. But before creating User Flows, we will have to create an App Registration to use with our User Flows. So, let’s go and create a simple App Registration.

Go to Azure AD B2C and click on “App Registrations” > New Registration

This should open a blade where you could enter the App details

Note that here I’ve used https://jwt.ms as the redirect URL. Like I mentioned earlier, in this article I’m limiting the scope to creating User Flows and verifying the JWT tokens. jwt.ms is a convenient way to inspect the tokens and the information you want returned to your application once the user flow is executed. Ideally, this would be your web app / API URL that handles the response from Azure AD B2C. We’ll look at how we can do that in future articles.

The account type will have to be the last option, as we are not limiting sign-in to any organizational directory and are keeping the web application or API open to the public.

Once you fill in the required details, hit “Register”. It should take a minute for Azure to provision the App Registration. As the scope of this article is Azure AD B2C, I will not go into the details of App Registration 😊.

If you are wondering why we need to create an App Registration in the first place: this is because we want to tell Azure AD B2C which application will be using the User Flows. In this way, we limit requests coming from anywhere else.

Note: Once you register your app, make sure to go to “Authentication” and grant permissions based on the type of app you will be using the user flow with. In my case, I’m selecting both as I would like to experiment with different types of apps.

If you’d like to know more about identity and how the authentication grant flow works, please go through the MS documentation — OAuth 2.0 implicit grant flow — The Microsoft identity platform | Microsoft Docs

CREATING USER FLOWS

Now, go back to Azure AD B2C and click on “User Flows” and then on “New user flow”

Azure provides quite a few user flows that will suffice in most scenarios. It’s usually easiest to stick to one of these unless you’ve got a very peculiar user flow, in which case you may be required to create custom policies. I haven’t personally gone through that yet, but if I do, I’ll try to come up with an article on how you can do it. But let’s discuss the ones that Azure provides by default.

I won’t go through each of those in this article, as they are set up in much the same way. Instead, I’ll go through the “Sign up and Sign in” user flow.

Sign up and sign in:

At the time I’m writing this article, Azure is providing a Recommended version and a Legacy version of this user flow. Let’s go ahead with the MS recommended version, as they may retire the legacy one in future🤷‍♀️!

Click “Create” and this should take you to a page where you can enter more details

Name: As indicated, this needs to be a unique name for the user flow within your tenant. It could be anything that makes sense to you.

Identity providers: By default you will have only “Email signup”, as I’ve got here, but you can add different identity providers like Google, Facebook, etc., which I will go into in detail in another article. For the context of this article I’ll limit it to the MS default option, which is email. Otherwise, this article will be too long.

Multifactor authentication: You can opt for multifactor authentication using the various options provided. Let’s not use that for now.

Conditional access: This is for when you want to enforce rules about when MFA needs to happen, or whether it needs to happen every time someone goes through the user flow.

User attributes and token claims: Here you can select all the attributes you want the user flow to ask the user for, and also which attributes you want to include in the response. You can select “show more…” to see a full list of attributes. In my example, I’m selecting the following attributes to collect and to be included in the returned claims.

Click on “Create”. It will take a moment to create your user flow, and when ready it will show up in the list of user flows you’ve got.

Clicking on the created user flow would show up more details:

You can test your user flow by clicking on the “Run user flow” button at the top

This should come up with the below screen. Because we don’t have an account, click on “Sign up now”

Follow the instructions and enter your details on the sign-up page. It will ask you to verify your email and enter the details for the attributes we configured to collect in our earlier steps.

You’ll get a verification email with a code and once you verify your email, hit “Create”.

This should take you to the redirect URL that we set earlier in our App Registration, right at the beginning. In our example, I’ve set it to https://jwt.ms. So Azure AD B2C creates the user and sends back a JWT token, which will look as below:

This is a really good way to check whether your JWT token is valid and whether it’s returning everything that you configured in your return claim attributes. If you need to understand more about each of the claims returned, you can click on the “Claims” tab and it will give you more detailed information about what each of the returned claims means.

If you want to know more about JWT tokens in general — https://jwt.io/introduction

As I’m learning along, please let me know if you think there was something that I’ve missed explaining, and I’ll try my best to cover it in another article 😊🙏🤘.

Previous article < Azure AD B2C — Hello World!
