Anonymous access to Azure AD B2C

Rory Braybrook
The new control plane
2 min read, Oct 31, 2022
Image of an anonymous person, the head is a question mark (Wikimedia Anonymous emblem.svg)

This is a use case that I am regularly asked about.

The first thing to realise is that because the user is anonymous, they have no identity, e.g. no first name, login, password or objectId, so you can’t read from or write to B2C.

You could, for example, have a website that is largely open but where you want to give some people the ability to log in. You could then use a claims resolver to read a query string parameter and, if it is set, show the login screen; otherwise, allow access.

The problem is that the MSAL library expects a JWT back when you “login”, so you need to return an “anonymous” JWT.

You have zero user information, so it all has to be canned information. Maybe your application wants to know that it is an anonymous user, so you could have a flag set to “True”.

I used this .NET Core sample.

As usual, the gist is here.

The user journey is simply:

<UserJourneys>
  <UserJourney Id="AnonSignUpOrSignIn">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/>
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>

It’s just a “SendClaims” step.

The actual claims look like:

<OutputClaims>
  <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" AlwaysUseDefaultValue="true" DefaultValue="Anon User"/>
  <OutputClaim ClaimTypeReferenceId="givenName" AlwaysUseDefaultValue="true" DefaultValue="Anon"/>
  <OutputClaim ClaimTypeReferenceId="surname" AlwaysUseDefaultValue="true" DefaultValue="User"/>
  <OutputClaim ClaimTypeReferenceId="anonUser" AlwaysUseDefaultValue="true" DefaultValue="true"/>
  <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" AlwaysUseDefaultValue="true" DefaultValue="123456"/>
  <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}"/>
</OutputClaims>

When we run the application, we see:

Image showing the web app with a sign-in button

We click “Sign Up” and the “dummy” JWT is returned giving:

Image showing signed-in user with “Hello Anon User” text

The “dummy” JWT looks like:

{
  "exp": 1667182885,
  "nbf": 1667179285,
  "ver": "1.0",
  "iss": "https://tenant.b2clogin.com/65f7…2316/v2.0/",
  "sub": "123456",
  "aud": "7bd3…1760",
  "acr": "b2c_1a_anon_susi",
  "nonce": "defaultNonce",
  "iat": 1667179285,
  "auth_time": 1667179285,
  "name": "Anon User",
  "given_name": "Anon",
  "family_name": "User",
  "anonUser": true,
  "tid": "65f7…2316"
}

You have to have a “sub”, which is normally a GUID (e.g. the objectId), but here it just has the dummy value “123456”.
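Because the token above is a real, signed JWT with canned claims, the relying party has to treat it as “no identity” rather than as a user. The following is an added example (not from the post or its .NET sample) of how an MSAL-based app could decode the payload and decide what an anonymous token may do; the policy and claim names come from the post, the token values are constructed with the GUIDs replaced by placeholders, and signature validation is assumed to have been done by MSAL or the middleware before these claims are inspected.

```javascript
// Added example, not from the post or its .NET sample: how a relying party should
// treat the "anonymous" JWT the AnonSignUpOrSignIn journey issues. Policy and claim
// names come from the post; token values are constructed (GUIDs redacted there), and
// signature validation is assumed to be done by MSAL/middleware before this runs.
const ANON_POLICY = "b2c_1a_anon_susi"; // acr value in the dummy token

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Decode the payload segment of a compact JWT (no verification here).
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Anonymous tokens carry no identity: the canned sub "123456" is not a
// subject and must never key reads or writes. Check both the custom flag
// and the issuing policy, so a missing anonUser claim cannot slip through.
function classify(claims, now = Math.floor(Date.now() / 1000)) {
  if (typeof claims.exp !== "number" || claims.exp <= now) {
    return { valid: false, reason: "expired" };
  }
  const policy = String(claims.acr || claims.tfp || "").toLowerCase();
  const anonymous = claims.anonUser === true || policy === ANON_POLICY;
  return { valid: true, anonymous, subject: anonymous ? null : claims.sub, displayName: claims.name };
}

// Anonymous callers get public resources only; everything else needs a real subject.
function authorize(claims, resource, now) {
  const c = classify(claims, now);
  if (!c.valid) return { allow: false, reason: c.reason };
  if (resource.public) return { allow: true, subject: c.subject };
  if (c.anonymous) return { allow: false, reason: `anonymous token cannot access ${resource.name}` };
  return { allow: true, subject: c.subject };
}

// Constructed sample mirroring the dummy JWT from the post.
const sampleClaims = {
  exp: 1667182885, nbf: 1667179285, iss: "https://tenant.b2clogin.com/TENANT-GUID/v2.0/",
  sub: "123456", aud: "CLIENT-ID", acr: ANON_POLICY, iat: 1667179285, auth_time: 1667179285,
  name: "Anon User", given_name: "Anon", family_name: "User", anonUser: true, tid: "TENANT-GUID",
};
const sampleJwt = [b64url({ alg: "RS256", typ: "JWT" }), b64url(sampleClaims), "SIG"].join(".");
```

The `acr`/`tfp` check matters because the custom `anonUser` claim is only present if the policy emits it; the issuing policy name is always there.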

If you wanted, you could always add a sign-up flow to capture some information and return that in the JWT.

All good!


NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5