The new control plane

“Identity is the new control plane”. Articles around Microsoft Entra ID, Entra External ID and Azure AD B2C. Click the “Archive” link at the bottom for more posts.

Using Azure AD B2C custom policies to implement Profile Edit on Entra External ID with Native auth


Image of “Auth”
Education Program AUTH via Wikimedia

Note that this post is about a PoC; it is not production-ready, so use it at your own risk!

A full list of all my posts on this approach is here.

The function calls in this PoC are not protected. In the real world, the “auth” call returns an access token, which the application then passes back to the other functions, e.g. the “read” function, which checks the token’s validity before doing anything else. You need to implement this code.

Please read my previous post as I won’t repeat all the details.

The previous post used ROPC as the authentication flow. This is not secure and is deprecated. The safest way to do this is to use the native authentication API.

This has an SDK for mobile as that is the intended target audience, but it is just REST API calls, so there is no reason that you can’t use the flow for web applications.

(The mobile SDK is available for Kotlin and Swift).

As usual, the code is in a gist.

The gist contains just the updated “auth” method. To use it, update the Azure function in the gist in the previous post.

As an experiment, I generated the code from a working Postman JSON export file using GitHub Copilot Pro.

It took a few iterations, but I got there in the end 😃

Note that your application registration needs to have these settings for native auth to work.

Image showing public client flows set to “Yes” in app. registration auth.

All good!


Written by Rory Braybrook

NZ Microsoft Identity dude and MVP. Entra ID/Entra External ID/Azure AD B2C/VC. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5
