Using native authentication in Entra External ID, aka bring your own login screen and login with email and password
Back in the day when ADFS came out, the first question I was asked was, "Can I customise and use my own login screen?" Sorry, no.
And then, when Azure AD came out, the first question I was asked was, "Can I customise and use my own login screen?" Sorry, no.
And then, when Azure AD B2C came out, the first question I was asked was, "Can I customise and use my own login screen?" Sorry, no.
And then, when Entra External ID came out, the first question I was asked was, "Can I customise and use my own login screen?" Yes, you can!
The overview is here.
There is a table in the overview that contrasts the Microsoft supplied login screen vs. bring your own including:
Native authentication is particularly suited to native mobile apps, where you can now provide the whole journey inside the app, with full customisation.
To that end, an SDK is provided for iOS and Android.
But there is no reason you can't do this in a web app, since it is simply an API.
I'm ignoring the UI here, but you can design anything you like as long as the user is asked to enter an email and password.
I've used Postman to generate the flow and have concentrated on the sign-in API with email and password. Other flows to follow.
Note: The endpoints in the documentation are currently wrong i.e. not:
{tenant_subdomain}.onmicrosoft.com/oauth2/v2.0/initiate
but rather:
{tenant_subdomain}.ciamlogin.com/{tenant_subdomain}.onmicrosoft.com/oauth2/v2.0/initiate
In terms of the app registration, use the "Mobile and desktop applications" platform and ensure these settings are on:
Step 1
where the URL is:
https://tenant.ciamlogin.com/tenant.onmicrosoft.com/oauth2/v2.0/initiate
and the form parameters are:
client_id=11...11
&challenge_type=password redirect
&username=nativeauth@company.co.nz
where the username is the name of the person who is logging in.
The response will be:
{
"continuation_token": "AQA...iAA"
}
Step 2
where the URL is:
https://tenant.ciamlogin.com/tenant.onmicrosoft.com/oauth2/v2.0/challenge
and the form parameters are:
client_id=11...11
&challenge_type=password redirect
&continuation_token=AQA...iAA
where the continuation token is what was returned in step 1.
The response will be:
{
"continuation_token": "AQA...gAA",
"challenge_type": "password"
}
Step 3
where the URL is:
https://tenant.ciamlogin.com/tenant.onmicrosoft.com/oauth2/v2.0/token
and the form parameters are:
continuation_token=AQA...gAA
&client_id=11...11
&grant_type=password
&password=user password
&scope=openid offline_access
where the continuation token is what was returned in step 2.
The response will be:
{
"token_type": "Bearer",
"scope": "openid profile email 00000003-0000-0000-c000-000000000000/User.Read",
"expires_in": 4349,
"ext_expires_in": 4349,
"access_token": "eyJ...zag",
"refresh_token": "0.A...qSg",
"id_token": "eyJ...LsA"
}
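The three calls above (initiate, challenge, token) strung together in Python, as an added example that is not part of the original post or of Microsoft's SDKs. It uses only the standard library and takes an injectable `post` function, so the `make_fake_post` stand-in (constructed here, replaying the responses shown above) lets the flow run without a tenant; the tenant name, client_id and credentials are placeholders. It also covers the case the post does not show: if step 2 comes back with a challenge_type other than "password" (the "redirect" fallback the client advertises in "password redirect"), the password must not be sent and the client has to fall back to a browser-based sign-in.

```python
import json
import urllib.parse
import urllib.request

def http_post(url, form):
    """Real transport: POST a form-encoded body and return the JSON reply."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def native_auth_signin(tenant, client_id, username, password, post=http_post):
    """Run initiate -> challenge -> token against the corrected ciamlogin.com URLs."""
    base = f"https://{tenant}.ciamlogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0"
    # Step 1: 'password redirect' advertises that the client can take a password
    # challenge and can fall back to a browser redirect if the tenant demands it.
    r1 = post(f"{base}/initiate", {"client_id": client_id,
              "challenge_type": "password redirect", "username": username})
    # Step 2: ask which challenge the tenant wants, carrying the step-1 token.
    r2 = post(f"{base}/challenge", {"client_id": client_id,
              "challenge_type": "password redirect",
              "continuation_token": r1["continuation_token"]})
    # Only send the password if the tenant actually asked for one; anything else
    # (e.g. "redirect") means the native flow is unavailable for this sign-in.
    if r2.get("challenge_type") != "password":
        raise RuntimeError(f"native flow not offered: {r2.get('challenge_type')}")
    # Step 3: exchange the step-2 token plus the password for the token set.
    return post(f"{base}/token", {"continuation_token": r2["continuation_token"],
                "client_id": client_id, "grant_type": "password",
                "password": password, "scope": "openid offline_access"})

def make_fake_post(challenge_type="password"):
    """Constructed stand-in for the tenant that replays the responses shown above."""
    def fake_post(url, form):
        if url.endswith("/initiate"):
            return {"continuation_token": "AQA...iAA"}
        if url.endswith("/challenge"):
            return {"continuation_token": "AQA...gAA", "challenge_type": challenge_type}
        if form["continuation_token"] != "AQA...gAA" or form["grant_type"] != "password":
            raise ValueError("token request out of sequence")
        return {"token_type": "Bearer", "expires_in": 4349, "access_token": "eyJ...zag",
                "refresh_token": "0.A...qSg", "id_token": "eyJ...LsA"}
    return fake_post

if __name__ == "__main__":
    print(native_auth_signin("tenant", "11...11", "nativeauth@company.co.nz",
                             "user password", post=make_fake_post()))
```

Swap `make_fake_post()` for the default `http_post` (and real tenant, client_id and user values) to run it against an actual External ID tenant.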
Looking at the id_token we see:
{
"aud": "c74...218",
"iss": "https://7f...bb.ciamlogin.com/7f...bb/v2.0",
"iat": 1712090678,
"nbf": 1712090678,
"exp": 1712094578,
"rh": "0.A...AMQ.",
"sub": "-FX...OI",
"tid": "7fb...3bb",
"uti": "8m6...JAA",
"ver": "2.0"
}
This feature is going to make a lot of people very happy!!!
All good!