Skip to content

Azure
(24.5 h)

To learn

How to call Microsoft Graph API in B2C app
(+3 h)

April, 2024

Custom Policy
(+10.5 h)

April, 2024

  • Register a single-page application in Azure Active Directory B2C

    OAuth 2.0 Authorization code flow (with PKCE) allows the application to exchange an authorization code for ID tokens to represent the authenticated user and Access tokens needed to call protected APIs. In addition, it returns Refresh tokens that provide long-term access to resources on behalf of users without requiring interaction with those users.

    The implicit grant flow allows the application to get ID and Access tokens. Unlike the authorization code flow, implicit grant flow doesn't return a Refresh token.

  • Tutorial: Create user flows and custom policies in Azure Active Directory B2C

    1. Create signing key and encryption key under Identity Experience Framework - Policy Keys.
    2. Register two applications that it uses to sign up and sign in users with local accounts: IdentityExperienceFramework, a web API, and ProxyIdentityExperienceFramework, a native app with delegated permission to the IdentityExperienceFramework app.
    3. Download policy starter pack and update values of yourtenant, IdentityExperienceFrameworkAppId, and ProxyIdentityExperienceFrameworkAppId.
    4. Upload policy files in correct order.
    5. Test with B2C_1A_signup_signin. Unfortunately, I got an error: b2c login error The problem is that I should have used files inside /Display Controls Starterpack, instead of files under the root.
  • Write your first Azure Active Directory B2C custom policy - Hello World!

    xml
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TrustFrameworkPolicy
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
        PolicySchemaVersion="0.3.0.0"
        TenantId="yourtenant.onmicrosoft.com"
        PolicyId="B2C_1A_ContosoCustomPolicy"
        PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_ContosoCustomPolicy">
    
      <BuildingBlocks>
        <ClaimsSchema>
          <ClaimType>
            <!-- To declare a claim. A claim is like a variable. The claim's declaration also shows the claim's data type. -->
          </ClaimType>
        </ClaimsSchema>
      </BuildingBlocks>
    
      <ClaimsProviders>
        <!-- Claims Providers Here-->
      </ClaimsProviders>
    
      <UserJourneys>
        <!-- The user journey specifies the business logic the end user goes through as Azure AD B2C processes a request. -->
      </UserJourneys>
    
      <RelyingParty>
          <!--
              Relying Party Here that's your policy’s entry point
              Specify the User Journey to execute
              Specify the claims to include in the token that is returned when the policy runs
          -->
      </RelyingParty>
    </TrustFrameworkPolicy>
  • Set up a password reset flow in Azure Active Directory B2C

    Prerequisites: the B2C Users need to have an authentication method specified for self-service password reset. Select the B2C User, in the left menu under Manage, select Authentication methods, ensure Authentication contact info is set. B2C users created via a SignUp flow will have this set by default. For users created via Azure Portal or by Graph API need to have this set for SSPR to work.

  • Azure AD B2C Webinar Series: Custom Policies Part 1 - YouTube

    • User Flow is just built-in policy.
    • Claims are just variables.
    • Technical Profiles are just functions.

custom-policy (My understanding of custom policy.)

But I hit a problem that i don't have the permission to connect graph by scope domain.readwrite.all, but Find-MgGraphPermission tells me i have the admin. That's weird. To try: Connect-MgGraph -ClientId <YOUR_NEW_APP_ID> -TenantId <YOUR_TENANT_ID>. if it's not working, switch to free trial.

MSAL React
(+2 h)
(In progress)

April, 2024

  • Tutorial: MSAL React

    • redirectUri should be configured in Azure Portal application authentication. Be careful choose single-page application for type.
    • All parts of the app that require authentication must be wrapped in the MsalProvider component.
    • useMsal hook can give us an instance, and we can do loginPopup, loginRedirect, logoutPopup, and logoutRedirect with it. We can also call instance.acquireTokenSilent to get the tokens (access_token, id_token, client_info, refresh_token, etc), and use access_token to call Microsoft API (e.g Graph API).
    • useIsAuthenticated hook gives us a boolean value whether or not a user is currently signed-in.
  • msal-react/docs/getting-started.md:

    • Components AuthenticatedTemplate and UnauthenticatedTemplate can do the same thing as useIsAuthenticated hook does.
    • Components MsalAuthenticationTemplate and useMsalAuthentication hook can do the same thing as instance does.
    • Besides of instance, useMsal gives us accounts for an array of all accounts currently signed in, and an inProgress that tells you what msal is currently doing.
    • They recommend that the app calls the acquireTokenSilent API on the PublicClientApplication object each time you need an access token to access an API.

Q: what's the difference between various tokens?

This version of the library uses the OAuth 2.0 Authorization Code Flow with PKCE. To read more about this protocol, as well as the differences between implicit flow and authorization code flow, see the section in the @azure/msal-browser readme.

MSAL Common
(+3.5 h)

March, 2024

MSAL Node
(+2 h)

March, 2024

Learning materials

msal-node

  • What's the difference between Confidential and Public clients? - OAuth in Five Minutes - YouTube

    Client = Application

    Resource Owner = User

    Confidential Clients can keep a secret, and Public Clients can't. Simply put, Confidential Clients are server-side applications (written in Node, Java, etc.), while Public Clients are client-side applications (written in JavaScript, etc).

    PKCE (Proof Key for Code Exchange) is an extension to OAuth developed specifically for doing OAuth in Public Clients.

  • What's the relationship between tenant, subscription, and resource group?

    Azure hierarchy

To be continued

Initializing the PublicClientApplication object

Question: how to verify token when requesting

Microsoft identity JavaScript NodeJS tutorial
(+2 h)

March 20, 2024

Azure-Samples/ms-identity-javascript-nodejs-tutorial: A chapterwise tutorial that will take you through the fundamentals of modern authentication with the Microsoft identity platform in Node.js using MSAL Node

Getting started with Azure
(+2 h)

March, 2024

  • Identify cloud services

    • Infrastructure as a Service (IaaS): Just bare computers (without operating systems). Azure Virtual Machines is IaaS.
    • Platform as a Service (PaaS): Hosted platform in the cloud. Not only infrastructure, but also specialized software from the cloud provider, like operating systems. Azure App Service is PaaS.
    • Software as a Service (SaaS): software or service hosted in the cloud, e.g. Outlook, Gmail, Netflix, etc
  • Azure geographies and regions

    Countries + Compliance = Geographies

    Geographies + Datacenters = regions

    3D visualized datacenter: https://bit.ly/gsma-datacenter

    E.g. West US is a region, and US is a geography

  • Azure Resource Manager (ARM)

    ARM uses templates to deploy Azure resources. No matter how you interact with Azure or manage your resources, ARM is always going to be doing the work under the hood.

    I guess ARM template is like netlify.toml which is used by Netlify to deploy your application.

  • Azure Blob Storage

    • Storing unstructured data
    • Organized in containers
    • Blob is a file-like object of immutable, raw data.
    • Tiers: hot, cool, and archive

Released under the CC BY-NC-SA 4.0 License.