Microsoft Azure AD B2C
Authsignal integrates with Azure AD B2C through the OpenID Connect (OIDC) flow and its technical profile. Azure AD B2C custom policies in the Identity Experience Framework orchestrate the customer journeys, which lets you build passwordless and adaptive MFA user journeys.
This document outlines the technical profiles for the key APIs used in the OpenID Connect flow, as well as the utility APIs that add functionality to your user journeys.
Authsignal - Technical profiles
OIDC Connect Technical profile
Main Authsignal Connect technical profile
<TechnicalProfile Id="REST-Authsignal-Connect-API">
<DisplayName>Authsignal Connect API</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="SendClaimsIn">Body</Item>
<Item Key="AuthenticationType">Basic</Item>
<Item Key="AllowInsecureAuthInProduction">false</Item>
<Item Key="ResolveJsonPathsInJsonTokens">true</Item>
<Item Key="ClaimUsedForRequestPayload">requestBody</Item>
<Item Key="DefaultUserMessageIfRequestFailed">Cannot process your request right now, please try again later.</Item>
</Metadata>
<CryptographicKeys>
<Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_AuthsignalTenantAPISecret" />
<Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_AuthsignalTenantAPISecret" />
</CryptographicKeys>
<InputClaims>
<InputClaim ClaimTypeReferenceId="requestBody" />
</InputClaims>
</TechnicalProfile>
The POST init-auth call, as documented in the OIDC Flow documentation, is a prerequisite before federating the flow to Authsignal via the OIDC technical profile.
Claims Transformation
The action InputParameter is the Authsignal action name. This is crucial because it gives context to the tracked actions. You may give actions any name provided that it conveys that context: for example, signUp, signIn, changeEmail.
Refer to the POST /init-auth documentation for the full list of available inputs.
<ClaimsTransformation Id="authsignalInitAuthRequestBody" TransformationMethod="GenerateJson">
<InputClaims>
<InputClaim ClaimTypeReferenceId="objectId" TransformationClaimType="userId" />
<InputClaim ClaimTypeReferenceId="appScope" TransformationClaimType="scope" />
<InputClaim ClaimTypeReferenceId="ClientId" TransformationClaimType="appId" />
</InputClaims>
<InputParameters>
<InputParameter Id="action" DataType="string" Value="signin" />
<InputParameter Id="redirectToSettings" DataType="boolean" Value="false" />
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="requestBody" TransformationClaimType="outputClaim" />
</OutputClaims>
</ClaimsTransformation>
Initialize Auth technical profile
<TechnicalProfile Id="authsignalOidcInitAuth">
<DisplayName></DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ServiceUrl">https://AUTHSIGNAL_CONNECT_HOSTNAME/init-auth</Item>
</Metadata>
<InputClaimsTransformations>
<InputClaimsTransformation ReferenceId="authsignalInitAuthRequestBody" />
</InputClaimsTransformations>
<InputClaims>
<InputClaim ClaimTypeReferenceId="requestBody" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="token" />
</OutputClaims>
<IncludeTechnicalProfile ReferenceId="REST-Authsignal-Connect-API" />
</TechnicalProfile>
OIDC Technical profile
For a full list of available claims, see the OpenID Connect access token exchange documentation.
<!-- The Id must be unique within the policy and must differ from the authsignalOidcInitAuth REST profile above; authsignalOidc is a placeholder name -->
<TechnicalProfile Id="authsignalOidc">
<DisplayName>authsignal</DisplayName>
<Protocol Name="OpenIdConnect" />
<Metadata>
<Item Key="METADATA">https://AUTHSIGNAL_CONNECT_HOSTNAME/oidc/.well-known/openid-configuration</Item>
<Item Key="client_id">INSERT_AUTHSIGNAL_TENANT_ID</Item>
<Item Key="authorization_endpoint">https://AUTHSIGNAL_CONNECT_HOSTNAME/oidc/auth</Item>
<Item Key="AccessTokenEndpoint">https://AUTHSIGNAL_CONNECT_HOSTNAME/oidc/token</Item>
<Item Key="response_types">code</Item>
<Item Key="scope">openid</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="response_mode">form_post</Item>
<Item Key="token_endpoint_auth_method">client_secret_post</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
<Item Key="ResolveJsonPathsInJsonTokens">true</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_AuthsignalTenantAPISecret" />
</CryptographicKeys>
<InputClaims>
<InputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="token" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="actionCode" PartnerClaimType="action_code" />
<OutputClaim ClaimTypeReferenceId="actionState" PartnerClaimType="action_state" />
</OutputClaims>
</TechnicalProfile>
</TechnicalProfiles>
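As an added example (not part of Authsignal's documentation or the B2C policy itself), the following Python lint checks a policy fragment for the properties the profiles above rely on: unique TechnicalProfile Ids, https-only endpoints, AllowInsecureAuthInProduction left at false for Basic-authenticated REST profiles, and an OIDC profile that uses the authorization-code flow with client_secret_post. The embedded XML is a constructed sample, deliberately containing an http ServiceUrl and a duplicated Id so the checks have something to report.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy fragment (not from the page); two defects planted on purpose.
SAMPLE_POLICY = """<TechnicalProfiles>
  <TechnicalProfile Id="REST-Authsignal-Connect-API">
    <Metadata>
      <Item Key="AuthenticationType">Basic</Item>
      <Item Key="AllowInsecureAuthInProduction">false</Item>
    </Metadata>
  </TechnicalProfile>
  <TechnicalProfile Id="authsignalOidcInitAuth">
    <Metadata><Item Key="ServiceUrl">http://AUTHSIGNAL_CONNECT_HOSTNAME/init-auth</Item></Metadata>
  </TechnicalProfile>
  <TechnicalProfile Id="authsignalOidcInitAuth">
    <Protocol Name="OpenIdConnect" />
    <Metadata>
      <Item Key="response_types">code</Item>
      <Item Key="token_endpoint_auth_method">client_secret_post</Item>
      <Item Key="AccessTokenEndpoint">https://AUTHSIGNAL_CONNECT_HOSTNAME/oidc/token</Item>
    </Metadata>
  </TechnicalProfile>
</TechnicalProfiles>"""

# Metadata keys that carry URLs in the profiles on this page.
URL_KEYS = {"ServiceUrl", "METADATA", "authorization_endpoint", "AccessTokenEndpoint"}


def lint_policy(xml_text: str) -> list:
    """Return a list of findings for a <TechnicalProfiles> fragment; empty means it passes."""
    root = ET.fromstring(xml_text)
    findings, seen = [], set()
    for tp in root.iter("TechnicalProfile"):
        tp_id = tp.get("Id", "")
        if tp_id in seen:  # B2C rejects policies with duplicate profile Ids
            findings.append(f"duplicate TechnicalProfile Id: {tp_id}")
        seen.add(tp_id)
        meta = {i.get("Key"): (i.text or "").strip() for i in tp.iter("Item")}
        for key in sorted(URL_KEYS & set(meta)):  # every endpoint must be TLS
            if not meta[key].startswith("https://"):
                findings.append(f"{tp_id}: {key} is not https")
        if meta.get("AuthenticationType") == "Basic" and \
                meta.get("AllowInsecureAuthInProduction", "false") != "false":
            findings.append(f"{tp_id}: AllowInsecureAuthInProduction must be false")
        proto = tp.find("Protocol")
        if proto is not None and proto.get("Name") == "OpenIdConnect":
            if meta.get("response_types") != "code":
                findings.append(f"{tp_id}: OIDC profile should use response_types=code")
            if meta.get("token_endpoint_auth_method") != "client_secret_post":
                findings.append(f"{tp_id}: token endpoint should use client_secret_post")
    return findings
```

Run it against your own policy file by reading its TechnicalProfiles element and passing the XML string to lint_policy.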
Authsignal utility API calls - Technical Profiles
Authsignal has a core server API documented here. Because Azure AD B2C technical profiles cannot construct purely RESTful URLs, we provide convenience proxy endpoints that map to our key APIs. These calls extend the Authsignal Connect API technical profile above.
Get user
This API call maps to our Retrieve user API call and returns an isEnrolled attribute indicating whether the user has at least one authenticator enrolled.
<ClaimsTransformation Id="authsignalGetUserRequestBody" TransformationMethod="GenerateJson">
<InputClaims>
<InputClaim ClaimTypeReferenceId="objectId" TransformationClaimType="userId" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="requestBody" TransformationClaimType="outputClaim" />
</OutputClaims>
</ClaimsTransformation>
<TechnicalProfile Id="authsignalGetUser">
<DisplayName></DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ServiceUrl">https://AUTHSIGNAL_CONNECT_HOSTNAME/user</Item>
</Metadata>
<InputClaimsTransformations>
<InputClaimsTransformation ReferenceId="authsignalGetUserRequestBody" />
</InputClaimsTransformations>
<InputClaims>
<InputClaim ClaimTypeReferenceId="requestBody" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="isEnrolled" PartnerClaimType="isEnrolled" />
</OutputClaims>
<IncludeTechnicalProfile ReferenceId="REST-Authsignal-Connect-API" />
</TechnicalProfile>
cURL example:
curl --location --request POST 'https://AUTHSIGNAL_CONNECT_HOSTNAME/user' \
--header 'Authorization: Basic TENANT_API_SECRET_KEY' \
--header 'Content-Type: application/json' \
--data-raw '{
"userId": "123456"
}'
Request
userId (string): The unique ID for this user in your database.
Response
isEnrolled (boolean): Whether or not the user is enrolled with at least one authentication method and can be challenged.
allowedVerificationMethods (string[]): An array of the allowed verification methods.
enrolledVerificationMethods (string[]): An array of the user's enrolled authenticators.
email (string): The user's email address.
phoneNumber (string): The user's phone number.
Example response:
{
"isEnrolled": true
}