Microsoft Azure AD B2C

Authsignal provides a simple integration with Azure AD B2C, via the Open ID Connect (OIDC) flow/technical profile, using Azure AD B2C custom policies in the identity experience framework to orchestrate the customer journeys in order to provide passwordless and adaptive MFA user journeys.

This document outlines the technical profiles for the key APIs for the Open ID Connect flow, as well as other utility APIs to allow greater functionality in your user journeys.

Authsignal - Technical profiles

OIDC Connect Technical profile

Main Authsignal Connect technical profile

<TechnicalProfile Id="REST-Authsignal-Connect-API">
    <DisplayName>Authsignal Connect API</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
        <Item Key="SendClaimsIn">Body</Item>
        <Item Key="AuthenticationType">Basic</Item>
        <Item Key="AllowInsecureAuthInProduction">false</Item>
        <Item Key="ResolveJsonPathsInJsonTokens">true</Item>
        <Item Key="ClaimUsedForRequestPayload">requestBody</Item>
        <Item Key="DefaultUserMessageIfRequestFailed">Cannot process your request right now, please try again later.</Item>
    </Metadata>
    <CryptographicKeys>
        <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_AuthsignalTenantAPISecret" />
        <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_AuthsignalTenantAPISecret" />
    </CryptographicKeys>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="requestBody" />
    </InputClaims>
</TechnicalProfile>

The POST init-auth call as documented in the OIDC Flow documentation is a prerequisite before federating the flows to Authsignal via the OIDC technical profile.

Claims Transformation

The InputParameter is the Authsignal action name. This is crucial as it gives context to the tracked actions. You may give actions any name provided that they give context: for example, signUp, signIn, changeEmail.

Refer to the POST /init-auth documentation for the full list of available inputs.

<ClaimsTransformation Id="authsignalInitAuthRequestBody" TransformationMethod="GenerateJson">
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" TransformationClaimType="userId" />
        <InputClaim ClaimTypeReferenceId="appScope" TransformationClaimType="scope" />
        <InputClaim ClaimTypeReferenceId="ClientId" TransformationClaimType="appId" />
    </InputClaims>
    <InputParameters>
        <InputParameter Id="action" DataType="string" Value="signin" />
        <InputParameter Id="redirectToSettings" DataType="boolean" Value="false" />
    </InputParameters>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="requestBody" TransformationClaimType="outputClaim" />
    </OutputClaims>
</ClaimsTransformation>

Initialize Auth technical profile

<TechnicalProfile Id="authsignalOidcInitAuth">
    <DisplayName></DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
        <Item Key="ServiceUrl">https://AUTHSIGNAL_CONNECT_HOSTNAME/init-auth</Item>
    </Metadata>
    <InputClaimsTransformations>
        <InputClaimsTransformation ReferenceId="authsignalInitAuthRequestBody" />
    </InputClaimsTransformations>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="requestBody" />
    </InputClaims>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="token" />
    </OutputClaims>
    <IncludeTechnicalProfile ReferenceId="REST-Authsignal-Connect-API" />
</TechnicalProfile>

OIDC Technical profile

For a full list of available claims, view the Open ID connect access token exchange documentation.

<TechnicalProfile Id="authsignalOidcInitAuth">
    <DisplayName>authsignal</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <Metadata>
        <Item Key="METADATA">https://AUTHSIGNAL_CONNECT_HOSTNAME/oidc/.well-known/openid-configuration</Item>
        <Item Key="client_id">INSERT_AUTHSIGNAL_TENANT_ID</Item>
        <Item Key="authorization_endpoint">https://AUTHSIGNAL_CONNECT_HOSTNAME/oidc/auth</Item>
        <Item Key="AccessTokenEndpoint">https://AUTHSIGNAL_CONNECT_HOSTNAME/oidc/token</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="token_endpoint_auth_method">client_secret_post</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
        <Item Key="ResolveJsonPathsInJsonTokens">true</Item>
    </Metadata>
    <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_AuthsignalTenantAPISecret" />
    </CryptographicKeys>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="token" />
    </InputClaims>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="actionCode" PartnerClaimType="action_code" />
        <OutputClaim ClaimTypeReferenceId="actionState" PartnerClaimType="action_state" />
    </OutputClaims>
    </TechnicalProfile>
</TechnicalProfiles>

Authsignal utility API calls - Technical Profiles

Authsignal has a core server API documented here. Due to Azure AD B2C technical profiles not being able to construct purely RESTful URLs, we've created convenience proxy end points to map to our key APIs. These API calls extend on the above Authsignal Connect API technical profile

Get user

This API call maps to our Retrieve user API call, and returns an isEnrolled attribute indicating if the user has at least 1 authenticator enrolled.

<ClaimsTransformation Id="authsignalGetUserRequestBody" TransformationMethod="GenerateJson">
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" TransformationClaimType="userId" />
    </InputClaims>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="requestBody" TransformationClaimType="outputClaim" />
    </OutputClaims>
</ClaimsTransformation>

<TechnicalProfile Id="authsignalGetUser">
    <DisplayName></DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
        <Item Key="ServiceUrl">https://AUTHSIGNAL_CONNECT_HOSTNAME/user</Item>
    </Metadata>
    <InputClaimsTransformations>
        <InputClaimsTransformation ReferenceId="authsignalGetUserRequestBody" />
    </InputClaimsTransformations>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="requestBody" />
    </InputClaims>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="isEnrolled" PartnerClaimType="isEnrolled" />
    </OutputClaims>
    <IncludeTechnicalProfile ReferenceId="REST-Authsignal-Connect-API" />
</TechnicalProfile>

cURL

curl --location --request POST 'https://AUTHSIGNAL_CONNECT_HOSTNAME/user' \
        --header 'Authorization: Basic TENANT_API_SECRET_KEY' \
        --header 'Content-Type: application/json' \
        --data-raw '{
            "userId": "123456"
        }'

Request

• userIdstring

  The unique ID for this user in your database.

Response

• isEnrolledboolean

  Whether or not the user is enrolled with at least one authentication method and can be challenged.

• allowedVerificationMethodsstring[]

  An array of the allowed verification methods.

• enrolledVerificationMethodsstring[]

  An array of the user's enrolled authenticators.

• emailstring

  The user's email address.

• phoneNumberstring

  The user's phone number.

POST /user

{
  "isEnrolled": true
}