
[Feature request] Docs On How to set up AAD B2C #136

Closed
akarray opened this issue Jun 6, 2023 · 10 comments
Labels
documentation Improvements or additions to documentation good first issue Good for newcomers help wanted Extra attention is needed

Comments

@akarray
Copy link

akarray commented Jun 6, 2023

Hello,
AAD B2C seems to be supported, but there is no documentation about how to configure it.
This documentation could save a lot of time.
Can someone add steps for B2C configuration?
[image]

Thank you

@akarray akarray added the enhancement New feature or request label Jun 6, 2023
@JonasKs JonasKs added documentation Improvements or additions to documentation good first issue Good for newcomers help wanted Extra attention is needed and removed enhancement New feature or request labels Jun 6, 2023
@davidhuser
Copy link
Contributor

Also interested in this doc.

A starting point would be to follow the Azure docs that show how to use B2C with MSAL and Flask, then adapt it to use B2CMultiTenantAuthorizationCodeBearer as used, for example, in this repo.

Is there anything else to keep in mind?

@JonasKs
Copy link
Member

JonasKs commented Jun 30, 2023

I'd say follow the single-tenant steps I've already documented. MSAL works a bit differently.

If you document your steps, you can post them here and we can either base the documentation on them, or help you debug.

@davidhuser
Copy link
Contributor

Out of curiosity, what is the benefit of using the fastapi-azure-auth library for B2C over using the "official" MSAL implementation, e.g. here? Is it the targeted implementation for FastAPI?

@JonasKs
Copy link
Member

JonasKs commented Jul 10, 2023

> [..] what is the benefit of using the fastapi-azure-auth [...]

There are four things a FastAPI backend developer cares about when implementing Azure AD:

  • Async fetching of the openid config, ensuring the app doesn't halt when you refresh the config
  • Dependency support, so it feels natural to the framework
  • Token is validated correctly
  • OpenAPI/swagger documentation works, since the user can sign in

As for the official MSAL implementation, I believe it is sync and does not implement any FastAPI framework-specific features such as swagger authentication out of the box by using the dependency. 😊

@vjmadhal-silverstream
Copy link

Having been through this over the last few days, I found the demo project pretty useful. However, using the B2CMultiTenantAuthorizationCodeBearer I fell foul of an invalid issuer. The docs explain how to implement the issuer verification using the callable. The only problem is that the tid claim isn't available in the B2C token, so validating the issuer will fail as tid is None, followed by tid not being optional for User (the linked fix already addresses that). Finally, the last hurdle is when validate_iss is true, iss_callable is provided and multi tenant is true (which it is for the B2CMultiTenantAuthorizationCodeBearer): then there's a failure trying to obtain claims.get('tid').
I'll wait on the PR first to see, but the docs are pretty helpful.
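The comment above pins down why issuer validation breaks for B2C: the validation path derives the expected issuer from the `tid` claim, and a B2C token simply has no `tid`. The snippet below is an added, self-contained illustration of that difference and of one defensive way to handle it; it is not fastapi-azure-auth's own code and does not reproduce its `iss_callable` signature (which the project's docs define). All claim values, the `contoso` tenant name and the GUIDs are constructed placeholders.

```python
from typing import Any, Mapping, Set, Tuple

# Constructed sample claims (not real tokens). A B2C token carries no "tid" claim;
# its issuer has the form https://{tenant}.b2clogin.com/{tenant-id}/v2.0/ (trailing slash).
TENANT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder tenant id
B2C_CLAIMS = {
    "iss": f"https://contoso.b2clogin.com/{TENANT_ID}/v2.0/",
    "aud": "00000000-0000-0000-0000-000000000000",  # placeholder app client id
    "tfp": "B2C_1_sign_up_sign_in",
    "sub": "placeholder-object-id",
}
# A workforce (login.microsoftonline.com) token carries "tid" alongside "iss".
WORKFORCE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "tid": TENANT_ID,
    "aud": "00000000-0000-0000-0000-000000000000",
}


def expected_b2c_issuer(tenant_name: str, tenant_id: str) -> str:
    """Issuer string a B2C tenant puts in its tokens (note the trailing slash)."""
    return f"https://{tenant_name}.b2clogin.com/{tenant_id}/v2.0/"


def validate_issuer(claims: Mapping[str, Any], allowed_issuers: Set[str]) -> Tuple[bool, str]:
    """Decide whether a token's issuer is trusted, and say why if not.

    Workforce tokens: "tid" is present, so additionally require that "iss"
    embeds exactly that tenant. B2C tokens: there is no "tid", so the issuer
    cannot be derived from a claim and is matched against an explicit allow-list.
    """
    iss = claims.get("iss")
    if not isinstance(iss, str) or not iss:
        return False, "missing iss claim"
    tid = claims.get("tid")
    if tid is not None:
        # tid present: the issuer URL must contain exactly that tenant id as a path segment
        if f"/{tid}/" not in iss:
            return False, "tid does not match iss"
    # In both cases the final decision is an exact string match against the allow-list;
    # the trailing slash matters, since ".../v2.0" and ".../v2.0/" are different issuers.
    if iss not in allowed_issuers:
        return False, f"issuer not allowed: {iss}"
    return True, "ok"


if __name__ == "__main__":
    allowed = {expected_b2c_issuer("contoso", TENANT_ID)}
    print(validate_issuer(B2C_CLAIMS, allowed))        # (True, 'ok')
    print(validate_issuer(WORKFORCE_CLAIMS, allowed))  # issuer not in the B2C allow-list
```

The allow-list is built from the tenant name and id you configure, never from the token itself; deriving the expected issuer from a claim inside the token being validated would let any issuer pass.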

@akarray
Copy link
Author

akarray commented Jul 25, 2023

> Having been through this over the last few days, I found the demo project pretty useful. However, using the B2CMultiTenantAuthorizationCodeBearer I fell foul of invalid issuer. But the docs explain how to implement the issuer verification using the callable. Only problem is that the tid claim isn't available in the B2C token so validating issuer will fail as tid is None, followed by tid not being optional for User (the linked fix already addresses that). Finally, the last hurdle is when validate_iss is true, iss_callable is provided and multi tenant is true (which it is for the B2CMultiTenantAuthorizationCodeBearer) then there's a failure trying to obtain claims.get('tid'). I'll wait on the PR first to see, but the docs are pretty helpful

Thank you @vjmadhal-silverstream for your return. There is a nice community using fastapi-azure-auth. The PR seems to be coming very soon. I'm excited to see this feature available.

@davidhuser
Copy link
Contributor

This is now implemented, refer to the docs 👍

@JonasKs JonasKs closed this as completed Sep 14, 2023
@JonasKs
Copy link
Member

JonasKs commented Sep 14, 2023

Thanks again @davidhuser 😊

@akarray
Copy link
Author

akarray commented Sep 19, 2023

Hello @davidhuser,
Thanks for this great contribution. I have tried exactly all the steps in the documentation without success.

I get this error:
Auth ErrorError: Bad Request, error: invalid_grant, description: AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.
And sometimes this error:
Error: Bad Request, error: invalid_request, description: AADB2C90182: The supplied code_verifier does not match associated code_challenge

The screen I see does not seem exactly like yours:
[image]
And I don't get the "Consent to the permissions requested" screen like yours:
[image]

You can find details about the token request here:

POST
https://xxxx.b2clogin.com/xxxx.onmicrosoft.com/B2C_1_sign_up_sign_in/oauth2/v2.0/token
Payload :
grant_type: authorization_code
code: eyJra.....
client_id: xxxxxx
redirect_uri: http://localhost:7072/oauth2-redirect
code_verifier: xxxxx

And this is the response of the server :
{
"error": "invalid_grant",
"error_description": "AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.\r\nCorrelation ID: xxxxxx\r\nTimestamp: 2023-09-19 07:11:40Z\r\n"
}

Any idea?

Thank you
Best Regards
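The second error quoted above (AADB2C90182) is the token endpoint reporting that the `code_verifier` sent with the `authorization_code` grant is not the one whose S256 challenge accompanied the original authorize request, which typically happens when the authorize step is repeated (a second tab, a reloaded Swagger page) and the client then redeems the code with a verifier from a different attempt. The snippet below is an added, self-contained example of how the verifier/challenge binding works (RFC 7636) and how a server-side check detects the mismatch; it is not code from this project or from Azure AD B2C, and the in-memory `PkceCheck` class is a stand-in for the authorization server's own bookkeeping.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 section 4.1: high-entropy string of 43..128 URL-safe characters.

    base64url of 32 random bytes, with padding stripped, gives exactly 43 characters.
    """
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class PkceCheck:
    """Stand-in for the authorization server: remembers the challenge bound to each code."""

    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str]] = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Authorize request: issue a one-time code and bind it to the presented challenge.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, method)
        return code

    def redeem(self, code: str, code_verifier: str) -> Tuple[bool, str]:
        # Token request: the code is consumed whether or not the verifier matches,
        # so a mismatch cannot be retried with the same code.
        entry = self._codes.pop(code, None)
        if entry is None:
            return False, "unknown or already redeemed code"
        challenge, method = entry
        derived = code_verifier if method == "plain" else code_challenge_s256(code_verifier)
        if not hmac.compare_digest(derived, challenge):
            return False, "code_verifier does not match code_challenge"
        return True, "ok"


if __name__ == "__main__":
    server = PkceCheck()
    verifier = make_code_verifier()
    code = server.authorize(code_challenge_s256(verifier))
    print(server.redeem(code, verifier))  # (True, 'ok')
```

When debugging the flow in a client such as Swagger UI, check that the `code_verifier` in the token POST was generated in the same run as the `code_challenge` in the preceding authorize redirect; a verifier from any other attempt will be rejected exactly as shown.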

@davidhuser
Copy link
Contributor

Hi, make sure the redirect_uri matches your local FastAPI URL (localhost:3000 in the docs vs localhost:7072 in what you provided in the comment above) and try to grant admin consent.

> And I don't get Consent to the permissions requested screen like yours

This is due to reusing existing screenshots from the SingleTenant or MultiTenant docs. They could maybe be removed.
