Hello Community!
I’m wondering if there is a way to use B2C to authenticate someone and save the JWT payload it sends to further authenticate towards a database. In this case I’m wondering if there is a way to decrypt the JWT, or does that have to be done manually?
Also, if I have multiple APIs and I want the user secret and pass secret to change based on the user when calling the database, is this possible?
Regards
Haider
Hi!
Yes, it is. B2C to be used for authentication is pretty straightforward, and with a few more settings, you can also save the access token (received in the signed JWT together with email, user name and other claims).
First:
Add B2C as Custom Auth Provider if not already done.
Then:
The login should send a signed JWT back containing an Access Token. So, you need somewhere to save that. Appfarm comes with this feature built-in when you add a Secret. As described here, you should add a Secret with Secret Type OAuth 2 Value, and OAuth value set to Access Token (if it’s not working, try ID Token instead).
The new secret should look like this:
With this setup, the value of this secret should be stored “per user”, and when e.g. a user triggers a web request (towards) using this secret as authentication, the access token of that user will be used.
Thank you very much! I have already created the secret to store the claims, but where do I add that secret to get the claims is my question? Maybe I’m asking a bit confusingly here.
Hi!
Not sure if I misunderstood. But, if you have that Secret stored (similar to my previous screenshot) and User A logs in with B2C, the Secret B2C Access Token is set automatically upon login. This secret can hold 1 value for each user, so if User B logs in at the same time, the value is different for User B.
For authenticating towards some resource in Azure using the (personal) access token: Use the Web Request with “Bearer” authentication towards the resource that the user has access to, and select the secret B2C Access Token as Bearer Token. When User A executes the web request, then User A’s access token is used. And similarly for User B.
So if I understand correctly, it gets populated without being referenced anywhere?
Yes, that is correct!
I have not set up B2C myself, but I know others have managed this.
Hello @kristian
Is there a way we can expose the secret so we can see what we are getting in the JWT and test things out? I would like to see what I’m getting from the B2C.
Hi,
I believe you could do the following to debug this:
- Create a Service “Debug token service” etc. Inside it, just have an action with “Log to console”, logging out the secret value.
- An App with a button etc. with an action with action node Run Service, running the Debug token service.
Then
- Open Devtools for Services, locate the Debug token service, and click “Enable capture”.
- Log in and open the App in another tab, and click the button. Now, since you are logged in as a user and performing a “Run Service” as yourself, the secret that is logged should be your access token.