Set up Microsoft Azure Active Directory B2C

Introduction

Microsoft Azure Active Directory B2C provides “business-to-customer identity as a service”. A separate service from Azure Active Directory, Azure AD B2C is a customer identity access management platform that provides authentication and single-sign-on for applications for your customers or users. If your customer information is already stored within Azure AD B2C, it is straightforward to turn those customer information attributes into Verifiable Credentials. 

Prerequisites

You need the following in order to proceed with this tutorial: 

You can follow this tutorial to learn more about using the OIDC bridge with the MATTR Platform. If you experience any difficulties, contact us.

Setting up Microsoft Azure AD B2C 

The steps for setting up Microsoft Azure AD B2C are listed below:

  • First, create an Azure Active Directory B2C tenant.

  • Next, register a web application in Azure Active Directory B2C. Take note of your Application (Client) ID, and client secret as they will be required later.

  • Create user flows and custom policies in Azure Active Directory B2C. These are the experiences your users and customers have when authenticating with your application including registering, signing in, and modifying their information. User flows are also where user attributes are defined, including creating custom attributes.  

    • Press the Manage user attributes button. On the User attributes page, press the + Add button. Add an attribute called Certificate Name with String data type, and description "Educational Credential Awarded".


Sending an Authentication Request to Azure AD B2C

Send an authentication request to Azure AD B2C by opening the following URL in your browser:

    https://{domainname}.b2clogin.com/{domainname}.onmicrosoft.com/{userflow}/oauth2/v2.0/authorize?
    client_id={clientid}
    &nonce=anyRandomValue
    &redirect_uri=https://jwt.ms
    &scope=openid
    &response_type=code

Here {domainname} is the domain name of your Azure AD B2C instance, {userflow} is the user flow for sign-in, and {clientid} is the Application (Client) ID listed for your app under App registrations. Leave nonce, redirect_uri, scope, and response_type as shown. After signing in, you should be returned to a page like:


Take the URL of the page, which contains the authorization code: https://jwt.ms/?code=eyJraWQiOiJjcGltY[...]

Request an Azure AD B2C Access Token 

Send a POST to

    https://{domainname}.b2clogin.com/{domainname}.onmicrosoft.com/{userflow}/oauth2/v2.0/token

with the following attributes as x-www-form-urlencoded:


  • client_id: listed for your app under App registrations

  • client_secret: listed for your app under App registrations > Certificates & secrets, and configured in the tutorial

  • grant_type: authorization_code

  • scope: openid

  • code: the code value contained in the URL from the previous step, https://jwt.ms/?code=eyJraWQiOiJjcGltY[...]

  • redirect_uri: https://jwt.ms

The result should include an id_token. It can be decoded by pasting it into https://jwt.ms without the surrounding quotes. The built-in attributes selected in the user flow, such as jobTitle, and the custom attribute extension_CertificateName are the claims that will be mapped into the Verifiable Credential.

Create an OIDC Credential Issuer 

Follow the tutorial with the following changes specific for Azure AD B2C: 

Under federatedProvider, use:

    "url": "https://{domainname}.b2clogin.com/{domainname}.onmicrosoft.com/{userflow}/v2.0"

It is important to add the v2.0 at the end; without it the Verifiable Credential cannot be created.

For claimMappings, use: 

    "claimMappings": [
        {
            "oidcClaim": "name",
            "jsonLdTerm": "name"
        },
        {
            "oidcClaim": "jobTitle",
            "jsonLdTerm": "jobTitle"
        },
        {
            "oidcClaim": "extension_CertificateName",
            "jsonLdTerm": "educationalCredentialAwarded"
        }
    ]

The jsonLdTerm must match an rdfs:label contained within https://schema.org/version/latest/schemaorg-current-https.jsonld
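As an added, self-contained example (not part of the MATTR tutorial or the platform's own code), the following Python builds the authorize URL and the token request from the steps above, decodes the returned id_token the way jwt.ms does, checks that its nonce matches the one sent, and applies the claimMappings above to produce the credential subject. The tenant values, client secret, id_token and the schema.org label subset are constructed placeholders; in the real deployment the MATTR Platform performs the exchange and verifies the token signature.

```python
import base64
import json
from urllib.parse import urlencode
# Constructed placeholder tenant values; substitute your own B2C tenant.
CONFIG = {"domainname": "contosob2c", "userflow": "B2C_1_signupsignin",
          "clientid": "11111111-2222-3333-4444-555555555555"}
REDIRECT_URI = "https://jwt.ms"
# Same mapping as the tutorial's claimMappings block.
CLAIM_MAPPINGS = [
    {"oidcClaim": "name", "jsonLdTerm": "name"},
    {"oidcClaim": "jobTitle", "jsonLdTerm": "jobTitle"},
    {"oidcClaim": "extension_CertificateName", "jsonLdTerm": "educationalCredentialAwarded"},
]
# Constructed subset of rdfs:label values from the schema.org vocabulary.
SCHEMA_ORG_LABELS = {"name", "jobTitle", "educationalCredentialAwarded"}

def b2c_base(cfg):
    return f"https://{cfg['domainname']}.b2clogin.com/{cfg['domainname']}.onmicrosoft.com/{cfg['userflow']}"

def authorize_url(cfg, nonce):
    # Step 1: the browser request; nonce is random per login and checked in map_claims.
    params = {"client_id": cfg["clientid"], "nonce": nonce, "redirect_uri": REDIRECT_URI,
              "scope": "openid", "response_type": "code"}
    return f"{b2c_base(cfg)}/oauth2/v2.0/authorize?{urlencode(params)}"

def token_request(cfg, client_secret, code):
    # Step 2: endpoint and x-www-form-urlencoded body for the code exchange.
    body = {"client_id": cfg["clientid"], "client_secret": client_secret, "grant_type": "authorization_code",
            "scope": "openid", "code": code, "redirect_uri": REDIRECT_URI}
    return f"{b2c_base(cfg)}/oauth2/v2.0/token", urlencode(body)

def decode_payload(id_token):
    # Unverified payload decode, as jwt.ms does; for inspection only, no signature check.
    part = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def map_claims(claims, expected_nonce):
    # Step 3: reject a replayed or swapped token, then map OIDC claims to JSON-LD terms.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("id_token nonce does not match the authorize request")
    bad = [m["jsonLdTerm"] for m in CLAIM_MAPPINGS if m["jsonLdTerm"] not in SCHEMA_ORG_LABELS]
    if bad:
        raise ValueError(f"jsonLdTerm is not a schema.org label: {bad}")
    return {m["jsonLdTerm"]: claims[m["oidcClaim"]] for m in CLAIM_MAPPINGS if m["oidcClaim"] in claims}

def sample_id_token(claims):
    # Constructed, unsigned token for offline use; a real id_token is signed by B2C.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'sample'})}.{enc(claims)}.signature-omitted"
```

Claims present in the mapping but absent from the id_token (for example, a user who left jobTitle empty) are simply omitted from the result, so check the user flow's returned claims if a credential attribute comes back missing.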

The response contains the id of the OIDC Credential Issuer within the MATTR Platform.

Take the federatedProvider's callbackUrl from the response and add it as another Redirect URI for your web application in Azure AD B2C. To do this, go to portal.azure.com, open your web application, then Authentication -> Redirect URIs -> Add URI.

Try it out

Follow the tutorial to generate a QR Code and scan the QR Code using the MATTR Wallet app. Authenticate using a username and password with Azure AD B2C, and you should be offered a Verifiable Credential.