
Azure Active Directory B2C

Jan Hajek edited this page May 30, 2016 · 1 revision

The library can also be used with Azure Active Directory B2C with very little extra configuration.

The easiest way is demonstrated below:

$provider = new TheNetworg\OAuth2\Client\Provider\Azure([
    'metadata' => 'https://login.microsoftonline.com/b2ctenant.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=policy_id',
    ...other configuration
]);
// Then you proceed as usual with generating the URL etc.

Notice that the policy is set in the metadata URL. This is necessary because the endpoints the library reads from the metadata document (and therefore the token endpoint used by the authorization_code flow) are specific to that policy. It also limits the use of the library with multiple policies: for each policy, you need to instantiate a separate provider. While this is possible, it can be cumbersome, and it will probably change in a future release.

The second option is to use response_mode=form_post with response_type=id_token. This is the implicit flow: the user is still redirected to the authorization endpoint, but the id_token is posted straight back to your redirect URI by the browser, so no call to the token endpoint is needed. Take a look at the following example:

$provider = new TheNetworg\OAuth2\Client\Provider\Azure([
    'metadata' => 'https://login.microsoftonline.com/b2ctenant.onmicrosoft.com/v2.0/.well-known/openid-configuration',
    'responseType' => 'id_token',
    'responseMode' => 'form_post',
    ...other configuration
]);

session_start();

if (isset($_SESSION['OAuth2.token'])) {
    $token = $_SESSION['OAuth2.token'];
}
if (!isset($token)) {
    if (!isset($_POST['id_token'])) {
        $authUrl = $provider->getAuthorizationUrl([
            'scope' => 'openid',
            'p' => 'policy_id'
        ]);
        $_SESSION['oauth2state'] = $provider->getState();
        header('Location: '.$authUrl);
        exit;
    } else {
        // With form_post the state comes back in $_POST; verify it against the stored
        // value before trusting the response, otherwise an attacker can log your
        // user into a session the attacker controls (login CSRF).
        if (empty($_POST['state']) || empty($_SESSION['oauth2state'])
            || !hash_equals($_SESSION['oauth2state'], $_POST['state'])) {
            unset($_SESSION['oauth2state']);
            exit('Invalid state');
        }
        unset($_SESSION['oauth2state']);
        // Transform the $_POST body into token.
        $token = $provider->createToken($_POST);
        $_SESSION['OAuth2.token'] = $token;
        // Now the user is authenticated through Azure AD B2C
    }
}

When using Azure Active Directory B2C, you won't get an access_token at the moment. If you would like to protect an API, you will have to send the signed id_token to your API instead. The API must then validate the token itself before trusting any claim in it: signature against the keys published at the jwks_uri of the policy's metadata document, issuer, audience (the client_id of the web app that obtained the token), expiry, and the policy the token was issued for. Calling the API from the web app looks like this:

$response = $provider->get("https://your_api_resource/something", $token);
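The API side of that call is not covered by the library. The following is an added example, not code from the oauth2-azure project, showing how the receiving API can validate a B2C id_token: it pins the algorithm to RS256, looks up the signing key by kid in the JWKS, verifies the signature, and checks iss, aud, exp/nbf and the tfp policy claim. The issuer, client_id and policy name are assumptions (take the real issuer from the "issuer" field of the policy's openid-configuration, and the JWKS from its "jwks_uri"); here the JWKS and the token are constructed locally with a throwaway RSA key so the script runs offline.

```php
<?php
// Added example (not part of the oauth2-azure library): validating a B2C id_token on the API side.
// Assumed values: $issuer (the "issuer" of the policy's metadata), $clientId (audience of the
// id_token) and $policy. The JWKS and token below are constructed locally to run offline.

function b64urlEncode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64urlDecode(string $s): string {
    $bin = base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
    if ($bin === false) {
        throw new RuntimeException('Invalid base64url input');
    }
    return $bin;
}

// Minimal DER helpers: turn a JWK (n, e) into a SubjectPublicKeyInfo PEM that openssl_verify accepts.
function derEncode(int $tag, string $content): string {
    $len = strlen($content);
    if ($len < 0x80) {
        $lenBytes = chr($len);
    } else {
        $raw = ltrim(pack('N', $len), "\0");
        $lenBytes = chr(0x80 | strlen($raw)) . $raw;
    }
    return chr($tag) . $lenBytes . $content;
}

function derUnsignedInteger(string $bin): string {
    $bin = ltrim($bin, "\0");
    if ($bin === '' || (ord($bin[0]) & 0x80)) {
        $bin = "\0" . $bin; // keep the INTEGER positive
    }
    return derEncode(0x02, $bin);
}

function jwkToPem(array $jwk): string {
    $rsaPublicKey = derEncode(0x30, derUnsignedInteger(b64urlDecode($jwk['n'])) . derUnsignedInteger(b64urlDecode($jwk['e'])));
    $algorithm = derEncode(0x30, derEncode(0x06, "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") . derEncode(0x05, '')); // rsaEncryption
    $spki = derEncode(0x30, $algorithm . derEncode(0x03, "\0" . $rsaPublicKey));
    return "-----BEGIN PUBLIC KEY-----\n" . chunk_split(base64_encode($spki), 64, "\n") . "-----END PUBLIC KEY-----\n";
}

// Returns the verified claims or throws. Every check matters: alg pinning (never accept "none"),
// kid lookup, signature, issuer, audience, time window and the B2C policy claim.
function validateB2cIdToken(string $jwt, array $jwks, string $issuer, string $audience, string $policy, int $now, int $leeway = 60): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new RuntimeException('Malformed JWT');
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64urlDecode($h), true);
    $claims = json_decode(b64urlDecode($p), true);
    if (!is_array($header) || !is_array($claims)) {
        throw new RuntimeException('Malformed JWT header or payload');
    }
    if (($header['alg'] ?? null) !== 'RS256') {
        throw new RuntimeException('Unexpected alg');
    }
    $key = null;
    foreach ($jwks['keys'] ?? [] as $candidate) {
        if (($candidate['kty'] ?? null) === 'RSA' && ($candidate['kid'] ?? null) === ($header['kid'] ?? null)) {
            $key = $candidate;
            break;
        }
    }
    if ($key === null) {
        throw new RuntimeException('No signing key matches kid');
    }
    if (openssl_verify("$h.$p", b64urlDecode($s), jwkToPem($key), OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('Invalid signature');
    }
    if (($claims['iss'] ?? null) !== $issuer) {
        throw new RuntimeException('Unexpected issuer');
    }
    $aud = $claims['aud'] ?? null;
    if (is_array($aud) ? !in_array($audience, $aud, true) : $aud !== $audience) {
        throw new RuntimeException('Token not issued for this audience');
    }
    if (!isset($claims['exp']) || $now >= $claims['exp'] + $leeway) {
        throw new RuntimeException('Token expired');
    }
    if (isset($claims['nbf']) && $now < $claims['nbf'] - $leeway) {
        throw new RuntimeException('Token not yet valid');
    }
    // B2C carries the policy name in "tfp" (older tokens used "acr"); pin it so a token from another policy is rejected.
    if (($claims['tfp'] ?? $claims['acr'] ?? null) !== $policy) {
        throw new RuntimeException('Token issued by a different policy');
    }
    return $claims;
}

// --- Constructed demo: throwaway key, JWKS and a token signed with it, standing in for B2C ---
$issuer   = 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/'; // assumed
$clientId = 'your-web-app-client-id';  // assumed
$policy   = 'B2C_1_signin';            // assumed
$keyPair  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$details  = openssl_pkey_get_details($keyPair);
$jwks     = ['keys' => [['kty' => 'RSA', 'use' => 'sig', 'kid' => 'demo-kid',
             'n' => b64urlEncode($details['rsa']['n']), 'e' => b64urlEncode($details['rsa']['e'])]]];
$now = time();
$header = b64urlEncode(json_encode(['alg' => 'RS256', 'typ' => 'JWT', 'kid' => 'demo-kid']));
$signingInput = $header . '.' . b64urlEncode(json_encode(['iss' => $issuer, 'aud' => $clientId, 'sub' => 'demo-user',
    'iat' => $now, 'nbf' => $now, 'exp' => $now + 3600, 'tfp' => $policy]));
openssl_sign($signingInput, $signature, $keyPair, OPENSSL_ALGO_SHA256);
$idToken = $signingInput . '.' . b64urlEncode($signature);

$claims = validateB2cIdToken($idToken, $jwks, $issuer, $clientId, $policy, $now);
echo "Accepted token for subject {$claims['sub']}\n";

// A payload altered after signing (here: a different sub) must fail the signature check.
$tampered = $header . '.' . b64urlEncode(json_encode(['iss' => $issuer, 'aud' => $clientId, 'sub' => 'attacker',
    'exp' => $now + 3600, 'tfp' => $policy])) . '.' . b64urlEncode($signature);
try {
    validateB2cIdToken($tampered, $jwks, $issuer, $clientId, $policy, $now);
} catch (RuntimeException $e) {
    echo "Rejected tampered token: {$e->getMessage()}\n";
}
```

In a real API, read the Authorization header, fetch and cache the JWKS from the jwks_uri in the policy's metadata (it is policy-specific and keys rotate, so refresh on an unknown kid), and reject the request on any exception. Note that the audience of an id_token is the web app's client_id, so the API must be configured to accept exactly that value.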