The OAuth2 specifications define six different grant types (https://tools.ietf.org/html/rfc6749 and https://tools.ietf.org/html/draft-ietf-oauth-device-flow-15). Each provides the optimal (from the security point of view) way of obtaining access tokens or (for OIDC) id_tokens given the circumstances of the client application. This blog summarizes the questions that the implementer of an OAuth2 client application needs to ask and how […]
Category Archives: B2C
Using Groups in Azure AD B2C
Out-of-the-box AAD B2C does not expose any functionality related to Security Groups. They exist as an entity type and can be accessed via the regular Azure AD portal blade but there are no features for including user group membership in a token issued as a result of a user flow. To use groups you will […]
Federation patterns using Azure AD
Objectives This post considers scenarios where an application needs to be accessed by users from many sources of authentication. (Office 365, owned and operated by Microsoft but whose use is managed separately by many independent organizations, is an example of such a resource.) It proposes a framework for determining an optimal solution for the application […]
Multi-tenant apps and Azure AD
MR: Nov 21st, 2019: I have modified my sample to use security groups in B2C to simulate application tenants and moved all functionality from a custom database to IEF policies. The new sample app’s source is available on GitHub. This is a follow up to my previous blog re multi-tenant applications using B2C. Here I […]