Azure AD B2C SSO Integration
Overview
APEX uses Azure AD B2C as its identity provider for customer authentication. The system implements OAuth 2.0 and OpenID Connect protocols for secure authentication. This document provides detailed guidance on how to implement SSO with Azure AD B2C in your application.
Important: All Azure AD B2C configuration, tenant setup, and policy management is handled by the APEX team. Contact the APEX team at platform-dev@lightstone.co.za to request Azure configuration changes or to obtain your application's specific credentials.
Configuration Parameters
The Azure AD B2C configuration requires several key parameters that must be defined in your application's configuration. These parameters will be provided by the APEX team.
Parameter Descriptions
- authority: The Azure AD B2C policy endpoint for sign-up/sign-in. This URL contains the Azure B2C tenant name and the user flow or custom policy to use for signing in.
  - Standard value: "https://login.lightstone.co.za/tfp/lsgb2c.onmicrosoft.com/B2C_1A_SIGNUPORSIGNINV2_TEST/"
- passwordReset: The password reset policy endpoint. This URL points to a separate user flow configured for password reset operations.
  - Standard value: "https://login.lightstone.co.za/tfp/lsgb2c.onmicrosoft.com/B2C_1A_PASSWORDRESETV2_TEST/"
- clientId: The application client ID registered in Azure AD B2C. This identifier is provided by the APEX team after they register your application in the Azure portal.
- redirectUrl: The application redirect URL after successful authentication. Provide this URL to the APEX team to ensure it matches exactly what's registered in the Azure portal for your application.
- logoutRedirectUrl: The URL to redirect to after logout. Provide this URL to the APEX team so they can configure Azure AD B2C to redirect users to this URL when they sign out.
- scopes: The API permissions required by the application.
  - Standard values: ["openid", "profile"]
  - If your application needs access to specific APIs, discuss additional scopes with the APEX team.
- knownAuthorities: The list of trusted authority domains for authentication. Only these domains will be considered valid token issuers.
  - Standard values: ["lsgb2c.b2clogin.com", "login.lightstone.co.za"]
Implementation Guide
1. Application Registration
The APEX team will handle all Azure AD B2C tenant creation and application registration processes. To get your application registered:
- Contact the APEX team with the following information:
  - Your application name and description
  - Application type ("Web app / API" or "Single-page application")
  - Redirect URLs for authentication
  - Required API permissions and scopes
  - Any custom user attributes needed
The APEX team will provide you with the necessary clientId and other configuration parameters after registration.
2. User Flow Configuration
The APEX team manages all user flow configurations in Azure AD B2C, including:
- Sign-up and sign-in: Combined flow that allows users to create new accounts or sign in
- Password reset: Flow that handles the password recovery process
- Profile editing: Optional flow that allows users to modify their profile information
If you need customizations to these flows, contact the APEX team with your specific requirements.
3. Client-Side Implementation
Implement the MSAL.js library in your application using the configuration provided by the APEX team:
import { PublicClientApplication } from "@azure/msal-browser";

const msalConfig = {
  auth: {
    clientId: "your-client-id", // Use the client ID provided by the APEX team
    authority: "https://login.lightstone.co.za/tfp/lsgb2c.onmicrosoft.com/B2C_1A_SIGNUPORSIGNINV2_TEST/",
    knownAuthorities: ["lsgb2c.b2clogin.com", "login.lightstone.co.za"], // Only these hosts are trusted as authorities
    redirectUri: "https://your-app.com/auth-redirect", // Your application's redirect URL
    postLogoutRedirectUri: "https://your-app.com/logout-redirect" // Your application's logout redirect URL
  },
  cache: {
    cacheLocation: "sessionStorage" // Tokens are scoped to the tab and cleared when it closes; avoid localStorage
  }
};

const msalInstance = new PublicClientApplication(msalConfig);
4. Authentication Flows
Sign-in
const loginRequest = {
  scopes: ["openid", "profile"]
};

// With redirect flows, errors (including the password-reset request) come back
// when the app reloads at redirectUri, so handle them in handleRedirectPromise().
msalInstance.handleRedirectPromise()
  .then(response => {
    if (response) msalInstance.setActiveAccount(response.account);
  })
  .catch(error => {
    // AADB2C90118: the user chose "Forgot your password?" - redirect to the reset flow
    if (error.errorMessage && error.errorMessage.includes("AADB2C90118")) {
      msalInstance.loginRedirect({
        ...loginRequest,
        authority: "https://login.lightstone.co.za/tfp/lsgb2c.onmicrosoft.com/B2C_1A_PASSWORDRESETV2_TEST/"
      });
    }
  });

// Start sign-in, e.g. from a "Sign in" button handler
msalInstance.loginRedirect(loginRequest)
  .catch(error => console.error("Login failed", error));
Token Acquisition
import { InteractionRequiredAuthError } from "@azure/msal-browser";

// acquireTokenSilent needs the account whose cached tokens should be used
const account = msalInstance.getActiveAccount() || msalInstance.getAllAccounts()[0];

msalInstance.acquireTokenSilent({ ...loginRequest, account })
  .then(response => {
    // Use the access token in the response to call your API
    const accessToken = response.accessToken;
  })
  .catch(error => {
    // Silent renewal needs user interaction (e.g. expired session); fall back to redirect
    if (error instanceof InteractionRequiredAuthError) {
      msalInstance.acquireTokenRedirect({ ...loginRequest, account });
    }
  });
Sign-out
// logoutRedirect is the current MSAL.js API; logout() is deprecated
msalInstance.logoutRedirect({
  postLogoutRedirectUri: msalConfig.auth.postLogoutRedirectUri
});
Security Best Practices
- Token Validation: Always validate tokens on your server before granting access
- Secure Storage: Store tokens securely and never in local storage
- HTTPS Only: Ensure all communication happens over HTTPS
- State Parameter: Use state parameters to prevent CSRF attacks
- Scopes: Request only the scopes your application needs
Troubleshooting
Common issues and solutions:
| Issue | Solution |
|---|---|
CORS errors | Contact the APEX team to ensure your app's domain is registered in the Azure portal |
Invalid redirect URI | Ensure redirect URIs match what you provided to the APEX team |
Token expired | Implement proper token refresh logic |
Silent token acquisition fails | Fall back to interactive authentication |
Configuration changes needed | Contact the APEX team for any Azure AD B2C configuration changes |
Reference
- MSAL.js Documentation
- OpenID Connect Specifications
- Contact APEX Support for Azure AD B2C configuration assistance