
Azure AD B2C SSO Integration

Overview

APEX uses Azure AD B2C as its identity provider for customer authentication. The system implements OAuth 2.0 and OpenID Connect protocols for secure authentication. This document provides detailed guidance on how to implement SSO with Azure AD B2C in your application.

Important: All Azure AD B2C configuration, tenant setup, and policy management is handled by the APEX team. Contact the APEX team at platform-dev@lightstone.co.za to request Azure configuration changes or to obtain your application's specific credentials.

Configuration Parameters

The Azure AD B2C configuration requires several key parameters that must be defined in your application's configuration. These parameters will be provided by the APEX team.

Parameter Descriptions

  • authority: The Azure AD B2C policy endpoint for sign-up/sign-in. This URL contains the Azure B2C tenant name and the user flow or custom policy to use for signing in.

    • Standard value: "https://login.lightstone.co.za/tfp/lsgb2c.onmicrosoft.com/B2C_1A_SIGNUPORSIGNINV2_TEST/"
  • passwordReset: The password reset policy endpoint. This URL points to a separate user flow configured for password reset operations.

    • Standard value: "https://login.lightstone.co.za/tfp/lsgb2c.onmicrosoft.com/B2C_1A_PASSWORDRESETV2_TEST/"
  • clientId: The application client ID registered in Azure AD B2C. This identifier is provided by the APEX team after they register your application in the Azure portal.

  • redirectUrl: The application redirect URL after successful authentication. Provide this URL to the APEX team to ensure it matches exactly what's registered in the Azure portal for your application.

  • logoutRedirectUrl: The URL to redirect to after logout. Provide this URL to the APEX team so they can configure Azure AD B2C to redirect users to this URL when they sign out.

  • scopes: The API permissions required by the application:

    • Standard values: ["openid", "profile"]
    • If your application needs access to specific APIs, discuss additional scopes with the APEX team
  • knownAuthorities: The list of trusted authority domains for authentication. Only these domains will be considered valid token issuers.

    • Standard values: ["lsgb2c.b2clogin.com", "login.lightstone.co.za"]

Implementation Guide

1. Application Registration

The APEX team will handle all Azure AD B2C tenant creation and application registration processes. To get your application registered:

  1. Contact the APEX team with the following information:
    • Your application name and description
    • Application type ("Web app / API" or "Single-page application")
    • Redirect URLs for authentication
    • Required API permissions and scopes
    • Any custom user attributes needed

The APEX team will provide you with the necessary clientId and other configuration parameters after registration.

2. User Flow Configuration

The APEX team manages all user flow configurations in Azure AD B2C, including:

  • Sign-up and sign-in: Combined flow that allows users to create new accounts or sign in
  • Password reset: Flow that handles the password recovery process
  • Profile editing: Optional flow that allows users to modify their profile information

If you need customizations to these flows, contact the APEX team with your specific requirements.

3. Client-Side Implementation

Configure the MSAL.js library (@azure/msal-browser) in your application with the values provided by the APEX team:

import { PublicClientApplication } from "@azure/msal-browser";

const msalConfig = {
  auth: {
    clientId: "your-client-id", // Use the client ID provided by the APEX team
    authority: "https://login.lightstone.co.za/tfp/lsgb2c.onmicrosoft.com/B2C_1A_SIGNUPORSIGNINV2_TEST/",
    knownAuthorities: ["lsgb2c.b2clogin.com", "login.lightstone.co.za"],
    redirectUri: "https://your-app.com/auth-redirect", // Your application's redirect URL
    postLogoutRedirectUri: "https://your-app.com/logout-redirect" // Your application's logout redirect URL
  },
  cache: {
    cacheLocation: "sessionStorage"
  }
};

const msalInstance = new PublicClientApplication(msalConfig);
// MSAL.js v3 additionally requires `await msalInstance.initialize();` before any other call.

4. Authentication Flows

Sign-in

const loginRequest = {
  scopes: ["openid", "profile"]
};

// With the redirect flow, Azure AD B2C reports errors on the return trip to redirectUri,
// so they surface from handleRedirectPromise() (run once on page load), not from loginRedirect().
msalInstance.handleRedirectPromise()
  .then(response => {
    if (response) {
      msalInstance.setActiveAccount(response.account);
    }
  })
  .catch(error => {
    // AADB2C90118: the user chose "Forgot your password?" - switch to the password reset policy
    if (error.errorMessage && error.errorMessage.includes("AADB2C90118")) {
      msalInstance.loginRedirect({
        ...loginRequest,
        authority: "https://login.lightstone.co.za/tfp/lsgb2c.onmicrosoft.com/B2C_1A_PASSWORDRESETV2_TEST/"
      });
    } else {
      console.error("Login failed", error);
    }
  });

// Start sign-in (for example from a "Sign in" button)
msalInstance.loginRedirect(loginRequest)
  .catch(error => console.error("Could not start login", error));

Token Acquisition

import { InteractionRequiredAuthError } from "@azure/msal-browser";

// acquireTokenSilent needs to know which signed-in account to use
const account = msalInstance.getActiveAccount() || msalInstance.getAllAccounts()[0];

// To call a protected API, request that API's scope (agreed with the APEX team) instead of only openid/profile
msalInstance.acquireTokenSilent({ ...loginRequest, account })
  .then(response => {
    // Use the access token in the response to call your API
    const accessToken = response.accessToken;
  })
  .catch(error => {
    // Cached and refresh tokens are unusable (expired session, consent needed): fall back to interactive
    if (error instanceof InteractionRequiredAuthError) {
      msalInstance.acquireTokenRedirect({ ...loginRequest, account });
    }
  });

Sign-out

// logout() is deprecated in MSAL.js v2+; logoutRedirect() (or logoutPopup()) is the supported call
msalInstance.logoutRedirect({
  account: msalInstance.getActiveAccount(),
  postLogoutRedirectUri: msalConfig.auth.postLogoutRedirectUri
});

Security Best Practices

  1. Token Validation: Always validate tokens on your server (signature, issuer, audience, policy and expiry) before granting access
  2. Secure Storage: Store tokens securely and never in local storage (the sessionStorage cacheLocation shown above is the expected setting)
  3. HTTPS Only: Ensure all communication happens over HTTPS
  4. State Parameter: Use state parameters to prevent CSRF attacks (MSAL.js generates and verifies state automatically; do the same if you build authorization requests yourself)
  5. Scopes: Request only the scopes your application needs

Troubleshooting

Common issues and solutions:

  • CORS errors: Contact the APEX team to ensure your app's domain is registered in the Azure portal
  • Invalid redirect URI: Ensure redirect URIs match exactly what you provided to the APEX team
  • Token expired: Implement proper token refresh logic
  • Silent token acquisition fails: Fall back to interactive authentication
  • Configuration changes needed: Contact the APEX team for any Azure AD B2C configuration changes

Reference