Some notion about authentication and authorization with Azure B2C

In this article we're going to talk about Azure B2C, a cloud identity service that allows developers to customize and control the authentication and authorization process of our applications.

Gustavo Barragán 2024-06-08T23:29:03.000+00:00
Some notion about authentication and authorization with Azure B2C

What is Azure B2C?

Azure B2C is an identity service that offers services for both authentication and authorization. It is what is known in the computing world as CIAM (Customer Identity and Access Management), a cloud identity service that allows developers to customize and control the authentication and authorization process of their applications. These Identity and Access services allow us to free ourselves from the responsibility of implementing and maintaining an authentication and authorization system, allowing us to focus on the development of our applications.

Difference between Authorization and Authentication

Although in the development world we usually use an 'auth' variable to refer to both concepts, it is important to understand that they are two different things. On the one hand, authentication is the process of verifying that a user is who they say they are, and on the other hand, authorization is the process of verifying that a user has permissions to perform an action. So in a real system we can understand the authentication process as the process that tells us who a user is, but this does not mean that they will have access to resources, for that we need the authorization process that It is the one that will tell us if the user has permissions to perform an action.

HTTP authentication and authorization errors

When you start playing with APIs, you may encounter HTTP authentication and authorization errors, these errors are very common and it is important that you understand them not only to solve them but to understand what they refer to in each use case.

401 Unauthorized

This error refers to the fact that the user is not Authenticated, the user has not been verified as who they say they are, so they do not have access to the resources.

403 Forbidden

This error refers to the fact that the user does not have permissions or is not Authorized to access the resource, this can be because the client does not have the necessary permissions or because the resource is not available to the client.

Using B2C only for authentication

Usually in my projects I use external services like Azure B2C in this case only for the authentication part, to free myself from the responsibility of implementing and maintaining an authentication system, but I keep control of the authorization within my app to free myself from the arduous work that is controlling access permissions to resources from a third party.

The Azure B2C Tenant

The Azure B2C Tenant is the workspace that contains all the configurations and customizations of the Azure B2C instance. It is the workspace that contains all the configurations, subscriptions and customizations of the Azure B2C instance.

Features of Azure B2C

Azure B2C has several features that make it a relatively interesting service for the authentication layer of our applications, here I will only mention some of the most outstanding and although it is a world of possibilities I think this is the most relevant.

OAuth and OpenID Connect Protocols

When we use Azure B2C for authentication, we use two authentication protocols, OAuth and OpenID Connect. These protocols are what allow us to authenticate users and obtain information about them.

External identity providers

Azure B2C allows us to use external identity providers such as Google, Facebook, Twitter, LinkedIn, Amazon, WeChat, QQ, Weibo, Microsoft, Apple, and any identity provider that supports OpenID Connect. This allows users to authenticate with their accounts from these providers and greatly facilitates access to the resources of our service as it provides an additional layer of security that is the entire registration and data validation process that these services have already done on the user.

Custom login screens

One of the most interesting features of Azure B2C is the ability to customize the login screens, this allows us to make the authentication experience more user-friendly and adapt to the visual identity of our application. Unlike using only an OAuth provider, which redirects us to the provider's login page, with Azure B2C we can customize the authentication experience so that the user does not feel that they are leaving our application. although I must say that the process of customizing these screens is a bit tedious and requires knowledge of HTML and CSS.

Role management from B2C

Although I usually use these services only for the authentication layer, it is possible to manage roles from B2C, this allows users to have predefined roles and for these roles to be used to control access to resources in our application.

Microsoft Entra External Identity

We must also point out that not even Microsoft is very happy with the current state of Azure B2C and they are working on a new tool called Microsoft Entra External Identity that promises to be a more complete and easier to use solution than Azure B2C. More information about Microsoft Entra External Identity{:target="_blank"}

User policies and authentication strategies

More details about custom policies in this medium article{:target="_blank"}

Conclusion and why I write this post?

If you think this post is a kind of recommendation to extol the virtues of AzureB2C, well, no, hehehe, I'm not really a fan of Microsoft's Cloud products, but for work reasons I've had to use them and I'm in the process of internalizing the knowledge I've acquired, so this post is more of a series of personal notes that I've decided to share with the community.