This sample application demonstrates a simple application secured with the Microsoft identity platform (Azure AD B2C). It is a React single-page application calling an Node.j web api . Role Based Access Control will be handled via Custom Token Attributes.
In the sample, the dashboard component only allows TaskAdmins to see tasks assigned to any users.
- The SPA Application uses MSAL React to authenticate a user with the Microsoft identity platform.
- The App then obtains an access token from Azure AD on behalf of the authenticated user for the Node.js web api.
- The API uses passport-azure-ad to protect its endpoint and accept only authorized calls.
- An Azure AD B2C tenant.
- A Kuberentes cluster to deploy the application to.
- Federate wtih any Social Identity Provider (SIP) that you wish to support.
- Follow thee to configure fedreation with [Azure AD] (https://docs.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-openid-connect) and GitHub
- Navigate to the Azure portal and select the Azure AD B2C service.
- Select the User Attributes blade on the left.
- Select Add
- Enter Name: TaskAdmin
- Data Type: Boolean
- Description: "This attribute is used to determine if the user is a TaskAdmin"
- Navigate to the Azure portal and select the Azure AD B2C service.
- Select the User Flows blade on the left.
- Select New User Flow
- Select Sign In and Sign Up
- Select Recommended
- Click Create*
- Configure with the following:
- Name: signup_signin_1
- Identity Provider: Email Signup and any Social Identity Provider
- MFA: SMS Only and Off
- Conditional Access: Default
- Collect Attributes: Email Address, Display Name
- Return Claims: Email Address, Display Name, TaskAdmin
- Click Create
- Navigate to the Azure portal and select the Azure AD B2C service.
- Select the User Flows blade on the left.
- Select New User Flow
- Select Password Reset
- Select Recommended
- Click Create*
- Configure with the following:
- Name: password_reset_1
- Local Accounts: Reset password using email address
- MFA: SMS Only and Off
- Conditional Access: Default
- Collect Attributes: Display Name
- Navigate to the Azure portal and select the Azure AD B2C service.
- Select the User Flows blade on the left.
- Select New User Flow
- Select Profile Editing
- Select Recommended
- Click Create*
- Configure with the following:
- Name: edit_profile_1
- Identity Provider: Email Signup and any Social Identity Provider
- MFA: SMS Only and Off
- Conditional Access: Default
- Collect Attributes: City, Country/Region, Display Name, Postal Code, State/Province, Street Address, Task Admin
- Click Create
- Navigate to the Azure portal and select the Azure AD B2C service.
- Select the App Registrations blade on the left, then select New registration.
- In the Register an application page that appears, enter your application's registration information:
- In the Name section, enter the application name: todo-api.
- Under Supported account types, select Accounts in any identity provider or organizational directory (for authenticating users with user flows).
- Select Register to create the application.
- Select Save to save your changes.
- In the app's registration screen, select the Expose an API
- Select
Setnext to the Application ID URI to generate a URI that is unique for this app. - Change the default Application ID URI to https://{tenantName}.onmicrosoft.com/todoapi
- Click on Save.
- Select
- Publish an Application Scope
- Select Add a scope button open the Add a scope screen and Enter the values as indicated below:
- For Scope name, use
access_as_user. - Select Admins and users options for Who can consent?.
- For Admin consent display name type
Access todo-api. - For Admin consent description type
Allows the app to access todo-api as the signed-in user. - For User consent display name type
Access todo-api. - For User consent description type
Allow the application to access todo-api on your behalf. - Keep State as Enabled.
- Select the Add scope button on the bottom to save this scope.
- Navigate to the Azure portal and select the Azure AD service.
- Select the App Registrations blade on the left, then select New registration.
- In the Register an application page that appears, enter your application's registration information:
- In the Name section, enter the application name: todo-spa.
- Under Supported account types, select Accounts in any identity provider or organizational directory (for authenticating users with user flows).
- In the Redirect URI (optional) section, select Single-page application in the combo-box
- Enter the following redirect URI:
http://localhost:3000/.
- Select Register to create the application.
- Select Save to save your changes.
- In the app's registration screen, select the API permissions blade.
- Select the Add a permission button and then,
- Ensure that the My APIs tab is selected.
- In the list of APIs, select the API
todo-api. - In the Delegated permissions section, select the todo-api in the list.
- Select access_as_user permission the Add permissions button at the bottom.
- Click Grant Admin Consent to grant the permission to the app.
- Open the
source\api\authConfig.jsonfile. - Find the key
TenantIdand replace the existing value with your Azure AD B2C tenant name. - Find the key
ClientIdand replace the existing value with the application ID (clientId) of API app.
- Open the
source\spa\authConfig.jsonfile. - Find the key
TenantNameand replace the existing value with your Azure AD B2C tenat name. - Find the key
ClientIDand replace the existing value with the application ID (clientId) of SPA app.
cd source/api
npm install
npm start
cd source/spa
npm install
npm start
TBD
- Profile Edit Handler
- Update readme.md
- Custom Token Attributes for Dashboard RBAC
- Create Dockerfile for api
- Create Dockerfile for ui
- Create GitHub Actions pipeline to build/push docker containers
- Create GitHub Actions pipeline to create infrastructure
- Create Helm Charts for Kubernetes deployment
- Update Flux to deploy to Kubernetes cluster