Question
I want to integrate Multi-Factor Authentication (MFA) through Azure Active Directory (AD) B2C in my website, which is built in PHP, only for authentication purposes.
I checked its documentation and some code samples, and I have created the following things from the tutorial mentioned here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant
- Azure AD B2C tenant
- Register a web application (reply URL is https://jwt.ms)
- Create a sign-up and sign-in user flow / password reset user flow
I tested the sign-up/sign-in user flow and the password reset user flow using the URL provided by the Azure Portal under the "Run user flow" endpoint, and it is working perfectly as expected; on a successful response I got a JWT token, which contains information like this:
But I am not sure whether what I have planned is correct according to the standard.
My plan is as follows: I will give an option in the user profile section to enable/disable MFA. So if a user enables MFA, then on the next login, after successful authentication (through the email and password stored in the database), the user will be redirected to an MFA page. On the MFA page there are 2 buttons, Sign up/Sign in and Forgot Password:
- Sign up/Sign in: this button has the link created by the "Sign up and sign in" user flow at Azure AD B2C - User flows (policies).
- Forgot Password: this button has the link created by the "Password reset" user flow at Azure AD B2C - User flows (policies). I needed to add this because the Forgot Password link in Sign up/Sign in is not working as intended; it redirects to the Reply URL with some information and a message like this:
AADB2C90118: The user has forgotten their password
In both user flows I enabled MFA, so on successful MFA I will redirect the user to the dashboard in my website; otherwise the user will remain on the MFA page.
I have explained my plan; please suggest whether I am doing something wrong in the Sign up/Sign in or Forgot Password flow, or whether I can make it better.
To decode the JWT token in PHP, I am breaking it on "." and using base64_decode() to extract the data. Is it good to decode it manually? Also, please let me know how I can validate it.
Any help or suggestions will be helpful for me.
Thanks in advance.
Answer 1:
1. "I explained my plan; please suggest whether I am doing something wrong in the Sign up/Sign in or Forgot Password flow, or whether I can make it better."
It seems you are on the right track, but if you want you could add a custom set of rules for your passwords to make them more secure and reliable. B2C provides many rules there. You can find all the password enforcement rules here.
2. "To decode the JWT token in PHP, I am breaking it on "." and using base64_decode() to extract the data. Is it good to decode it manually? Also, please let me know how I can validate it."
Breaking the JWT token up using base64 is alright. You can check it manually, but it is good practice to handle it in the program. There are many threads already solved regarding token validation, so I am referring to some of those which you can easily implement. Check here how you would validate a JWT token; also check this.
Note: For manual decoding you could validate at https://jwt.io/; there you can get many algorithms together.
You can try: having a look at your case, I also suggest you take a look at the B2C self-service password reset option, which is also popular among developers as far as I know. You can try it out; as a result it will reduce much of your overhead and let you handle the scenario with less hassle.
Note: Please have a look at the referenced document for token validation; you will get a good idea of how you can validate your token.
Answer 2:
The way the password reset flow works is a bit different. When the user clicks on the reset password link, AAD B2C redirects to the relying party service (main service) with a specific error code (AADB2C90118). The relying party service should then invoke the reset password policy flow.
The code sample link shows how to catch the error and then redirect to the reset password handler.
For decoding the JWT token, there should be existing libraries; I would recommend using them.
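The following is an added example, not code from the question or either answer, covering both points raised above: how a relying party should decode and validate the token instead of trusting a bare base64_decode() of the segments, and how to recognise the AADB2C90118 redirect and hand the user to the password-reset user flow. It is written in Python so it runs stand-alone; the PHP equivalents are base64_decode(strtr($segment, '-_', '+/')) for the base64url step, hash_equals() for the constant-time comparison, and openssl_verify() for the signature. Two things are simplified and labelled as such: the token is minted locally with HS256 and a constructed shared secret so the script needs no network, whereas real B2C tokens are RS256-signed with public keys fetched from the tenant's JWKS endpoint (only verify_signature-style line changes, the claim checks stay the same); and the issuer, audience, policy name (B2C's tfp claim) and user id are constructed placeholders, not values from the page.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs

# Constructed demo values (not from the page or any real tenant).
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_ISS = "https://example-tenant.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/"
EXPECTED_AUD = "11111111-1111-1111-1111-111111111111"  # the web app's client id
SIGNIN_POLICY = "B2C_1_signupsignin"                  # expected tfp (user flow) claim


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url (RFC 4648 section 5): '-' and '_' instead of
    '+' and '/', with the '=' padding stripped. A plain base64 decoder drops or
    rejects those characters, so restore padding and use the url-safe alphabet."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_hs256_token(claims: dict, secret: bytes) -> str:
    """Mint a token locally so the demo has something to validate offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class TokenError(Exception):
    pass


def validate_token(token, secret, expected_iss, expected_aud, expected_tfp, now=None, leeway=60):
    """Return the claims only after the signature and every claim check pass."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token's own header must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison, done before a single claim is read.
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise TokenError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("audience mismatch")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenError("token expired or has no exp")
    if now + leeway < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    # B2C records the user flow in tfp; a token from another flow is not this login.
    if claims.get("tfp") != expected_tfp:
        raise TokenError("token issued by unexpected user flow")
    return claims


def handle_b2c_callback(query_string: str) -> tuple:
    """Classify the redirect back from B2C. AADB2C90118 at the start of
    error_description means the user pressed 'Forgot password', so the app
    itself must start the password-reset user flow (answer 2 above)."""
    params = parse_qs(query_string)
    desc = params.get("error_description", [""])[0]
    if params.get("error") and desc.startswith("AADB2C90118"):
        return ("start_password_reset_flow", None)
    if params.get("error"):
        return ("show_error", desc)
    token = params.get("id_token", [None])[0]
    return ("validate_token", token) if token else ("show_error", "no id_token in callback")


def demo(now=1_700_000_000):
    """Validate a good token, then show that a payload edit is caught."""
    claims = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "tfp": SIGNIN_POLICY,
              "sub": "constructed-user-object-id", "iat": now, "nbf": now, "exp": now + 3600}
    token = mint_hs256_token(claims, SHARED_SECRET)
    ok = validate_token(token, SHARED_SECRET, EXPECTED_ISS, EXPECTED_AUD, SIGNIN_POLICY, now=now)
    h, _p, s = token.split(".")
    forged = b64url_encode(json.dumps(dict(claims, sub="someone-else")).encode())
    try:
        validate_token(f"{h}.{forged}.{s}", SHARED_SECRET, EXPECTED_ISS, EXPECTED_AUD, SIGNIN_POLICY, now=now)
        tamper_detected = False
    except TokenError:
        tamper_detected = True
    return ok["sub"], tamper_detected


if __name__ == "__main__":
    print(demo())
    print(handle_b2c_callback("error=access_denied&error_description=AADB2C90118%3A+The+user+has+forgotten+their+password."))
```

The order inside validate_token is the part worth keeping when porting to PHP: algorithm pinned from your own configuration, signature verified with a constant-time compare, and only then iss, aud, exp/nbf and the user-flow claim checked against values your app expects, so nothing in the payload is acted on before the signature proves it came from your tenant.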
Source: https://stackoverflow.com/questions/55626201/azure-active-directory-b2c-user-flows-policies-for-signin-signup-and-passwor