Authentication Support with Azure AD with B2C

[jaliyaudagedara]

I couldn't get authentication to work with Azure AD B2C.

Upon looking at the code, we are using IdentityModel in the OAuth2TokenManager.

Unfortunately following line doesn't work with Azure AD B2C. discoveryDocument is going to contain an error.

var discoveryDocument = 
    await this.HttpClient.GetDiscoveryDocumentAsync(oauthProperties.Authority.ToString(), cancellationToken);

The error is, Endpoint belongs to different authority which is getting thrown from IdentityModel library.

And because of that, discoveryDocument.TokenEndpoint is going to be null here.

using var request = new HttpRequestMessage(HttpMethod.Post, new Uri(oauthProperties.Authority, discoveryDocument.TokenEndpoint))
{
    Content = new FormUrlEncodedContent(properties)
};

We can get past that error when using IdentityModel by doing something like below,

DiscoveryDocumentResponse discoveryDocument
    = await httpClient.GetDiscoveryDocumentAsync(new DiscoveryDocumentRequest
    {
        Address = "https://login.microsoftonline.com/<TenantId>/v2.0",
        Policy = new DiscoveryPolicy
        {
            AdditionalEndpointBaseAddresses =
            {
                "https://login.microsoftonline.com/<TenantId>",
		"https://graph.microsoft.com/oidc/userinfo"
            }
        }
    });

But OAuth2TokenManager isn't extendable.

[cdavernas]

We can get past that error when using IdentityModel by doing something like below

Suggested fix is easy enough, but the problem is where to get those additional base addresses from? We could potentially store said addresses in a custom property of the OAuth2AuthenticationProperties metadata to make it work for now.

I think, however, that it would make sense to add it to the ServerlessWorkflow's OAuth2AuthenticationProperties well known and well described properties. Could you take care of opening a new feature request about it on https://github.com/serverlessworkflow/specification?

But OAuth2TokenManager isn't extendable.

It is extendable, no service class is sealed, and all their protected/public methods are virtual. I understand it is not, however, practical to have to rebuild a custom worker just for said use case.

[jaliyaudagedara]

I think, however, that it would make sense to add it to the ServerlessWorkflow's OAuth2AuthenticationProperties well known and well described properties. Could you take care of opening a new feature request about it on

Completely agree, the suggestion was to get it to work, we of course need to come up with a better approach. Will create a feature request in the spec.

It is extendable, no service class is sealed, and all their protected/public methods are virtual. I understand it is not, however, practical to have to rebuild a custom worker just for said use case.

Of course, it's extendable, but then we will have to create a custom worker (as you mentioned) which we shouldn't be doing.

[jaliyaudagedara]

@cdavernas, found another issue:

OAuth2 Properties Definition in Serverless Workflow Specification doesn't follow their OAuth2AuthenticationProperties.

Basically if I specify auth as follows,

"auth": [
    {
        "scheme": "oauth2",
        "name": "authentication-1",
        "properties": {
            "authority": "https://informasoftwaredev.b2clogin.com/informasoftwaredev.onmicrosoft.com/B2C_1A_AD_SIGNUP_SIGNIN/oauth2/v2.0/authorize",
            "grantType": "clientCredentials"
            "audiences": [
                "<audience-1>"
            ],
            "clientId": "<clientId>",
            "clientSecret": "<secret>",
            "scopes": [
                "<scope-1>"
            ]
        }
    }
],

Not all the properties are getting serialized into OAuth2AuthenticationProperties

And even values for OAuth2GrantType, isn't getting serialized.

I had to put auth as follows in order for FE to happy and values to be serialized.

"auth": [
    {
        "scheme": "oauth2",
        "name": "authentication-1",
        "properties": {
            "authority": "<authority>",
            "grant_type": "client_credentials",
            "grantType": "clientCredentials", // just to satisfy the FE
            "audience": "<audience-1>",
            "clientId": "<clientId>",  // just to satisfy the FE
            "client_id": "<clientId>",
            "clientSecret": "<secret>",  // just to satisfy the FE
            "client_secret": "<secret>",
            "scope": "<scope-1>"
        }
    }
],

FE validations are based on: https://github.com/serverlessworkflow/synapse/blob/main/src/dashboard/Synapse.Dashboard/wwwroot/schemas/0.8/auth.json

Another possible bug:

synapse/src/dashboard/Synapse.Dashboard/Features/Workflows/WorkflowEditor/AuthenticationEditor.razor

Line 169 in cba235f

AuthenticationScheme.OAuth2 => new BearerAuthenticationProperties(),

Believe this should be,

[cdavernas]

That well known issue is due to casing, which I did not properly document in SW spec. OAuth2 indeed mandates snake case instead of camel's. As you realized, using snake cased properties does the trick.

Your last comment is I believe correct, this looks like a bug. Strange however we did not face it so far, though we heavily rely on that auth scheme in our use cases

[cdavernas]

Closed as completed by serverlessworkflow/specification#912