Skip to content

How to call Azure Active Directory B2C

sample App demonstrates the usage of Azure B2C in a Angular SPA:
But the best an surely up to date information you get directly at the Azure Active Directory B2C documentation

User flows

We support the following flows. To support different appearance of the UI we created different flows for each partner and you will get your customized flow.

purpose name remark
sign up - sign in B2C_1A_signup_signin 1 flow for login and register as a new guest.
Usually to only one you need to work with.
sign in B2C_1A_signin A flow which provides only login but no sign-up.
reset password B2C_1A_PasswordReset Reset the password in case the user registered with username/password.
This is offered inside the sign-in process so you do not need to place it explicitely.
edit profile - We decided to skip this. Because it would work only for registered users and to change profile data for users "as a guest" (without login) would have been different. Therefore all profile data can/must be edited using our profile service

To call it you need the

  • flow name (see above)
  • client-Id (you get when we register your application)
  • redirect url (we can register several for the application, so you must choose one of the registered ones)
  • (optional) partnerAcronym: If you specify the partnerAcronym then your logo will be loaded. You need to provide it us.

example url{flow-name}&client_id={clientId}&nonce=defaultNonce&redirect_uri={redirect-url}&scope=openid&response_type=id_token&prompt=login

UI customization

On the topbar on the left side your logo can be placed. You need to provide us the logo. Based on the partnerAcronym query parameter the logo will be selected.


GET{sign up-sign in flow name}/oauth2/v2.0//logout?post_logout_redirect_uri={redirect-url}

With calling the logout from Azure B2C the client gets logged out on the Identity provider. If you do not call this, the user is automatically logged in again when the sign-in flow is called before the session on Azure B2C times out. Therefore to allow to switch users you must call the logout on your application logout.

more information: Send a sign-out request


Available languages and default language can be configured for each user flow independently. In Azure AD B2C are many languages configured already and we can just activate them. Missing languages can be added and text can be changed.

  • de
  • en
  • fr
  • it

How the language is determined

  • ui_locales query paramter: If the query option ui_locales the language can be specified e.g. "ui_locales=de"
  • Browser-requested language: If no ui_locales parameter was specified, your user flow is translated to the browser-requested language, if the language is supported.
  • Policy default language: If the browser doesn't specify a language, or it specifies one that is not supported, the user flow is translated to the user flow default language.

Attributes / user data

We only collect few information on the sign up process. We do have the possibility to collect different information in each partner's sign up process

  • Email address
  • Given name
  • Surname
  • Displayname (nickname)

Supported Identity Providers

  • username / password
  • Microsoft
  • Google
  • Apple ID
  • Facebook (not setup yet)
  • almost any identity provider is possible - leave a request with us

Verification of Authorization tokens

In case you need to verify the token when accessing your own API (authorization):

Server side

The authorization token is a standard JWT and validation can be done with all JWT libraries. Important to know is that the used keys change regularly. There are libraries from Microsoft and the handling of the key is already built in.

This article is helpful (see Validation): Overview of tokens in Azure Active Directory B2C

And this is the url to get the keys:
(where the name of the flow - p - should be the one you use to authenticate)

The JSON document located at this URL contains all the public key information in use at a particular moment. Your app can use the kid claim in the JWT header to select the public key in the JSON document that is used to sign a particular token. It can then perform signature validation by using the correct public key and the indicated algorithm.

Here you can download all links and resources (including the one above).

Last update: September 23, 2020 08:58:46