This is a tiny website written in node.js, so you need to have node and npm installed. Instructions for installing can be found here.
The node.js app is based on the examples in this github repo. It was selected because it does not use any Microsoft libraries and therefore serves as an example that it is possible to migrate to B2C if the webapp uses open standards for its authentication.
To get the website up and running, you need to do the following:
- Install node and npm
- Open a command prompt in the website folder and run
npm install
to install the website dependencies
- Edit file start-website-aws.cmd or start-website-aws.ps1 and set:
- CLIENT_ID = from the AWS Console under General settings > App clients (not the *Ropc app)
- CLIENT_SECRET = from the AWS Console under General settings > App clients (not the *Ropc app)
- AUTH_DOMAIN = from the AWS Console under App integration > Domain name (copy everything from https:// to .com)
- SCOPES = AppScopes/demo.read under App integration > App client settings (copy everything from https:// to .com)
- Start the website by the command
start-website-aws.cmd
or start-website-aws.ps1
Open your browser and navigate to http://localhost:3000/ and click Login with AWS Cognito. You will be redirected to AWS Cognito's login page, and the first time you sign in with an imported user you will be required to change the password. If you authenticate successfully, you will be presented with a page with links to view your tokens with jwt.ms. Remember that you have a session going in your browser, so subsequent login attempts will bypass the AWS Cognito login page and give you the token directly.
To migrate users, you should continue here
When you have migrated the users, it is time to modify the webapp to use B2C as its Identity Provider.
In the Azure portal, in the B2C tenant:
- Go to the App Registrations blade and select + New registration
- Give the app a name (B2C migration testapp), specify
http://localhost:3000/callback
for the Redirect URI, and click Register
- Edit file start-website-b2c.cmd and/or start-website-b2c.ps1 and set:
- B2C_TENANT=yourtenant (without .onmicrosoft.com)
- CLIENT_ID=Application (client) ID from the portal
- CLIENT_SECRET=create a key in Certificates & secrets in the portal. (Remember to escape characters as needed)
- Start the website by the command
start-website-b2c.cmd
or start-website-b2c.ps1
You can script the App Registration if you like by running the following commands.
.\connect-azureadb2c.ps1 -t yourtenant.onmicrosoft.com # interactive login using your Azure AD credentials
.\new-azureadb2c-appreg.ps1 -n "B2C-migration-website-name" -w $False -r @("http://localhost:3000/callback")
Getting Tenant info...
yourtenant.onmicrosoft.com
Creating App...
ObjectID: ab...cd
ClientID: ef...gh
Secret: de...8RCw=
Adding RequiredResourceAccess...
Creating ServicePrincipal...
The script new-azureadb2c-appreg.ps1 sets two environment variables, named web_client_id and web_client_secret, that you can use to edit the start files start-website-b2c.*.
Notice that we don't change to a Microsoft library, like MSAL, and that we are still using simple-oauth which knows nothing about Azure AD B2C.
Open your browser and navigate to http://localhost:3000/ and click Login with Azure AD B2C. You will be redirected to B2C's Custom Policy sign-in page. The first time you sign in, the policy will check with AWS Cognito via your Azure Function, and if AWS says thumbs up on the authentication, the Custom Policy will complete the migration by setting the password in the B2C tenant. If the phoneNumberVerified attribute is True, the phone number will be updated as the verified MFA number. You can see that MFA has been migrated by viewing the "Phone" attribute under Authentication methods.
You can see the migration in action if you open the Logs / Console window on the Azure Function.
If you type the wrong password, you will get an error message saying Could not verify migrated user in old system. This comes from the Azure Function code and is only there to show that AWS rejected the password. In a real world case you would have a more neutral error message.