
jitB2C

Azure AD B2C Custom Policies for signing in with Verifiable Credentials

In order to use the Verifiable Credentials with Azure AD B2C, you need to deploy the following:

  1. Deploy the sample issuer and verifier located in the vc folder
  2. Create an Azure Storage Account and deploy the custom html that B2C uses (explained here)
  3. Deploy an Azure AD B2C instance and set up the B2C Identity Experience Framework (explained here)
  4. Modify and upload the B2C Custom Policies in this github repo

Deploy the custom html

  • Create an Azure Storage Account and enable CORS on it for your B2C tenant, as explained here. You should perform step 2 through 3.1. Note that you can select LRS for Replication, as RA-GRS is overkill for this sample.
  • Edit the selfAsserted.html file and replace the url reference var apiUrl = "https://yourappname.azurewebsites.net"; with the url of your verifier deployment. If you are using ngrok, this url will look something like https://901dc458579f.ngrok.io. If you are using Azure App Services, it will look something like https://yourappname.azurewebsites.net
  • Edit both selfAsserted.html and unified.html and replace https://your-storage-account.blob.core.windows.net/your-container/ with the name of your storage account and container.
  • Edit selfAsserted.html and change the link to the issuer sample in the html element Don't have a digital membership card?. It should point to your deployed VC sample issuer. Again, this would be either your ngrok process for the issuer or your Azure App Service deployment of the sample issuer.
  • If you want a different background and logo images, change the img html elements in selfAsserted.html and unified.html.
  • Upload the background and logo images, selfAsserted.html and unified.html to the container in the Azure Storage account.
  • Copy the full url of each file and test that you can access it in a browser. If that fails, the B2C UX will not work either.

Deploy an Azure AD B2C instance

You need a B2C tenant for this sample to work. The current B2C price model is free for the first 50K MAU per month, so the deployment will not cost anything. How to deploy a B2C tenant is explained in the documentation here. Follow that documentation and stop when you come to the section "Custom policy starter pack". You do not need to complete the Facebook part, but you should create a fake Policy Key named FacebookSecret with a placeholder value like abc123.

Modify and upload the B2C Custom Policies

The XML files in the policies folder are the B2C Custom Policies. These files are in a generic state and need to be updated to match your tenant. Therefore, the following needs to be done:

  • Search-and-replace all references to yourtenant.onmicrosoft.com with your real tenant name, for example contosob2c.onmicrosoft.com, in all policy xml files.
  • Search-and-replace all references to yourstorageaccount.blob.core.windows.net with your real storage account in the file TrustFrameworkExtensions.xml. Make sure the path matches the full path of each html document uploaded in the previous section.
  • Find the login-NonInteractive TechnicalProfile in the TrustFrameworkExtensions.xml file and replace the GUIDs for the IdentityExperienceFramework and ProxyIdentityExperienceFramework applications. You need to replace them with the AppIDs (client_ids) of the applications registered in your B2C tenant. Please note that there are 2+2 places you need to update!
  • Find the ServiceUrl for the deployed VC Verifier and update it.
  • Optionally add your AppInsights InstrumentationKey in the Sign*.xml files so you can get trace events when the B2C policy engine executes your policy. If you don't want to use AppInsights, comment that line out.
  • Upload the policies in order: TrustFrameworkBase.xml, TrustFrameworkExtensions.xml and then the rest in no particular order.
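The substitution and upload-order steps above are easy to get wrong by hand (a leftover placeholder, or a mixed-up pair of AppIds, only shows up as a cryptic upload or sign-in error). The script below is an added example, not tooling from the jitB2C repository: it performs the tenant, storage-account and AppId replacements, refuses to produce output that still contains a placeholder or that does not have the 2+2 AppId slots in TrustFrameworkExtensions.xml, and derives the upload order from each file's BasePolicy element rather than from memory. It assumes the AppId placeholders are the literal strings IdentityExperienceFrameworkAppId and ProxyIdentityExperienceFrameworkAppId, as in the Microsoft starter pack; the repo's files may carry other placeholders, so adjust the two constants to match. SAMPLE_POLICIES is a constructed, cut-down stand-in for the policies folder.

```python
"""Prepare B2C custom policy XML for upload (added example, not from the jitB2C repo)."""
import re
import xml.etree.ElementTree as ET

B2C_NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Assumed placeholder strings (starter-pack convention); adjust to what the repo's XML uses.
IEF_PLACEHOLDER = "IdentityExperienceFrameworkAppId"
PROXY_IEF_PLACEHOLDER = "ProxyIdentityExperienceFrameworkAppId"


def _policy(policy_id, body="", base=None):
    """Build a minimal TrustFrameworkPolicy document for the constructed samples."""
    base_xml = (
        "<BasePolicy><TenantId>yourtenant.onmicrosoft.com</TenantId>"
        f"<PolicyId>{base}</PolicyId></BasePolicy>" if base else ""
    )
    return (
        f'<TrustFrameworkPolicy xmlns="{B2C_NS}" TenantId="yourtenant.onmicrosoft.com" '
        f'PolicyId="{policy_id}" PublicPolicyUri="http://yourtenant.onmicrosoft.com/{policy_id}">'
        f"{base_xml}{body}</TrustFrameworkPolicy>"
    )


# Constructed sample input: only the elements this script inspects are kept.
SAMPLE_POLICIES = {
    "SignUpOrSignin.xml": _policy("B2C_1A_VC_susi", base="B2C_1A_TrustFrameworkExtensions"),
    "TrustFrameworkExtensions.xml": _policy(
        "B2C_1A_TrustFrameworkExtensions",
        base="B2C_1A_TrustFrameworkBase",
        body=(
            '<ContentDefinition Id="api.selfasserted"><LoadUri>'
            "https://yourstorageaccount.blob.core.windows.net/b2c/selfAsserted.html"
            "</LoadUri></ContentDefinition>"
            '<TechnicalProfile Id="login-NonInteractive"><Metadata>'
            f'<Item Key="client_id">{PROXY_IEF_PLACEHOLDER}</Item>'
            f'<Item Key="IdTokenAudience">{IEF_PLACEHOLDER}</Item></Metadata><InputClaims>'
            f'<InputClaim ClaimTypeReferenceId="client_id" DefaultValue="{PROXY_IEF_PLACEHOLDER}"/>'
            f'<InputClaim ClaimTypeReferenceId="resource_id" DefaultValue="{IEF_PLACEHOLDER}"/>'
            "</InputClaims></TechnicalProfile>"
        ),
    ),
    "TrustFrameworkBase.xml": _policy("B2C_1A_TrustFrameworkBase"),
}


def substitute(text, mapping):
    """Apply replacements in dict order (a placeholder that contains another must come first)."""
    for placeholder, value in mapping.items():
        text = text.replace(placeholder, value)
    return text


def app_id_slot_counts(text, ief_app_id, proxy_ief_app_id):
    """How often each AppId occurs; the README's '2+2 places' means (2, 2) in Extensions."""
    return text.count(ief_app_id), text.count(proxy_ief_app_id)


def upload_order(policies):
    """Order file names so every <BasePolicy> target is uploaded before the policies built on it."""
    file_of, base_of = {}, {}
    for name, text in policies.items():
        root = ET.fromstring(text)
        policy_id = root.attrib["PolicyId"]
        base = root.find(f"{{{B2C_NS}}}BasePolicy/{{{B2C_NS}}}PolicyId")
        file_of[policy_id] = name
        base_of[policy_id] = base.text if base is not None else None

    order, visited = [], set()

    def visit(policy_id):
        if policy_id in visited:
            return
        visited.add(policy_id)
        parent = base_of[policy_id]
        if parent is not None:
            if parent not in base_of:
                raise ValueError(f"{policy_id} is based on {parent}, which is not in the folder")
            visit(parent)
        order.append(file_of[policy_id])

    for policy_id in sorted(base_of):
        visit(policy_id)
    return order


def prepare(policies, tenant, storage_account, ief_app_id, proxy_ief_app_id):
    """Return ({file: rewritten xml}, upload order), or raise if the result is not deployable."""
    for app_id in (ief_app_id, proxy_ief_app_id):
        if not GUID_RE.match(app_id):
            raise ValueError(f"AppId must be the client_id GUID of the app registration: {app_id!r}")
    if ief_app_id == proxy_ief_app_id:
        raise ValueError("IdentityExperienceFramework and ProxyIdentityExperienceFramework are distinct apps")
    mapping = {
        "yourtenant.onmicrosoft.com": tenant,
        "yourstorageaccount.blob.core.windows.net": f"{storage_account}.blob.core.windows.net",
        PROXY_IEF_PLACEHOLDER: proxy_ief_app_id,  # first: the plain placeholder is its suffix
        IEF_PLACEHOLDER: ief_app_id,
    }
    prepared = {}
    for name, text in policies.items():
        rewritten = substitute(text, mapping)
        leftovers = [p for p in mapping if p in rewritten]
        if leftovers:
            raise ValueError(f"{name} still contains placeholders: {leftovers}")
        prepared[name] = rewritten
    if "TrustFrameworkExtensions.xml" in prepared:
        counts = app_id_slot_counts(prepared["TrustFrameworkExtensions.xml"], ief_app_id, proxy_ief_app_id)
        if counts != (2, 2):
            raise ValueError(f"expected 2+2 AppId slots in TrustFrameworkExtensions.xml, found {counts}")
    return prepared, upload_order(prepared)
```

Write the returned documents back to disk and upload them in the returned order; the ServiceUrl of the verifier and the AppInsights key are not placeholders in the sample and still need to be set by hand as described above.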

Registering a Test Application in your B2C tenant

You should have created a test application during the "Custom Policy Getting Started" section above. If you didn't, follow the documentation here. Make sure you set the Redirect URI type to Web and the Redirect URI to https://jwt.ms, as that makes testing B2C policies easy.

Testing your Azure AD B2C Verifiable Credentials deployment

  1. Create a B2C account
    1. Click on the B2C_1A_VC_susi policy in the portal, select your test app and run the policy with https://jwt.ms as the reply url.
    2. In the sign in user interface, select Sign up and create an account.
  2. Issue yourself a VC for your B2C account
    1. Again, click on the B2C_1A_VC_susi policy in the portal, select your test app and run the policy with https://jwt.ms as the reply url.
    2. Select the Verifiable Credentials button and then click on the link Don't have a digital membership card? to open the sample VC issuer. Scan the QR code with your Microsoft Authenticator, sign in to your B2C account in the Authenticator and accept the VC card.
  3. Try signing in to your B2C account using your VC
    1. Click on the B2C_1A_VC_susi_vc policy in the portal, select your test app and run the policy with https://jwt.ms as the reply url.
    2. When the QR code appears, scan it with your VC in the Authenticator app on your phone.
    3. When you get to the jwt.ms page, notice that the sub claim is the objectId of your B2C user.
  4. Try signing in using only your VC
    1. Click on the B2C_1A_VC_signin policy in the portal, select your test app and run the policy with https://jwt.ms as the reply url.
    2. When the QR code appears, scan it with your VC in the Authenticator app on your phone.
    3. When you get to the jwt.ms page, notice that the sub claim is not the objectId of your B2C user, but the did from the VC.
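The difference in steps 3 and 4 matters for any application behind these policies: a token from B2C_1A_VC_susi_vc identifies the user by the B2C objectId, while a token from B2C_1A_VC_signin identifies the holder by the DID in the credential, and the two must not be treated as the same identity namespace. The script below is an added example, not code from the jitB2C repository. It does offline what jwt.ms does in the browser (decodes the payload without verifying the signature) and classifies the sub claim. The sample tokens are constructed here and signed with a throwaway HS256 key purely so they parse as JWTs; B2C issues RS256 tokens, and a real relying party must validate the signature against the tenant's metadata before trusting any claim.

```python
"""Classify the sub claim of a B2C token (added example, not from the jitB2C repo)."""
import base64
import hashlib
import hmac
import json
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
DID_RE = re.compile(r"^did:[a-z0-9]+:[A-Za-z0-9._:%-]+$")


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(payload, key=b"throwaway-test-key"):
    """HS256-sign a constructed payload so it is a syntactically valid JWT (B2C uses RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_payload(token):
    """Decode without verification, exactly like jwt.ms. Never do this in a relying party."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def classify_subject(token):
    """Return (kind, sub) where kind is 'b2c-objectId', 'did' or 'unknown'."""
    sub = decode_payload(token).get("sub", "")
    if GUID_RE.match(sub):
        return "b2c-objectId", sub
    if DID_RE.match(sub):
        return "did", sub
    return "unknown", sub


# Constructed sample tokens mirroring steps 3 and 4 (issuer and values are made up).
ISSUER = "https://contosob2c.b2clogin.com/11111111-2222-3333-4444-555555555555/v2.0/"
SUSI_VC_TOKEN = make_sample_token(
    {"iss": ISSUER, "sub": "5b0f0a1e-7c2d-4e3f-9a1b-2c3d4e5f6a7b", "tfp": "B2C_1A_VC_susi_vc"}
)
SIGNIN_TOKEN = make_sample_token(
    {"iss": ISSUER, "sub": "did:ion:EiAbc123xyz", "tfp": "B2C_1A_VC_signin"}
)


def subject_kinds():
    """Kind of sub per sample token; a relying party should branch on this, not on sub alone."""
    return {
        "B2C_1A_VC_susi_vc": classify_subject(SUSI_VC_TOKEN)[0],
        "B2C_1A_VC_signin": classify_subject(SIGNIN_TOKEN)[0],
    }


if __name__ == "__main__":
    print(subject_kinds())
```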
