
I want Azure AD B2C to call e.g. a webhook or REST API on my backend once a new user has signed up (user flow as of now, custom policy later on).

How is that possible? I especially need the object ID of the user to be transferred to my backend immediately after the registration. I had a look at the API connectors, but they are only for e.g. validation. There is no API connector for informing about a finished registration. Contrary to the docs, an object ID is not sent on "Before creating the user", so I also can’t use that for my case.

2 Answers


  1. As per this answer, the API is triggered before the user is created so there is no objectID yet.

    You have to use custom policies. This allows you to control the order of when the API is called.

  2. The user object ID can only be sent after the user has been created in the directory, since if the user doesn’t exist, there is no ID that could be sent.

    If you’re using built-in flows, you can use API Connectors at the "Before sending the token (preview)" step, so your backend will be notified before the token is sent to the user. However, this will also trigger the request on every login or refresh token request, which may not be desirable. To address this, you can enable the "New User" claim for the generated tokens and check if the claim is present in the request sent to your backend.

    As mentioned in other answers, if you need more control over the registration process, you can use Custom Policies to define your own registration workflow and send the objectId using a Technical Profile like this:

    <TechnicalProfile Id="REST-Call">
      <DisplayName>Notify backend about user registration</DisplayName>
      <!-- https://learn.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile -->
      <Protocol Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" Name="Proprietary"/>
      <Metadata>
        <!-- Backend endpoint that receives the POST with the input claims below -->
        <Item Key="ServiceUrl">https://xxx.azurewebsites.net/api/UserRegistered</Item>
        <!-- B2C authenticates to the backend with the client certificate referenced in CryptographicKeys -->
        <Item Key="AuthenticationType">ClientCertificate</Item>
        <!-- Input claims are sent as a JSON object in the request body -->
        <Item Key="SendClaimsIn">Body</Item>
        <Item Key="DefaultUserMessageIfRequestFailed">Cannot process your request right now, please try again later.</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Policy key (certificate) uploaded under Identity Experience Framework > Policy keys -->
        <Key Id="ClientCertificate" StorageReferenceId="B2C_1_BackendClientCertificate"/>
      </CryptographicKeys>
      <InputClaims>
        <!-- objectId is populated once the user has been written to the directory -->
        <InputClaim ClaimTypeReferenceId="objectId"/>
        <!-- https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview#restful-technical-profile -->
        <InputClaim ClaimTypeReferenceId="clientId" DefaultValue="{OIDC:ClientId}" AlwaysUseDefaultValue="true" />
      </InputClaims>
      <!-- No OutputClaims: this profile only notifies the backend -->
    </TechnicalProfile>


    And then use the orchestration steps to call the technical profile.

    If you need help setting up the Custom Policies starter pack, you can use this application to generate the boilerplate: https://b2ciefsetupapp.azurewebsites.net/ or check its repository to get the scripts: https://github.com/azure-ad-b2c/Scripts

    If you’re willing to use your existing backend, you may want to check this repository to see how to integrate the API Connector with an existing WebApp and add user security groups from the directory using Microsoft Graph: https://github.com/azure-ad-b2c/api-connector-samples. However, it seems that the repository is using an outdated version of Microsoft.Graph Nuget (4.48.0 and the current version is 5.6.0) and some changes may be necessary.

    You may also want to check out these samples to set up your API Connector REST API with Azure Functions: https://learn.microsoft.com/en-us/azure/active-directory-b2c/api-connector-samples.

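Added example, not code from the post above nor from Microsoft's API connector samples: a backend handler in Python for the "Before sending the token" API connector request that the second answer describes. It assumes the connector is configured with HTTP basic authentication, that the request body carries `objectId` and the "User is new" claim as a boolean `newUser`, and that the documented `Continue` / `ShowBlockPage` response shape applies. The credentials, object IDs and the provisioning step are constructed stand-ins. Because this connector also fires on every sign-in and token refresh, the handler uses the `newUser` claim plus a seen-ID set so provisioning runs once per user even if a sign-up request is retried. With `SendClaimsIn` set to `Body`, the custom-policy RESTful technical profile posts the same kind of JSON object (here `objectId` and `clientId`), so the same handler serves that route too.

```python
"""Backend handler for an Azure AD B2C API connector ("Before sending the token").

Example code added for illustration. Assumptions: basic auth on the connector,
`objectId` and a boolean `newUser` claim in the request body, and the documented
{"version": "1.0.0", "action": ...} response contract.
"""
import base64
import hmac
import json
from typing import Any

# Constructed credentials standing in for the secret configured on the connector.
CONNECTOR_USERNAME = "b2c-connector"
CONNECTOR_PASSWORD = "replace-with-a-long-random-secret"

# Constructed stand-in for persistence: object IDs already onboarded, plus a log of
# provisioning actions so a caller can verify nothing ran twice.
onboarded: set[str] = set()
provisioning_log: list[str] = []


def basic_auth_header(user: str, password: str) -> dict[str, str]:
    """Build the Authorization header B2C sends when basic auth is configured."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def check_basic_auth(headers: dict[str, str]) -> bool:
    """True only if the Authorization header carries the connector's credentials."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(value[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Constant-time compares so response timing does not leak matching prefixes.
    user_ok = hmac.compare_digest(user.encode(), CONNECTOR_USERNAME.encode())
    pass_ok = hmac.compare_digest(password.encode(), CONNECTOR_PASSWORD.encode())
    return user_ok and pass_ok


def provision_user(object_id: str) -> None:
    """Constructed placeholder for the backend's own onboarding (DB row, welcome mail, ...)."""
    provisioning_log.append(object_id)


def block(message: str) -> dict[str, Any]:
    """Blocking response: B2C ends the flow and shows `message` to the user."""
    return {"version": "1.0.0", "action": "ShowBlockPage", "userMessage": message}


def handle_pre_token_issuance(headers: dict[str, str], raw_body: str) -> tuple[int, dict[str, Any]]:
    """Handle one connector request. Returns (HTTP status, JSON response body)."""
    if not check_basic_auth(headers):
        # Anything other than 200/400 makes B2C show its generic error page; what
        # matters here is that an unauthenticated caller cannot trigger provisioning.
        return 401, {"error": "unauthorized"}

    try:
        claims = json.loads(raw_body)
    except json.JSONDecodeError:
        return 200, block("Malformed request.")
    if not isinstance(claims, dict):
        return 200, block("Malformed request.")

    object_id = claims.get("objectId")
    if not isinstance(object_id, str) or not object_id:
        # Fail closed: a request without objectId means the connector is
        # misconfigured (e.g. attached to the wrong step), so do not guess.
        return 200, block("The request did not include objectId.")

    # This step runs on sign-up, sign-in and refresh alike; `newUser` (assumed
    # name of the "User is new" claim) distinguishes a fresh registration.
    is_new = claims.get("newUser") is True
    if is_new and object_id not in onboarded:
        provision_user(object_id)
        onboarded.add(object_id)
    # A retried sign-up request arrives with newUser true but the id already
    # recorded, and provisions nothing a second time.

    # Continue response: B2C issues the token as normal.
    return 200, {"version": "1.0.0", "action": "Continue"}


if __name__ == "__main__":
    # Constructed sample request, shaped like the documented connector payload.
    hdr = basic_auth_header(CONNECTOR_USERNAME, CONNECTOR_PASSWORD)
    body = '{"step": "PreTokenIssuance", "objectId": "11111111-2222-3333-4444-555555555555", "newUser": true}'
    print(handle_pre_token_issuance(hdr, body), provisioning_log)
```

Wrap `handle_pre_token_issuance` in whatever HTTP framework the backend uses (an Azure Function or ASP.NET endpoint in the linked samples, Flask or FastAPI in Python), load the secret from configuration rather than source, and replace the in-memory set with your real user store. If the backend later moves to the custom-policy route with `AuthenticationType` set to `ClientCertificate`, the basic-auth check is replaced by certificate validation at the TLS layer, and the rest of the handler stays the same.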