Here we demonstrate how to integrate Azure AD B2C as an Identity Management Service into the PlayFab login process.
This sample includes a .NET Core MVC project that uses B2C as the authentication service and uses the retrieved ID token to log in to PlayFab through the LoginWithOpenIDConnect API endpoint, which allows a user to log in with an ID token issued by an identity provider that complies with the OpenID Connect standard.
Besides that, the sample stores the SessionTicket returned by PlayFab on a successful login and uses it to update the user data with the claims returned in the ID token and to read that data back, showing how to store and use the session ticket to consume the PlayFab API on behalf of the user.
In this document we explain the steps required to configure the MVC application and PlayFab so that the login process works.
If you are new to Azure AD B2C or custom policies, we recommend reading the following Microsoft documentation:
- What is Azure Active Directory B2C?
- Custom policies in Azure Active Directory B2C
- Get started with custom policies in Azure Active Directory B2C.
This diagram shows the sign-in / sign-up flow when Azure AD B2C is integrated with PlayFab as the identity management service.
First, you need a policy, either a user flow or a custom policy, where the user enters their credentials.
If you don't have one yet, you can follow one of these documents:
- Tutorial: Create user flows in Azure Active Directory B2C
- Get started with custom policies in Azure Active Directory B2C
To just run this sample, we recommend using a user flow, which is the simplest option.
NOTE: This sample works with both user flows and custom policies.
Once you have created the B2C resources, retrieve the endpoint of the OpenID Connect metadata document from the application you created during policy creation.
For that, go to your Azure AD B2C tenant in the portal and retrieve it as shown below.
Then replace the <policy-name> placeholder with the name of your policy. For instance, if your policy is named b2c_1_susi, the URL is https://b2cplayfab.b2clogin.com/b2cplayfab.onmicrosoft.com/b2c_1_susi/v2.0/.well-known/openid-configuration.
Open that URL; from there you can retrieve the rest of the endpoints and data needed to create the OpenID connection. You will see a document that starts with the following structure:
{
  "issuer": "https://b2cplayfab.b2clogin.com/55bf5ec7-5226-4673-ae31-bfd3c9abdf0a/v2.0/",
  "authorization_endpoint": "https://b2cplayfab.b2clogin.com/b2cplayfab.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/authorize",
  "token_endpoint": "https://b2cplayfab.b2clogin.com/b2cplayfab.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/token",
  "end_session_endpoint": "https://b2cplayfab.b2clogin.com/b2cplayfab.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/logout",
  "jwks_uri": "https://b2cplayfab.b2clogin.com/b2cplayfab.onmicrosoft.com/b2c_1_susi/discovery/v2.0/keys",
  // rest of document
}
From this document, we use:
- The issuer.
- The authorization_endpoint: IssuerInformation.AuthorizationUrl in the OpenID connection at PlayFab.
- The token_endpoint: IssuerInformation.TokenUrl in the OpenID connection at PlayFab.
- The jwks_uri: we go to the URL specified and from there extract the values that correspond to IssuerInformation.JsonWebKeySet.keys. That document looks like the following:
  { "keys": [ { "kid": "", "nbf": 00001111, "use": "sig", "kty": "RSA", "e": "", "n": "" } ] }
With these endpoints and data, we create the OpenID connection using the PlayFab API endpoint CreateOpenIdConnection with the following request.
POST /Admin/CreateOpenIdConnection HTTP/1.1
Host: <your title ID>.playfabapi.com
Content-Type: application/json
X-SecretKey: <the secret key>
{
  "ConnectionId": "<identifier that you are assigning to the connection>",
  "ClientId": "<client ID of the B2C application>",
  "ClientSecret": "<client secret for the B2C application>",
  "DiscoverConfiguration": true,
  "IssuerInformation": {
    "Issuer": "<issuer>",
    "AuthorizationUrl": "<Authorization URL>",
    "TokenUrl": "<Token URL>",
    "JsonWebKeySet": {
      <keys>
    }
  }
}
The Title ID and Secret Key can be retrieved from the PlayFab Game Manager; the ClientId can be retrieved from the Overview section of the application in the Azure portal, and the ClientSecret is shown during application creation.
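The procedure above (read the metadata document, pull the signing keys from jwks_uri, and post the CreateOpenIdConnection request with the secret key in X-SecretKey) can be scripted. The following C# console helper is an added example and is not code from the sample project; it assumes the metadata URL described above, and it reads the Title ID, Secret Key, ClientId and ClientSecret from environment variables whose names (PLAYFAB_TITLE_ID, PLAYFAB_SECRET_KEY, B2C_CLIENT_ID, B2C_CLIENT_SECRET) are this example's own choice, so that the secret key never sits in source or appsettings.

```csharp
using System;
using System.Net.Http;
using System.Text;
using System.Text.Json.Nodes;
using System.Threading.Tasks;

// Added example: builds the CreateOpenIdConnection request shown above from the
// B2C metadata document and its JWKS, then posts it to the PlayFab Admin API.
public static class OpenIdConnectionSetup
{
    private static readonly HttpClient Http = new HttpClient();

    public static async Task CreateConnectionAsync(string metadataUrl, string connectionId)
    {
        // Environment variable names are an assumption of this example.
        string titleId = Environment.GetEnvironmentVariable("PLAYFAB_TITLE_ID");
        string secretKey = Environment.GetEnvironmentVariable("PLAYFAB_SECRET_KEY");
        string clientId = Environment.GetEnvironmentVariable("B2C_CLIENT_ID");
        string clientSecret = Environment.GetEnvironmentVariable("B2C_CLIENT_SECRET");

        // 1. Metadata document: issuer, authorization_endpoint, token_endpoint, jwks_uri.
        JsonNode metadata = JsonNode.Parse(await Http.GetStringAsync(metadataUrl));
        string issuer = metadata["issuer"].GetValue<string>();
        string authorizationUrl = metadata["authorization_endpoint"].GetValue<string>();
        string tokenUrl = metadata["token_endpoint"].GetValue<string>();
        string jwksUri = metadata["jwks_uri"].GetValue<string>();

        // The B2C issuer is not a prefix of the metadata URL, but it must at least
        // come from the same host; anything else means the wrong document was fetched.
        if (!string.Equals(new Uri(issuer).Host, new Uri(metadataUrl).Host, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Issuer and metadata document belong to different hosts.");

        // 2. JWKS: keep only RSA signing keys and only the fields listed in the text
        //    (kid, nbf, use, kty, e, n); other fields the tenant publishes are dropped.
        JsonNode jwks = JsonNode.Parse(await Http.GetStringAsync(jwksUri));
        var keys = new JsonArray();
        foreach (JsonNode key in jwks["keys"].AsArray())
        {
            if (key["kty"]?.GetValue<string>() != "RSA" || key["use"]?.GetValue<string>() != "sig")
                continue;
            keys.Add(new JsonObject
            {
                ["kid"] = key["kid"]?.GetValue<string>(),
                ["nbf"] = key["nbf"]?.GetValue<long>(),
                ["use"] = "sig",
                ["kty"] = "RSA",
                ["e"] = key["e"]?.GetValue<string>(),
                ["n"] = key["n"]?.GetValue<string>()
            });
        }
        if (keys.Count == 0)
            throw new InvalidOperationException("No RSA signing key found in the JWKS document.");

        // 3. Request body with the same shape as the request shown above.
        var request = new JsonObject
        {
            ["ConnectionId"] = connectionId,
            ["ClientId"] = clientId,
            ["ClientSecret"] = clientSecret,
            ["DiscoverConfiguration"] = true,
            ["IssuerInformation"] = new JsonObject
            {
                ["Issuer"] = issuer,
                ["AuthorizationUrl"] = authorizationUrl,
                ["TokenUrl"] = tokenUrl,
                ["JsonWebKeySet"] = new JsonObject { ["keys"] = keys }
            }
        };

        // 4. POST /Admin/CreateOpenIdConnection on <title ID>.playfabapi.com with X-SecretKey.
        var message = new HttpRequestMessage(HttpMethod.Post,
            $"https://{titleId}.playfabapi.com/Admin/CreateOpenIdConnection")
        {
            Content = new StringContent(request.ToJsonString(), Encoding.UTF8, "application/json")
        };
        message.Headers.Add("X-SecretKey", secretKey);

        HttpResponseMessage response = await Http.SendAsync(message);
        string body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
            throw new InvalidOperationException($"CreateOpenIdConnection failed ({(int)response.StatusCode}): {body}");
    }
}
```

Call it as `await OpenIdConnectionSetup.CreateConnectionAsync("https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<policy-name>/v2.0/.well-known/openid-configuration", "<connection ID>")`. The secret key is a title-wide admin credential, so this helper is meant to be run once from an operator's machine or a deployment pipeline, not from the web application itself.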
To configure the MVC project, update the appsettings.json file with some of the data used before.
{
  "AzureAdB2C": {
    "Instance": "<instance>",
    "ClientId": "<client ID>",
    "CallbackPath": "/signin-oidc",
    "Domain": "<domain>",
    "SignUpSignInPolicyId": "<sign-in/sign-up policy ID>"
  },
  "PlayFab": {
    "TitleId": "<title ID>",
    "ConnectionId": "<connection ID>"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "AllowedHosts": "*"
}
With these changes, you can run the sample.
Instead of creating the connection through the Game Manager, we chose the API because currently the Game Manager accepts only the URL of the OpenID Connect metadata document and takes the issuer from there.
This issuer is a URL that PlayFab uses to build the URL of the metadata document, which it retrieves on each login. This causes a problem because Azure AD B2C does not use the issuer as part of the metadata document URL. Hence, we had to specify the issuer information, such as the TokenUrl, manually. Currently, this is only possible through the API.
To log in to PlayFab using the ID token retrieved from Azure AD B2C, we configure the latter as the authentication layer in the Startup class. Then we configure the AzureADB2COpenID scheme. There, we set a handler for the OnTokenValidated event, where we get the ID token from the context and use it to request the login through the LoginWithOpenIDConnect endpoint.
After that, we store the Session Ticket returned by PlayFab in the AuthenticationProperties of the new login, so that we can retrieve it in subsequent requests that need it.
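The wiring described in the last two paragraphs, written out as an added example rather than the sample's own Startup class. It assumes the appsettings.json sections shown above, the Microsoft.AspNetCore.Authentication.AzureADB2C.UI package (whose AzureADB2CDefaults.OpenIdScheme is the "AzureADB2COpenID" scheme named in the text), and the PlayFab C# SDK; the key name used to store the ticket in AuthenticationProperties is this example's own choice.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using PlayFab;
using PlayFab.ClientModels;

// Added example: B2C as the authentication layer, with OnTokenValidated exchanging the
// ID token for a PlayFab session ticket that is kept in the login's AuthenticationProperties.
public class Startup
{
    // Key under which the ticket is stored; the name is an assumption of this example.
    public const string SessionTicketKey = "PlayFab.SessionTicket";

    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Values from the "PlayFab" section of appsettings.json shown above.
        PlayFabSettings.staticSettings.TitleId = Configuration["PlayFab:TitleId"];
        string connectionId = Configuration["PlayFab:ConnectionId"];

        // B2C settings come from the "AzureAdB2C" section (Instance, ClientId, Domain, ...).
        services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
            .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));

        // Configure the inner OpenID Connect scheme, "AzureADB2COpenID".
        services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
        {
            options.Events.OnTokenValidated = async context =>
            {
                // At this point the middleware has already verified the ID token's signature,
                // issuer, audience and lifetime. RawData is the compact JWT that PlayFab
                // verifies again against the JWKS registered in the connection.
                string idToken = context.SecurityToken.RawData;

                var login = await PlayFabClientAPI.LoginWithOpenIdConnectAsync(
                    new LoginWithOpenIdConnectRequest
                    {
                        ConnectionId = connectionId,
                        IdToken = idToken,
                        CreateAccount = true
                    });

                if (login.Error != null)
                {
                    // Fail closed: without a PlayFab session the application sign-in is rejected.
                    context.Fail($"PlayFab login failed: {login.Error.ErrorMessage}");
                    return;
                }

                // The cookie handler protects AuthenticationProperties with Data Protection,
                // so the ticket travels in the encrypted auth cookie, not in clear text.
                context.Properties.Items[SessionTicketKey] = login.Result.SessionTicket;
            };
        });

        services.AddControllersWithViews();
    }
}
```

In a later request, a controller recovers the ticket with `var result = await HttpContext.AuthenticateAsync(); var ticket = result.Properties?.Items[Startup.SessionTicketKey];` and then sets it on the PlayFab client request (the SDK's `AuthenticationContext.ClientSessionTicket`) before calling endpoints such as UpdateUserData or GetUserData on behalf of the user.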