The following sample guides you through integrating Azure AD B2C authentication with Twilio Verify API to enable your organization to meet PSD2 SCA requirements.
This sample uses the Twilio Verify API to achieve this.
You can see a live version of PSD2 SCA in action by following below:
- Visit this Sample Live Version Website.
- Click Sign up / Sign in
- Complete your sign up.
- Click Send Money.
- Enter a Payee Name, Account Number, and Amount, click Continue.
- You are sent to the B2C logon page where your authentication is stepped up with Twilio Verify API.
- Once completed, and arrived back to the application, click Confirm to complete the transaction.
- Complete the Azure AD B2C Get Started with Custom Policies.
- Be familiar with the
id_token_hint
usage, which is demonstrated in this id_token_hint sample. - Be familiar with the display controls usage, which is demonstrated in this display controls sample.
- Obtain a Twilio trial account.
- Purchase a Phone number at Twilio.
- Navigate to Verify API at the Twilio console, create a service and enable the PSD2 option.
For the step up authentication policy to work, the Azure AD B2C user must already exist in the directory with a Phone Number registered. For the purposes of this demo, this can be achieved by signing up a user through a User Flow with MFA enabled.
You can pre-enrol users into the directory with known verified Phone Numbers by using the Microsoft Graph API.
-
You can automate the pre requisites by visiting the setup tool if you already have an Azure AD B2C tenant. Some policies can be deployed directly through this app via the Experimental menu.
-
You will require to create an Azure AD B2C directory.
-
To use the sample policies in this repo, follow the instructions here to setup your AAD B2C environment for Custom Policies.
-
For any custom policy sample which makes use of Extension attributes, follow the guidance on storing the extension properties and adding the application objectID. The
AAD-Common
Technical profile will always need to be modified to use yourApplicationId
andObjectId
.
- You only require the Step Up policy file to initialize a Step Up authentication.
- The id token hint must be sent with the authentication request containing the
amount
andpayee
. This is parsed in theIdTokenHint_ExtractClaims
technical profile. - The policy relies on a existing logon session to access the current authenticated users phone number. This claim name must be persistent across the policy files, and the session management technical profiles.
- The Single Sign On state will skip all step until Orchestration Step 5, where the Twilio Verify API is invoked.
- At this step, the
Custom-SMS-Verify
self asserted technical profile is executed. - The
inputClaimsTransformation
takes the Phone Number from the session claim and converts it to a read only state. - The Display Control
phoneVerificationControl-ReadOnly
calls the Twilio Verify API to initiate and verify the OTP requests. - The REST API technical profile
TwilioRestAPI-Verify-Step1
models the Twilio Verify API REST API request to generate and send a PSD2 compliant SMS, (see Send a Verification Token). - The REST API technical profile
TwilioRestAPI-Verify-Step2
models the Twilio Verify API REST API request to verify the entered OTP, (see Check the Verification Token). - Since the Twilio API returns a HTTP 200 with a status of the OTP verification in the JSON Body, Azure AD B2C needs to check the JSON payload for the
valid
OTP status. To do this, the REST API Technical Profile invokes anoutputClaimsTransform
to assert that the value ofstatus
is "approved".
<!-- Capture the "status" value from the JSON response. Set a comparison
claim with a static value (dummyStatus) for the known good value-->
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="dummyStatus" DefaultValue="approved" />
<OutputClaim ClaimTypeReferenceId="status"/>
</OutputClaims>
<!-- Initiate a claims transform to compare Status with DummyStatus-->
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="AssertOTPisApproved"/>
</OutputClaimsTransformations>
<!-- Compare Status with DummyStatus-->
<ClaimsTransformation Id="AssertOTPisApproved" TransformationMethod="AssertStringClaimsAreEqual">
<InputClaims>
<InputClaim ClaimTypeReferenceId="status" TransformationClaimType="inputClaim1" />
<InputClaim ClaimTypeReferenceId="dummyStatus" TransformationClaimType="inputClaim2" />
</InputClaims>
<InputParameters>
<InputParameter Id="stringComparison" DataType="string" Value="ordinalIgnoreCase" />
</InputParameters>
</ClaimsTransformation>
In the Custom-SMS-Verify
technical profile add the metadata item to provide an error when the Claims Transform comparison does not return True.
<Item Key="UserMessageIfClaimsTransformationStringsAreNotEqual">Incorrect verification code. Try again.</Item>
For the Phone Number to travel in the session across policies, configure the SM-AAD
in all policies to maintain the phone number claim:
<TechnicalProfile Id="SM-AAD">
<DisplayName>Session Mananagement Provider</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<PersistedClaims>
<PersistedClaim ClaimTypeReferenceId="phoneNumberString" />
</PersistedClaims>
</TechnicalProfile>
The claim name (phoneNumberString
) needs to be consistent across all policies.
- Open the
B2C-WebAPI-DotNet
solution and replace the following values with your own tenant specific values in the web.config:
<add key="ida:Tenant" value="yourtenant.onmicrosoft.com" />
<add key="ida:TenantId" value="d6f33888-0000-4c1f-9b50-1590f171fc70" />
<add key="ida:ClientId" value="6bd98cc8-0000-446a-a05e-b5716ef2651b" />
<add key="ida:ClientSecret" value="secret" />
<add key="ida:AadInstance" value="https://yourtenant.b2clogin.com/tfp/{0}/{1}" />
<add key="ida:RedirectUri" value="https://your hosted psd2 demo app url/" />
- The Web App also hosts the id token hint generator and metadata endpoint
- Create your signing certificate as shown here
- Update the following lines with respect to your certificate in the web.config:
<add key="ida:SigningCertThumbprint" value="4F39D6014818082CBB763E5BA5F230E545212E89" />
<add key="ida:SigningCertAlgorithm" value="RS256" /> <!-- leave as-is-->
- Upload the demo application to your hosting provider of choice - Guidance for Azure App Services to upload your certificate.
- Update your Azure AD B2C application registration by adding a Reply URL equivalent to the URL at which the application is hosted at.
- Open the policy files and replace all instances of
yourtenant
with your tenant name. For a tenant such as "contoso.onmicrosoft.com", replace all instances ofyourtenant
withcontoso
. - Find the Twilio REST API technical profile
Custom-SMS-Enrol
and update theServiceURL
with your Twilio AccountSID and theFrom
number to your purchased phone number. - Find the Twilio REST API technical profiles,
TwilioRestAPI-Verify-Step1
andTwilioRestAPI-Verify-Step2
, and update theServiceURL
with your Twilio AccountSID. - Go to the Azure AD B2C Blade at the Azure Portal and click Identity Experience Framework. Click Policy Keys.
- Add a new Key, name it
B2cRestTwilioClientId
. Selectmanual
, and provide the value of the Twilio Account SID. - Add a new Key, name it
B2cRestTwilioClientSecret
. Selectmanual
, and provide the value of the Twilio AUTH TOKEN. - Upload all the policy files to your tenant.
- Customize the string in the
GenerateOTPMessageEnrol
claims transform for your Sign Up SMS text. - Browse to your application and test the Sign In/Up and Send Money action.
Use Stack Overflow to get support from the community. Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [azure-ad-b2c]. If you find a bug in the sample, please raise the issue on GitHub Issues. To provide product feedback, visit the Azure Active Directory B2C Feedback page.
This sample policy is based on SocialAndLocalAccounts starter pack. All changes are marked with Sample: comment inside the policy XML files. Make the necessary changes in the Sample action required sections.