Add example for azure b2c OAuth (#1336)

zimmj · web-flow · commit 290353753b1e · 2023-10-24T19:04:25.000-05:00
* Add example for azure b2c OAuth

This example allows to fetch the tokens for a given user from azure B2C.

* Add explanation to B2C example

Add specific explanation to the example on how to create you own tenant to test the script for getting token.
Fixed one issue on the way, as small difference between costume flow and quick user flows.

* Update 03 oauth-authentication.md

Change pull request suggestions
diff --git a/src/data/markdown/docs/05 Examples/01 Examples/03 oauth-authentication.md b/src/data/markdown/docs/05 Examples/01 Examples/03 oauth-authentication.md
@@ -13,6 +13,9 @@ The following examples take a set of arguments, shown in the function documentat
 
 <CodeGroup labels={["azure.js"]} lineNumbers={[true]}>
 
+
+
+
 ```javascript
 import http from 'k6/http';
 
@@ -56,6 +59,204 @@ export function authenticateUsingAzure(tenantId, clientId, clientSecret, scope,
 }
 ```
 
+### Azure B2C
+
+The following example shows how you can authenticate with Azure B2C using the [Client Credentials Flow](https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oauth-code#client-credentials-flow).
+
+This example is based on a JMeter example found at the [azure-ad-b2c/load-tests](https://github.com/azure-ad-b2c/load-tests) repository.
+
+To use this script, you need to:
+
+1. [Set up your own Azure B2C tenant](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant)
+    * Copy the tenant name, it will be used in your test script.
+2. [Register a web application](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga)
+    * Register a single page application with the redirect URL of: https://jwt.ms. That's needed for the flow to receive a token.
+    * After the creation, you can get the Application (client) ID, and the Directory (tenant) ID. Copy both of them, they'll be used in your test script.
+3. [Create a user flow so that you can sign up and create a user](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows)
+     * Create a new user, and copy the username and password. They'll be used in the test script.
+
+If you missed copying any of the settings, you can find them in the B2C settings in the Azure portal.
+
+<CodeGroup labels={["azure-b2c.js"]} lineNumbers={[true]}>
+
+```javascript
+import http from "k6/http";
+import crypto from "k6/crypto";
+import { randomString } from "https://jslib.k6.io/k6-utils/1.2.0/index.js";
+
+const B2cGraphSettings = {
+  B2C: {
+    client_id: "", // Application ID in Azure
+    user_flow_name: "",
+    tenant_id: "", // Directory ID in Azure
+    tenant_name: "",
+    scope: "openid",
+    redirect_url: "https://jwt.ms",
+  },
+};
+
+/**
+ * Authenticate using OAuth against Azure B2C
+ * @function
+ * @param  {string} username - Username of the user to authenticate
+ * @param  {string} password
+ * @return {string} id_token
+ */
+export function GetB2cIdToken(username, password) {
+  const state = GetState();
+  SelfAsserted(state, username, password);
+  const code = CombinedSigninAndSignup(state);
+  return GetToken(code, state.codeVerifier);
+}
+
+/**
+ * @typedef {object} b2cStateProperties
+ * @property {string} csrfToken
+ * @property {string} stateProperty
+ * @property {string} codeVerifier
+ *
+ */
+
+/**
+ * Get the id token from Azure B2C
+ * @function
+ * @param {string} code
+ * @returns {string} id_token
+ */
+const GetToken = (code, codeVerifier) => {
+  const url =
+    `https://${B2cGraphSettings.B2C.tenant_name}.b2clogin.com/${B2cGraphSettings.B2C.tenant_id}` +
+    `/oauth2/v2.0/token` +
+    `?p=${B2cGraphSettings.B2C.user_flow_name}` +
+    `&client_id=${B2cGraphSettings.B2C.client_id}` +
+    `&grant_type=authorization_code` +
+    `&scope=${B2cGraphSettings.B2C.scope}` +
+    `&code=${code}` +
+    `&redirect_uri=${B2cGraphSettings.B2C.redirect_url}` +
+    `&code_verifier=${codeVerifier}`;
+
+  const response = http.post(url, "", {
+    tags: {
+      b2c_login: "GetToken",
+    },
+  });
+
+  return JSON.parse(response.body).id_token;
+};
+
+/**
+ * Signs in the user using the CombinedSigninAndSignup policy
+ * extraqct B2C code from response
+ * @function
+ * @param {b2cStateProperties} state
+ * @returns {string} code
+ */
+const CombinedSigninAndSignup = (state) => {
+  const url =
+    `https://${B2cGraphSettings.B2C.tenant_name}.b2clogin.com/${B2cGraphSettings.B2C.tenant_name}.onmicrosoft.com` +
+    `/${B2cGraphSettings.B2C.user_flow_name}/api/CombinedSigninAndSignup/confirmed` +
+    `?csrf_token=${state.csrfToken}` +
+    `&rememberMe=false` +
+    `&tx=StateProperties=${state.stateProperty}` +
+    `&p=${B2cGraphSettings.B2C.user_flow_name}`;
+
+  const response = http.get(url, "", {
+    tags: {
+      b2c_login: "CombinedSigninAndSignup",
+    },
+  });
+  const codeRegex = '.*code=([^"]*)';
+  return response.url.match(codeRegex)[1];
+};
+
+/**
+ * Signs in the user using the SelfAsserted policy
+ * @function
+ * @param {b2cStateProperties} state
+ * @param {string} username
+ * @param {string} password
+ */
+const SelfAsserted = (state, username, password) => {
+  const url =
+    `https://${B2cGraphSettings.B2C.tenant_name}.b2clogin.com/${B2cGraphSettings.B2C.tenant_id}` +
+    `/${B2cGraphSettings.B2C.user_flow_name}/SelfAsserted` +
+    `?tx=StateProperties=${state.stateProperty}` +
+    `&p=${B2cGraphSettings.B2C.user_flow_name}` +
+    `&request_type=RESPONSE` +
+    `&email=${username}` +
+    `&password=${password}`;
+
+  const params = {
+    headers: {
+      "X-CSRF-TOKEN": `${state.csrfToken}`,
+    },
+    tags: {
+      b2c_login: "SelfAsserted",
+    },
+  };
+  http.post(url, "", params);
+};
+
+/**
+ * Calls the B2C login page to get the state property
+ * @function
+ * @returns {b2cStateProperties} b2cState
+ */
+const GetState = () => {
+  const nonce = randomString(50);
+  const challenge = crypto.sha256(nonce.toString(), "base64rawurl");
+
+  const url =
+    `https://${B2cGraphSettings.B2C.tenant_name}.b2clogin.com` +
+    `/${B2cGraphSettings.B2C.tenant_id}/oauth2/v2.0/authorize?` +
+    `p=${B2cGraphSettings.B2C.user_flow_name}` +
+    `&client_id=${B2cGraphSettings.B2C.client_id}` +
+    `&nonce=${nonce}` +
+    `&redirect_uri=${B2cGraphSettings.B2C.redirect_url}` +
+    `&scope=${B2cGraphSettings.B2C.scope}` +
+    `&response_type=code` +
+    `&prompt=login` +
+    `&code_challenge_method=S256` +
+    `&code_challenge=${challenge}` +
+    `&response_mode=fragment`;
+
+  const response = http.get(url, "", {
+    tags: {
+      b2c_login: "GetCookyAndState",
+    },
+  });
+
+  const vuJar = http.cookieJar();
+  const responseCookies = vuJar.cookiesForURL(response.url);
+
+  const b2cState = {};
+  b2cState.codeVerifier = nonce;
+  b2cState.csrfToken = responseCookies["x-ms-cpim-csrf"][0];
+  b2cState.stateProperty = response.body.match('.*StateProperties=([^"]*)')[1];
+  return b2cState;
+};
+
+/**
+ * Helper function to get the authorization header for a user
+ * @param {user} user
+ * @returns {object} httpsOptions
+ */
+export const GetAuthorizationHeaderForUser = (user) => {
+  const token = GetB2cIdToken(user.username, user.password);
+
+  return {
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: "Bearer " + token,
+    },
+  };
+};
+
+export default function () {
+  const token = GetB2cIdToken("zimmi.94@live.de", "20B2cTest23");
+  console.log(token);
+}
+```
 </CodeGroup>
 
 ### Okta
