This article describes how to add authentication for a Figma account to an Azure AD B2C custom policy.
Architecture
The following diagram illustrates the authentication flow for a Figma account to an Azure AD B2C custom policy.
For information about Figma and OAuth 2.0, see https://www.figma.com/developers/api#oauth2.
Prerequisites
- If you don’t already have one, then you must create an Azure AD B2C tenant that is linked to your Azure subscription.
- Prepare your Azure AD B2C tenant by creating the token signing and encryption keys and creating the Identity Experience Framework applications.
- Download one of the starter packs for Azure AD B2C from Microsoft’s GitHub repository.
Configure a Figma application
- Log in to https://www.figma.com/developers/apps.
- In the home page, in the Registered apps section, select Create a new app.
- Enter the following fields and then select Save:
- Logo
- App name
- Website URL
- Callback: Enter either
https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp
if you use the built-in domain orhttps://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp
if you use a custom domain for the Callback field. Replaceyour-tenant-name
with your tenant name andyour-domain-name
with your custom domain.
- Copy the Client ID and Client Secret fields.
Add the client secret for the Figma application as a policy key
- Sign in to the Azure AD B2C portal.
- Select Identity Experience Framework.
- Select Policy keys.
- Select Add.
- In the Create a key section, enter the following fields and then select Create:
- Options:
Manual
- Name:
FigmaClientSecret
- Secret: Paste the Client Secret field that was copied in the previous section.
- Options:
Configure Figma as an identity provider
- Open the TrustFrameworkExtensions.xml file.
- Find the ClaimsProviders element. If it doesn’t exist, then add it to the TrustFrameworkPolicy element.
- Add the following ClaimsProvider element to the ClaimsProviders element. Replace
your-figma-client-id
with the Client ID field that was copied in the Configure a Figma application section.
<ClaimsProvider>
<Domain>figma.com</Domain>
<DisplayName>Figma</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="Figma-OAuth2">
<DisplayName>Figma</DisplayName>
<Protocol Name="OAuth2" />
<Metadata>
<Item Key="client_id">your-figma-client-id</Item>
<Item Key="authorization_endpoint">https://www.figma.com/oauth</Item>
<Item Key="AccessTokenEndpoint">https://www.figma.com/api/oauth/token</Item>
<Item Key="ClaimsEndpoint">https://api.figma.com/v1/me</Item>
<Item Key="scope">file_read</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_FigmaClientSecret" />
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="figma.com" AlwaysUseDefaultValue="true" />
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="handle" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
Add a user journey
- Open the TrustFrameworkBase.xml file.
- Copy the UserJourney element that includes
Id="SignUpOrSignIn"
. - Open the TrustFrameworkExtensions.xml file and find the UserJourneys element. If it doesn’t exist, then add it to the TrustFrameworkPolicy element.
- Paste the UserJourney element that was copied in step 2 to the UserJourneys element and replace the Id attribute for this UserJourney element from
"SignUpOrSignIn"
to"FigmaSignUpOrSignIn"
.
Add the identity provider to the user journey
- Add the claims provider that was configured in the Configure Figma as an identity provider section to the user journey that was added in the previous section.
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
<ClaimsProviderSelections>
...
<ClaimsProviderSelection TargetClaimsExchangeId="FigmaExchange" />
</ClaimsProviderSelections>
...
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
...
<ClaimsExchanges>
<ClaimsExchange Id="FigmaExchange" TechnicalProfileReferenceId="Figma-OAuth2" />
</ClaimsExchanges>
...
</OrchestrationStep>
Configure the relying party policy
- Open the SignUpOrSignIn.xml file.
- Replace the ReferenceId attribute for the DefaultUserJourney element from
"SignUpOrSignIn"
to"FigmaSignUpOrSignIn"
.
<RelyingParty>
<DefaultUserJourney ReferenceId="FigmaSignUpSignIn" />
...
</RelyingParty>
Upload and test the custom policy
- Upload all policy files in the following order to your Azure AD B2C tenant:
- TrustFrameworkBase.xml
- TrustFrameworkLocalization.xml
- TrustFrameworkExtensions.xml
- SignUpOrSignIn.xml
- Test the B2C_1A_signup_signin policy from your Azure AD B2C tenant.