Get in touch

Sign-up and sign-in with Spotify using Azure AD B2C

This article describes how to add authentication for a Spotify account to an Azure AD B2C custom policy.

Architecture

The following diagram illustrates the authentication flow for a Spotify account to an Azure AD B2C custom policy.

For information about Spotify and OAuth 2.0, see https://developer.spotify.com/documentation/general/guides/authorization/.

Prerequisites

  1. If you don’t already have one, then you must create an Azure AD B2C tenant that is linked to your Azure subscription.
  2. Prepare your Azure AD B2C tenant by creating the token signing and encryption keys and creating the Identity Experience Framework applications.
  3. Download one of the starter packs for Azure AD B2C from Microsoft’s GitHub repository.

Configure a Spotify application

  1. Log in to https://developer.spotify.com/dashboard/applications.
  2. On the Dashboard page, select Create an app.
  3. On the Create an app dialog, enter the following fields and then select Create app:
    1. App name
    2. App description
  4. On the app page, copy the Client ID and Client Secret fields.
  5. On the app page, select Edit settings.
  6. In the Edit settings dialog, enter the following fields and then select Save:
    1. Redirect URIs: Enter either https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp if you use the built-in domain or https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp if you use a custom domain for the Redirect URIs field. Replace your-tenant-name with your tenant name and your-domain-name with your custom domain.

Add the client secret for the Spotify application as a policy key

  1. Sign in to the Azure AD B2C portal.
  2. Select Identity Experience Framework.
  3. Select Policy keys.
  4. Select Add.
  5. In the Create a key section, enter the following fields and then select Create:
    1. Options: Manual
    2. Name: SpotifyClientSecret
    3. Secret: Paste the Client secret field that was copied in the previous section.

Configure Spotify as an identity provider

  1. Open the TrustFrameworkExtensions.xml file.
  2. Find the ClaimsProviders element. If it doesn’t exist, then add it to the TrustFrameworkPolicy element.
  3. Add the following ClaimsProvider element to the ClaimsProviders element. Replace your-spotify-client-id with the Client ID field that was copied in the Configure a Spotify application section. Replace your-function-app-name with the function app name that was created in the Create the Azure function section.
<ClaimsProvider>
  <Domain>spotify.com</Domain>
  <DisplayName>Spotify</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Spotify-OAuth2">
      <DisplayName>Spotify</DisplayName>
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="client_id">your-spotify-client-id</Item>
        <Item Key="authorization_endpoint">https://accounts.spotify.com/authorize</Item>
        <Item Key="AccessTokenEndpoint">https://accounts.spotify.com/api/token</Item>
        <Item Key="ClaimsEndpoint">https://api.spotify.com/v1/me</Item>
        <Item Key="scope">user-read-email</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="token_endpoint_auth_method">client_secret_basic</Item>
        <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_SpotifyClientSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="spotify.com" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="display_name" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

Add a user journey

  1. Open the TrustFrameworkBase.xml file.
  2. Copy the UserJourney element that includes Id="SignUpOrSignIn".
  3. Open the TrustFrameworkExtensions.xml file and find the UserJourneys element. If it doesn’t exist, then add it to the TrustFrameworkPolicy element.
  4. Paste the UserJourney element that was copied in step 2 to the UserJourneys element and replace the Id attribute for this UserJourney element from "SignUpOrSignIn" to "SpotifySignUpOrSignIn".

Add the identity provider to the user journey

  1. Add the claims provider that was configured in the Configure Spotify as an identity provider section to the user journey that was added in the previous section.
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
  <ClaimsProviderSelections>
    ...
    <ClaimsProviderSelection TargetClaimsExchangeId="SpotifyExchange" />
  </ClaimsProviderSelections>
  ...
</OrchestrationStep>

<OrchestrationStep Order="2" Type="ClaimsExchange">
  ...
  <ClaimsExchanges>
    <ClaimsExchange Id="SpotifyExchange" TechnicalProfileReferenceId="Spotify-OAuth2" />
  </ClaimsExchanges>
  ...
</OrchestrationStep>

Configure the relying party policy

  1. Open the SignUpOrSignIn.xml file.
  2. Replace the ReferenceId attribute for the DefaultUserJourney element from "SignUpOrSignIn" to "SpotifySignUpOrSignIn".
<RelyingParty>
  <DefaultUserJourney ReferenceId="SpotifySignUpSignIn" />
  ...
</RelyingParty>

Upload and test the custom policy

  1. Upload all policy files in the following order to your Azure AD B2C tenant:
    1. TrustFrameworkBase.xml
    2. TrustFrameworkLocalization.xml
    3. TrustFrameworkExtensions.xml
    4. SignUpOrSignIn.xml
  2. Test the B2C_1A_signup_signin policy from your Azure AD B2C tenant.
Picture of Chris Padgett

Chris Padgett

More insights

10a2ec9a-83eb-4432-abe3-b09195d7b526

Automating Azure DevOps Pipeline Onboarding- Because Clicking is Boring

The First Step in any AI Use Case: Defining Success

The First Step in any AI Use Case: Defining Success

Azure Virtual Desktop Benefits

Terraform Tips: Managing Azure Virtual Desktop Session Hosts with Precision

GitHub generated release notes

DevOps: Enhanced Release Automation with GitHub’s AI-Powered Release Notes

Building a Star Wars E-Commerce Empire with GitHub Spark

Building a Star Wars E-Commerce Empire with GitHub Spark: A Weekend DevOps Story

Escaping the AI Graveyard - How to Rethink AI Adoption

Escaping the AI Graveyard: How to Rethink AI Adoption

Get started on the right path to cloud success today. Our Crew are standing by to answer your questions and get you up and running.

CONTACT US