This article describes how to add authentication for a Spotify account to an Azure AD B2C custom policy.
Architecture
The following diagram illustrates the authentication flow for a Spotify account to an Azure AD B2C custom policy.
For information about Spotify and OAuth 2.0, see https://developer.spotify.com/documentation/general/guides/authorization/.
Prerequisites
- If you don’t already have one, then you must create an Azure AD B2C tenant that is linked to your Azure subscription.
- Prepare your Azure AD B2C tenant by creating the token signing and encryption keys and creating the Identity Experience Framework applications.
- Download one of the starter packs for Azure AD B2C from Microsoft’s GitHub repository.
Configure a Spotify application
- Log in to https://developer.spotify.com/dashboard/applications.
- On the Dashboard page, select Create an app.
- On the Create an app dialog, enter the following fields and then select Create app:
- App name
- App description
- On the app page, copy the Client ID and Client Secret fields.
- On the app page, select Edit settings.
- In the Edit settings dialog, enter the following fields and then select Save:
- Redirect URIs: Enter either
https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp
if you use the built-in domain orhttps://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp
if you use a custom domain for the Redirect URIs field. Replaceyour-tenant-name
with your tenant name andyour-domain-name
with your custom domain.
- Redirect URIs: Enter either
Add the client secret for the Spotify application as a policy key
- Sign in to the Azure AD B2C portal.
- Select Identity Experience Framework.
- Select Policy keys.
- Select Add.
- In the Create a key section, enter the following fields and then select Create:
- Options:
Manual
- Name:
SpotifyClientSecret
- Secret: Paste the Client secret field that was copied in the previous section.
- Options:
Configure Spotify as an identity provider
- Open the TrustFrameworkExtensions.xml file.
- Find the ClaimsProviders element. If it doesn’t exist, then add it to the TrustFrameworkPolicy element.
- Add the following ClaimsProvider element to the ClaimsProviders element. Replace
your-spotify-client-id
with the Client ID field that was copied in the Configure a Spotify application section. Replaceyour-function-app-name
with the function app name that was created in the Create the Azure function section.
<ClaimsProvider>
<Domain>spotify.com</Domain>
<DisplayName>Spotify</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="Spotify-OAuth2">
<DisplayName>Spotify</DisplayName>
<Protocol Name="OAuth2" />
<Metadata>
<Item Key="client_id">your-spotify-client-id</Item>
<Item Key="authorization_endpoint">https://accounts.spotify.com/authorize</Item>
<Item Key="AccessTokenEndpoint">https://accounts.spotify.com/api/token</Item>
<Item Key="ClaimsEndpoint">https://api.spotify.com/v1/me</Item>
<Item Key="scope">user-read-email</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="token_endpoint_auth_method">client_secret_basic</Item>
<Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_SpotifyClientSecret" />
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="spotify.com" AlwaysUseDefaultValue="true" />
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="display_name" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
Add a user journey
- Open the TrustFrameworkBase.xml file.
- Copy the UserJourney element that includes
Id="SignUpOrSignIn"
. - Open the TrustFrameworkExtensions.xml file and find the UserJourneys element. If it doesn’t exist, then add it to the TrustFrameworkPolicy element.
- Paste the UserJourney element that was copied in step 2 to the UserJourneys element and replace the Id attribute for this UserJourney element from
"SignUpOrSignIn"
to"SpotifySignUpOrSignIn"
.
Add the identity provider to the user journey
- Add the claims provider that was configured in the Configure Spotify as an identity provider section to the user journey that was added in the previous section.
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
<ClaimsProviderSelections>
...
<ClaimsProviderSelection TargetClaimsExchangeId="SpotifyExchange" />
</ClaimsProviderSelections>
...
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
...
<ClaimsExchanges>
<ClaimsExchange Id="SpotifyExchange" TechnicalProfileReferenceId="Spotify-OAuth2" />
</ClaimsExchanges>
...
</OrchestrationStep>
Configure the relying party policy
- Open the SignUpOrSignIn.xml file.
- Replace the ReferenceId attribute for the DefaultUserJourney element from
"SignUpOrSignIn"
to"
.
SignUpOrSignIn"Spotify
<RelyingParty>
<DefaultUserJourney ReferenceId="SpotifySignUpSignIn" />
...
</RelyingParty>
Upload and test the custom policy
- Upload all policy files in the following order to your Azure AD B2C tenant:
- TrustFrameworkBase.xml
- TrustFrameworkLocalization.xml
- TrustFrameworkExtensions.xml
- SignUpOrSignIn.xml
- Test the B2C_1A_signup_signin policy from your Azure AD B2C tenant.