---
title: Set up sign-up and sign-in with a WeChat account
titleSuffix: Azure AD B2C
description: Provide sign-up and sign-in to customers with WeChat accounts in your applications using Azure Active Directory B2C.
author: garrodonnell
manager: CelesteDG
ms.service: azure-active-directory
ms.topic: how-to
ms.date: 09/16/2021
ms.author: godonnell
ms.subservice: b2c
zone_pivot_groups: b2c-policy-type
---
[!INCLUDE active-directory-b2c-choose-user-flow-or-custom-policy]
[!INCLUDE active-directory-b2c-public-preview]
[!INCLUDE active-directory-b2c-customization-prerequisites]
- Get an approved Weixin Open Platform account at https://kf.qq.com.
- Get an approved application on Weixin Open Platform.
To enable sign-in for users with a WeChat account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in the WeChat management center. If you don't already have a Weixin Open Platform account, you can get information at https://kf.qq.com. Both the Weixin Open Platform account and the application must be approved before WeChat can be linked as an identity provider to your user flow.
- Sign in to https://open.weixin.qq.com/ with your WeChat credentials.
- Select 管理中心 (management center).
- Follow the steps to register a new application.
- In the Development information section, set the "Authorization callback domain" to `your-tenant-name.b2clogin.com`.
- Ensure that the application status is "Approved".
- At the top of Application details, copy the APP ID and APP KEY. You need both of them to configure the identity provider in your tenant.
::: zone pivot="b2c-user-flow"
- Sign in to the Azure portal with an account that has at least External Identity Provider Administrator privileges.
- If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
- Choose All services in the top-left corner of the Azure portal, then search for and select Azure AD B2C.
- Select Identity providers, then select WeChat (Preview).
- Enter a Name. For example, WeChat.
- For the Client ID, enter the APP ID of the WeChat application that you created earlier.
- For the Client secret, enter the APP KEY that you recorded.
- Select Save.
:::image type="content" source="media/identity-provider-azure-ad-b2c/wechat-client-configuration.png" alt-text="Screenshot that shows the Configure social identity provider window, with completed form fields for social identity provider name, WeChat client ID, and app secret." lightbox="media/identity-provider-azure-ad-b2c/wechat-client-configuration.png":::
- In your Azure AD B2C tenant, select User flows.
- Select the user flow to which you want to add the WeChat identity provider.
- Under Social identity providers, select WeChat.
- Select Save.
:::image type="content" source="media/identity-provider-azure-ad-b2c/link-wechat-identity-provider.png" alt-text="Screenshot showing WeChat as a selected identity provider in the Identity Providers section." lightbox="media/identity-provider-azure-ad-b2c/link-wechat-identity-provider.png":::
- To test your policy, select Run user flow.
- For Application, select the web application named testapp1 that you previously registered. The Reply URL should show `https://jwt.ms`.
- Select the Run user flow button.
- From the sign-up or sign-in page, select WeChat to sign in with a WeChat account.

If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.
::: zone-end
::: zone pivot="b2c-custom-policy"
You need to store the client secret that you previously recorded in your Azure AD B2C tenant.
- Sign in to the Azure portal.
- If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
- Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
- On the Overview page, select Identity Experience Framework.
- Select Policy Keys and then select Add.
- For Options, choose `Manual`.
- Enter a Name for the policy key. For example, `WeChatSecret`. The prefix `B2C_1A_` is added automatically to the name of your key.
- In Secret, enter the client secret that you previously recorded.
- For Key usage, select `Signature`.
- Click Create.
To enable users to sign in using a WeChat account, you need to define the account as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.
You can define a WeChat account as a claims provider by adding it to the ClaimsProviders element in the extension file of your policy.
- Open the TrustFrameworkExtensions.xml file.
- Find the ClaimsProviders element. If it does not exist, add it under the root element.
- Add a new ClaimsProvider as follows:

```xml
<ClaimsProvider>
  <Domain>wechat.com</Domain>
  <DisplayName>WeChat (Preview)</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="WeChat-OAuth2">
      <DisplayName>WeChat</DisplayName>
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="ProviderName">wechat</Item>
        <Item Key="authorization_endpoint">https://open.weixin.qq.com/connect/qrconnect</Item>
        <Item Key="AccessTokenEndpoint">https://api.weixin.qq.com/sns/oauth2/access_token</Item>
        <Item Key="ClaimsEndpoint">https://api.weixin.qq.com/sns/userinfo</Item>
        <Item Key="scope">snsapi_login</Item>
        <Item Key="HttpBinding">GET</Item>
        <Item Key="AccessTokenResponseFormat">json</Item>
        <Item Key="ClientIdParamName">appid</Item>
        <Item Key="ClientSecretParamName">secret</Item>
        <Item Key="ExtraParamsInAccessTokenEndpointResponse">openid</Item>
        <Item Key="ExtraParamsInClaimsEndpointRequest">openid</Item>
        <Item Key="ResponseErrorCodeParamName">errcode</Item>
        <Item Key="external_user_identity_claim_id">unionid</Item>
        <Item Key="client_id">Your WeChat application ID</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_WeChatSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="UserId" PartnerClaimType="unionid" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="wechat.com" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

- Set client_id to the application ID from the application registration.
- Save the file.
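As an added check that is not part of this page or of Azure AD B2C itself, the following Python linter parses the WeChat ClaimsProvider and flags the mistakes most likely to reach an uploaded policy: an endpoint that is not HTTPS, the client_id placeholder left in place, a client secret that is not referenced through a B2C_1A_ policy key, and a UserId claim that does not map from the unionid external identity. The embedded sample XML is a trimmed, constructed copy of the profile above.

```python
# Added example, not from the Microsoft page or Azure AD B2C itself: lint the WeChat-OAuth2
# technical profile for the settings this page relies on before uploading the policy.
import xml.etree.ElementTree as ET

# Constructed sample: the page's ClaimsProvider, trimmed, with the APP ID placeholder kept.
SAMPLE_XML = """<ClaimsProvider>
  <TechnicalProfiles>
    <TechnicalProfile Id="WeChat-OAuth2">
      <Metadata>
        <Item Key="authorization_endpoint">https://open.weixin.qq.com/connect/qrconnect</Item>
        <Item Key="AccessTokenEndpoint">https://api.weixin.qq.com/sns/oauth2/access_token</Item>
        <Item Key="ClaimsEndpoint">https://api.weixin.qq.com/sns/userinfo</Item>
        <Item Key="external_user_identity_claim_id">unionid</Item>
        <Item Key="client_id">Your WeChat application ID</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_WeChatSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="UserId" PartnerClaimType="unionid" />
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>"""

def lint_wechat_profile(xml_text, profile_id="WeChat-OAuth2"):
    # Returns the list of findings; an empty list means every check passed.
    tp = ET.fromstring(xml_text).find(f".//TechnicalProfile[@Id='{profile_id}']")
    if tp is None:
        return [f"technical profile {profile_id} not found"]
    meta = {i.get("Key"): (i.text or "").strip() for i in tp.findall("Metadata/Item")}
    findings = []
    # The authorization code and access token travel over these three; all must be HTTPS.
    for key in ("authorization_endpoint", "AccessTokenEndpoint", "ClaimsEndpoint"):
        if not meta.get(key, "").startswith("https://"):
            findings.append(f"{key} is missing or not https")
    # The page leaves placeholder text in client_id; a real APP ID contains no spaces.
    if not meta.get("client_id") or " " in meta["client_id"]:
        findings.append("client_id still holds the placeholder text")
    # The secret must be a B2C_1A_ policy key reference, never pasted inline into Metadata.
    key = tp.find("CryptographicKeys/Key[@Id='client_secret']")
    if key is None or not key.get("StorageReferenceId", "").startswith("B2C_1A_"):
        findings.append("client_secret must reference a B2C_1A_ policy key")
    # UserId must map from the same claim B2C treats as the external identity (unionid).
    uid = tp.find("OutputClaims/OutputClaim[@ClaimTypeReferenceId='UserId']")
    if uid is None or uid.get("PartnerClaimType") != meta.get("external_user_identity_claim_id"):
        findings.append("UserId PartnerClaimType differs from external_user_identity_claim_id")
    return findings

if __name__ == "__main__":
    print(lint_wechat_profile(SAMPLE_XML))  # -> ['client_id still holds the placeholder text']
```

A complete TrustFrameworkExtensions.xml declares a default XML namespace on its root element, so when running this against the real file, prefix the tag names in the XPath expressions with that namespace (or strip it) instead of using the bare names shown here.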
[!INCLUDE active-directory-b2c-add-identity-provider-to-user-journey]
```xml
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
  <ClaimsProviderSelections>
    ...
    <ClaimsProviderSelection TargetClaimsExchangeId="WeChatExchange" />
  </ClaimsProviderSelections>
  ...
</OrchestrationStep>

<OrchestrationStep Order="2" Type="ClaimsExchange">
  ...
  <ClaimsExchanges>
    <ClaimsExchange Id="WeChatExchange" TechnicalProfileReferenceId="WeChat-OAuth2" />
  </ClaimsExchanges>
</OrchestrationStep>
```
[!INCLUDE active-directory-b2c-configure-relying-party-policy]
- Select your relying party policy, for example `B2C_1A_signup_signin`.
- For Application, select a web application that you previously registered. The Reply URL should show `https://jwt.ms`.
- Select the Run now button.
- From the sign-up or sign-in page, select WeChat to sign in with a WeChat account.

If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.
::: zone-end