This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 1%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERD%3C/text%3E%3C/svg%3E)
I'm looking for a method to log in a user using a link sent by mail.
The Sign-in with a magic link sample policy comes very close to what I want to achieve.
My first issue with it is that the process is triggered from a button on the sign-in page. Because I need to provide additional information I need to generate the link and send the mails from my web application instead. That seems reasonably easy to solve though, B2C just sends the info to the IdentityController so I could use this same code anywhere else.
But my main issue with this sample is that it requires the web app to set up a certificate and host an OIDC endpoint. So the web app becomes the source of trust.
What even is the point of B2C if it's not generating or validating the tokens?
It seems like I'm adding an extra attack surface on our application. One of the reasons we use B2C is so we don't have to deal with the dangers of authenication.
Or am I seeing this wrong?
Another option I was looking at is the OAuth 2.0 On-Behalf-Of flow. That does use B2C as the source of trust but is not intended to create user tokens. It's for authenticating one app with the parent app. Would it be a bad idea to try to use such an OBO access token to authenticate a user instead?
Thanks to "Jas Suri" on stackoverflow for pointing out that the answer was in the description of the B2C sample I linked all along. I couldn't quite connect the dots myself.
https://stackoverflow.com/questions/60826495/generating-a-magic-login-link-with-azure-b2c-as-the-authority/60831730#60831730
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 28.000000000000004%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESJ%3C/text%3E%3C/svg%3E)
@RobinDeprins-7092 Can you please provide bit more details how did you do that. We are also looking for same solution, i.e we want to embed access token in emails links when user click on the link, the user should be logged in automatically. And we are looking into Magic link process but want to avoid that web application for generating access tokens. So how did you manage to put certificates with B2C and how did you generated those tokens from code.
@shabirjan2019 This site wans't letting me post a long reply so I gave some more detail as a second answer on this page
We generate an id 'hint' token with the code found here
https://github.com/azure-ad-b2c/samples/blob/master/policies/invite/source-code/AzureADB2C.Invite/Controllers/HomeController.cs
This is not a login token yet, it just tells B2C you authorize this action.
Then with a custom policy based on this you validate that token
https://github.com/azure-ad-b2c/samples/blob/master/policies/sign-in-with-magic-link/policy/SignInWithMagicLink.xml
You'll need to upload the same signing key here so that B2C can verify that the hint token is valid. Then it looks up the user and generates a login JWT. This second key generation can be done with another key or you reuse the same key.
If all is well you'll get redirected to your reply url with a valid token. In our case we were using the built-in B2C policies for our normal login flow and you cannot access the secrets of those from a custom policy. So our normal login enpoint could not be used and we made a secondary one specifically for magic links
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 98%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERT%3C/text%3E%3C/svg%3E)
I am facing a similar issue, if you has any guidance it would be very helpful. I am having a "magic-link" on another application --> that builds the URL with id_token_hint.
I have a policy that gets the email Id from the id_token_hint and generates a jwt id_token (verified that it has pulled all the user-info).
But from this point the normal sign-In is not working (I am expecting an access_token that will allow silent login - without login prompt-) to my application. <<This step>> . I use a normal signin/signup custom policy flow for my SPA application. The id_token "magic-link" is redirecting to my SAP signIn-SIgnUp login flow. Any guidance, code sample would be very helpful Thanks in advance.