
I have a WebAPI (A) hosted on Azure protected by Azure B2C (B) which is being called by a mobile app (C) - this is all working correctly.

I now want to allow third parties to access my API via API Management on the same platform but I am getting extremely confused with authentication and "audiences".

The API Management developer portal has been configured as per the Azure documentation so that when the developer makes test calls on the portal it prompts for authentication using the B2C domain (B). To do this it uses an application registered against the B2C domain.

However when I want to implement the API from a third party system (D) I need to allow the system to impersonate a user when calling my API (A) so that operations happen in the context of an authenticated user on the domain (B).

I know B2C does not yet support "On Behalf Of" as a valid flow, so I use hellojs to obtain an access token on the client which I pass to the third party system API via a custom header, which it then appends as an Authorization header to its call to the API.

The API Management product expects a "subscription key" to identify the products the third party implementation can use.

  1. Does this mean with regards to the authentication part that every third party system using my API would use the same OAuth "audience" id and therefore the same Active Directory app?

  2. It makes more sense to me that each third party implementation would have a different app on Azure AD, but that would mean my Web API would need to recognise a huge number of audience ids and redirect URIs?

Finally, how do I "hide" the Web API endpoints from public use? Surely use of the audience id would allow people to circumvent the API Management product?

Apologies if I have mixed any terminology up.

2 Answers


1) Does this mean with regards to the authentication part that every third party system using my API would use the same OAuth "audience" id and therefore the same Active Directory app?

They will use the same resource/scope id (i.e. audience) e.g. https://yourwebapiAppIDURI/Read but they would all have their own application IDs.

2) It makes more sense to me that each third party implementation would have a different app on Azure AD, but that would mean my Web API would need to recognise a huge number of audience ids and redirect URIs?

Yes, they should register their applications as clients to your B2C Auth server. The 3rd party apps should be set up in the AAD portal to have delegated access to your web API (e.g. "Access yourwebAPIname"). If your web API exposes any scopes, access to those can be delegated too.

Now when they start the token request by redirecting the user to your Auth Server, they should provide their client id and a resource/scope value of your web API's App ID URL, e.g. https://yourwebapiAppIDURI/Read.

That should result in a token with:

aud value of the Application ID associated with https://yourwebapiAppIDURI/

scp value of Read


4 Comments

Thanks @iandayman. Could you clarify resource/scope id? Azure documentation always talks about the "audience" value being the application id (it's a GUID string), but you are suggesting it's more like a URL? Also, how can they register their applications as clients? API Management doesn't allow clients to be created on the Active Directory; do I need to do this manually each time?
This github repo has an example: github.com/Azure-Samples/…
Basically you enter your Web API's App ID URI in the scope on the request, but as you say the audience in the token will be the corresponding application ID GUID associated with that web API. This still means API Management only needs to check for the GUID of your Web API in the audience.
Ok - I think I've got this now. The only thing left that doesn't appear to be happening is it triggering the consent screen? I've specified "openid" and then the scopes I need in the scope parameter and I can see them being passed but I never see the consent screen?
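To make the answer's point concrete (one audience GUID for the Web API regardless of how many third-party client apps exist), here is an added example that is not part of the original question or answers. It mints access tokens shaped like the one described (aud = the Web API's application ID, scp = delegated scopes, azp = the calling client) for two different third-party clients and shows that the API only has to check a single audience value plus the required scope. The API app ID, issuer URL, client IDs and the HS256 shared secret are constructed assumptions; a real B2C token is RS256-signed and must be verified against the tenant's JWKS, which is the one piece this stand-in does not reproduce.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values (assumptions, not from the page): the GUID B2C assigned to the
# Web API app registration, the tenant issuer, and a shared secret standing in for
# B2C's RSA signing keys so the example runs offline.
API_APP_ID = "11111111-2222-3333-4444-555555555555"
ISSUER = "https://contoso.b2clogin.com/99999999-8888-7777-6666-555555555555/v2.0/"
SIGNING_SECRET = b"constructed-demo-secret-not-a-real-b2c-key"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(client_id: str, aud: str, scp: str, lifetime: int = 3600) -> str:
    """Build an HS256 JWT with the claim shape the answer describes.

    Each third-party client presents its own client_id, but the token is
    issued for the Web API, so aud is the Web API's GUID and scp is the
    delegated scope(s), space separated.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "aud": aud,                      # the Web API's application ID GUID
        "azp": client_id,                # which client app obtained the token
        "scp": scp,                      # e.g. "Read" or "Read Write"
        "sub": "constructed-user-object-id",
        "exp": int(time.time()) + lifetime,
    }
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, required_scope: str) -> dict:
    """Check signature, issuer, audience, expiry and scope; raise ValueError otherwise.

    Note that the audience check compares against ONE value, API_APP_ID, no matter
    how many client apps call the API; the client identity is in azp, not aud.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never trust the token's own alg choice blindly
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != API_APP_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    if required_scope not in claims.get("scp", "").split():
        raise ValueError("missing scope")
    return claims


def reject_reason(token: str, required_scope: str) -> str:
    """Return '' if the token is accepted, else the rejection reason."""
    try:
        validate_token(token, required_scope)
        return ""
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    # Two constructed third-party clients, both asking for the same Web API scope.
    for client in ("aaaaaaaa-0000-0000-0000-000000000001", "bbbbbbbb-0000-0000-0000-000000000002"):
        tok = mint_token(client, API_APP_ID, "Read")
        print(client, "->", validate_token(tok, "Read")["azp"])
    # A token whose aud is the client's own ID (the misconception in question 2) is rejected.
    print(reject_reason(mint_token("aaaaaaaa-0000-0000-0000-000000000001",
                                   "aaaaaaaa-0000-0000-0000-000000000001", "Read"), "Read"))
```

The same single-audience check is what an API Management validate-jwt policy would perform in front of the backend, using the tenant's OpenID metadata for the keys; the Web API should still validate the token itself rather than relying on the gateway alone.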

OK, so B2C doesn't use consent:

Azure AD B2C does not ask your client application users for their consent. Instead, all consent is provided by the admin, based on the permissions configured between the applications described above. If a permission grant for an application is revoked, all users who were previously able to acquire that permission will no longer be able to do so.

