Karthikeyan VK

Reputation: 6006

Single Sign on - Multiple application azure AD B2C

I am trying to have two applications (app1 and app2) in Azure AD B2C, which are configured for Web API, and another application that is configured for a mobile app.

I need my mobile app to talk to app1 and get the access token, using app1's application ID and scope, then use the access token obtained from app1 to communicate with app2. I enabled SSO at tenant level in the policies, but it still says "Authorization denied" for the access token provided.

How can I reuse the access token obtained from one application in another application?

Upvotes: 0

Views: 915

Answers (1)

SBirthare

Reputation: 5137

We have been trying to get through this limitation (or function as designed for security) of B2C AD for weeks.

However, Microsoft does not support it.


We did not want to display the MS login page to the mobile user on the mobile login screen (UX gets compromised). But MS says there is no way possible to avoid it. See the response from MS on the support ticket.


For more information: Azure AD B2C: Requesting access tokens

You will also benefit from reading the supported authentication scenarios. We are after something similar to what they call "Daemon or Server Application to Web API".

In this diagram, Server Application corresponds to the mobile application in our case. However, you will notice that in this scenario it is assumed that the user is already authenticated (via interactive flow).


We tried to act smart, thinking we could write an Auth web API which the mobile app would hit to obtain a token and then pass this token to our business logic API (secured by B2C AD). We obtained an access and refresh token somehow; however, when the test web app (mobile app) passes this access token to our business logic API, it fails to validate the token. B2C AD comes fighting for it. Our analysis is not yet complete.

However, I am certain what we are trying to accomplish is not supported in B2C AD.

Hope this helps (I would actually advise you to look for another solution). I will be happy if someone can suggest a way to solve this obvious business problem.

Upvotes: 0
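The rejection the question and answer describe comes from the resource server's audience check: an access token is minted for one API (its `aud` claim names app1), so app2 must refuse it even though the same user signed in. The following example is added here and is not code from the question, the answer or Azure AD B2C; it implements the checks an API performs on a bearer token and shows a token for app1 failing at app2. Real B2C tokens are RS256-signed and verified against the tenant's published JWKS; this example uses HS256 with a constructed shared key, placeholder issuer and placeholder application IDs only so that it runs offline with the standard library.

```python
# Added example: minimal JWT mint/validate pair showing audience binding.
# Assumptions (not from the page): HS256 with a constructed key instead of
# B2C's RS256 + JWKS, and placeholder issuer / application IDs.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-signing-key"                      # stand-in for the issuer's key
ISSUER = "https://example-tenant.b2clogin.com/tenant-id/v2.0/"  # placeholder issuer
APP1_ID = "app1-client-id"                                   # placeholder application IDs
APP2_ID = "app2-client-id"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(audience: str, scope: str, ttl: int = 3600, now=None) -> str:
    """Issue a signed token bound to one API (`audience`) and one scope string."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": audience, "scp": scope, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, expected_audience: str, required_scope: str, now=None) -> tuple:
    """Checks a resource server runs before trusting a bearer token.

    Returns (accepted, reason). Order matters: verify the signature before
    reading any claim, then issuer, expiry, audience and scope.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h, p, s = parts
    expected_sig = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    # The audience binds the token to exactly one API. A token minted for app1
    # carries aud=app1, so app2 must reject it: this is the "Authorization denied".
    if claims.get("aud") != expected_audience:
        return False, "audience mismatch: token is for %r, this API is %r" % (claims.get("aud"), expected_audience)
    if required_scope not in claims.get("scp", "").split():
        return False, "missing scope"
    return True, "ok"


if __name__ == "__main__":
    token_for_app1 = mint_token(APP1_ID, "read")
    print("app1 validating its own token:", validate_token(token_for_app1, APP1_ID, "read"))
    print("app2 validating app1's token: ", validate_token(token_for_app1, APP2_ID, "read"))
```

The practical consequence for the scenario above: the mobile client has to request a separate access token per API (each with that API's scope), or the two APIs have to be registered so that one audience covers both; a token issued for app1 is never valid at app2, and an API that accepted it would be skipping the audience check that makes bearer tokens safe to hand out.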
