CODEWITHSUNDEEP
oauth-2.0azure-ad-b2cazure-api-management
RNDThoughts
RNDThoughts

Reputation: 1034

Authorisation with Azure API Management and oAuth2

I have a WebAPI (A) hosted on Azure protected by Azure B2C (B) which is being called by a mobile app (C) - this is all working correctly.

I now want to allow third parties to access my API via API Management on the same platform but I am getting extremely confused with authentication and "audiences".

The API Management developer portal has been configured as per the Azure documentation so that when the developer makes test calls on the portal it prompts for authentication using the B2C domain (B). To do this it uses an application registered against the B2C domain.

However when I want to implement the API from a third party system (D) I need to allow the system to impersonate a user when calling my API (A) so that operations happen in the context of an authenticated user on the domain (B).

I know B2C does not yet support "On Behalf Of" as a valid flow so I use hellojs to obtain an access token on the client which I pass to the third party system API via a custom head which it then appends as an Authorization header to it's call to the API.

The API Management product expects a "subscription key" to identify the products the third party implementation can use.

  1. Does this mean with regards to the authentication part that every third party system using my API would use the same oAuth "audience" id and therefore the same Active Directory app?

  2. It makes more sense to me that each third party implementation would have a different app on Azure Ad but that would mean my Web API would need to recognise a huge number of audience ids and redirect uris?

Finally, how do i "hide" the Web API endpoints from public use - surely use of the audience id would allow people to circumvent the API Management product?

Apologies if I have mixed any terminology up.

Upvotes: 2

Views: 3582

Answers (2)

RNDThoughts
RNDThoughts

Reputation: 1034

OK, so B2C doesnt use consent:

Azure AD B2C does not ask your client application users for their consent. Instead, all consent is provided by the admin, based on the permissions configured between the applications described above. If a permission grant for an application is revoked, all users who were previously able to acquire that permission will no longer be able to do so.

Upvotes: 0

iandayman
iandayman

Reputation: 4467

1) Does this mean with regards to the authentication part that every third party system using my API would use the same oAuth "audience" id and therefore the same Active Directory app?

They will use the same resource/scope id (i.e. audience) e.g. https://yourwebapiAppIDURI/Read but they would all have their own application IDs.

2) It makes more sense to me that each third party implementation would have a different app on Azure Ad but that would mean my Web API would need to recognise a huge number of audience ids and redirect uris?

Yes they should register their applications as clients to your B2C Auth server. The 3rd party apps should be setup in the AAD portal to have delegated access to your web API (. "Access yourwebAPIname"). If your web API exposes any scopes access to those can be delegated too.

Now when they start the token request by redirecting the user to your Auth Server, they should provide their client id and a resource/scope value of your web APIs App ID URL e.g. https://yourwebapiAppIDURI/Read.

That should result in a token with:

aud value of the Application ID associated with https://yourwebapiAppIDURI/

scp value of Read

Upvotes: 1

Related Questions