DaveSav

Reputation: 1374

Grant access to API from native client

I have a mobile app using Azure AD B2C which works fine. I can create an account, log in, forgot password, etc. That's all fine.

The mobile app stores data on the device.

The mobile app should also be able to push data to a remote database and trigger various functions via a .NET Core web API.

The mobile app should only be able to do that if it authorises itself successfully with the API using the credentials, or access tokens, it has from the login.

I assumed that this could be implemented easily (because, why couldn't it be?)

But now, after weeks of searching, hours of video-watching, 10s of aborted [test] projects, and 1000s of user accounts, I'm not sure whether the thing I want to do is a thing that can be done or should be done.

Thoughts?

Upvotes: 0

Views: 33

Answers (1)

juunas

Reputation: 58733

Yes, this is of course possible :)

You can check the code samples for some examples of how to do it: https://learn.microsoft.com/en-us/azure/active-directory-b2c/code-samples.

Your mobile app can acquire an access token for itself. You'll have to define in B2C that your app contains an API, and then define the app ID URI (an identifier for the API, not a URL). You can then define scopes that the API exposes. These can be different permissions that applications calling the API can have.

In your mobile app you then acquire an access token using those scopes. This token can then be passed to HTTP requests to your API, which the API has to authenticate.

Do ask if you want to know about something specific.

Upvotes: 1
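
The API side of the flow described in the answer above, as an added example that is not part of the original answer or of Microsoft's samples: an ASP.NET Core web API that validates the B2C access token and requires a scope before accepting data. The scope name `data.write`, the `/api/records` route, the `RecordDto` type and the `DataWrite` policy name are assumptions chosen for illustration.

```csharp
// Program.cs (ASP.NET Core, .NET 6+); needs the Microsoft.Identity.Web NuGet package.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Validates signature, issuer, audience and lifetime of the bearer token using
// the "AzureAdB2C" section of appsettings.json (Instance, Domain, ClientId,
// SignUpSignInPolicyId), filled in with your own tenant's values.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration, "AzureAdB2C");

builder.Services.AddAuthorization(options =>
{
    // Deny by default: an endpoint without an explicit policy still needs a valid token.
    options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
    // "data.write" is a hypothetical scope name defined on the API's app registration.
    options.AddPolicy("DataWrite", policy =>
        policy.RequireAuthenticatedUser()
              .RequireAssertion(ctx => HasScope(ctx.User, "data.write")));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoint: the owner comes from the token, never from the request body.
app.MapPost("/api/records", (RecordDto record, ClaimsPrincipal user) =>
{
    var owner = user.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? user.FindFirst("sub")?.Value;
    if (string.IsNullOrEmpty(owner)) return Results.Forbid();
    return Results.Ok(new { owner, record.Name });
}).RequireAuthorization("DataWrite");

app.Run();

// The scope claim is a space-separated list; it arrives as "scp" or, with the
// default inbound claim mapping, under the long schema URI.
static bool HasScope(ClaimsPrincipal user, string required) =>
    user.FindAll(c => c.Type is "scp" or "http://schemas.microsoft.com/identity/claims/scope")
        .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
        .Contains(required, StringComparer.Ordinal);

record RecordDto(string Name);
```

The mobile app sends the token it acquired for that scope in the `Authorization: Bearer` header; a request with no token gets 401, and a valid token without the scope gets 403.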
