Kamil Chmielewski

Reputation: 35

Authorization to web API for external service using Azure B2C

I have a problem getting authorization for external services using Azure B2C.

I have a web API in ASP.NET Core and a React app on the front end. The thing is, I also need some external services (automated) accessing this API. And while I can have the 'normal' flow on the front end (where the user types in a username and password), this won't work for those services, as they are not users (they can't type in a password, not to mention they won't open a web page).

I've tried using app secrets for getting authorization tokens, but this way I can't really tell which service is connecting, as they have the same claims no matter which secret is used for token generation. Am I missing something and there IS a way to tell which one is authorized, or do I need a completely different approach?

Upvotes: 0

Views: 251

Answers (1)

juunas

Reputation: 58733

The way we have usually achieved this is to:

  1. Create a separate app registration not meant for B2C users
  2. Define one or more app permissions on this (appRoles)
  3. Assign those app permissions to apps in the tenant that need to call the API as the app instead of on behalf of a user
  4. Acquire a token from the AAD token endpoint with the client credentials flow (not the B2C token endpoint)
  5. Authorize the request with a second authentication scheme configured on the app to accept tokens issued by the underlying Azure AD tenant (in addition to B2C policy) and check that the token contains the defined app permission

This approach was necessary at the time at least since B2C did not support client credentials flow in itself (and I think still doesn't). We usually didn't care which client app was connecting, since we can see what app permissions have been granted to it from the roles claim in the token. But you can identify the calling app from the appid claim if you need that info for authorization.

Upvotes: 0
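The server side of steps 2 to 5, as an added example that is not the answerer's or the project's own code: an ASP.NET Core minimal API with two JWT bearer schemes, one for B2C users and one for the underlying Azure AD tenant, an authorization policy that requires the `roles` app permission, and an endpoint that reads the calling app's ID. The scheme names `"B2C"` and `"AAD"`, the app role value `Api.Read`, the configuration keys, and the placeholder tenant and client IDs are assumptions; the client obtains its token from `https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token` with `grant_type=client_credentials` and `scope=api://{apiClientId}/.default`.

```csharp
// Added example (not the answerer's code): ASP.NET Core minimal API with two JWT bearer schemes.
// Assumed names: scheme names "B2C" and "AAD", app role value "Api.Read", the configuration
// keys under "AzureAdB2C:*" and "AzureAd:*", and the placeholder tenant/client IDs below.
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
var config = builder.Configuration;

// Placeholders: in a real deployment these come from appsettings.json or environment.
string b2cTenant = config["AzureAdB2C:TenantName"] ?? "contoso";          // <tenant>.onmicrosoft.com
string b2cPolicy = config["AzureAdB2C:SignUpSignInPolicyId"] ?? "B2C_1_signupsignin";
string b2cClientId = config["AzureAdB2C:ClientId"] ?? "00000000-0000-0000-0000-000000000001";
string aadTenantId = config["AzureAd:TenantId"] ?? "00000000-0000-0000-0000-000000000002";
string aadApiClientId = config["AzureAd:ClientId"] ?? "00000000-0000-0000-0000-000000000003";

builder.Services.AddAuthentication(options =>
{
    // The B2C user scheme stays the default; service calls opt in through the policy below.
    options.DefaultAuthenticateScheme = "B2C";
    options.DefaultChallengeScheme = "B2C";
})
.AddJwtBearer("B2C", options =>
{
    // Tokens for interactive users, issued by the B2C policy (user flow).
    options.Authority = $"https://{b2cTenant}.b2clogin.com/{b2cTenant}.onmicrosoft.com/{b2cPolicy}/v2.0";
    options.Audience = b2cClientId;
})
.AddJwtBearer("AAD", options =>
{
    // Tokens for automated callers, issued by the underlying Azure AD tenant (client credentials).
    options.Authority = $"https://login.microsoftonline.com/{aadTenantId}/v2.0";
    // Keep the raw JWT claim names ("roles", "appid", "azp") instead of the .NET long-form mappings,
    // so RequireClaim("roles", ...) below matches what the token actually carries.
    options.MapInboundClaims = false;
    options.TokenValidationParameters = new TokenValidationParameters
    {
        // v2.0 tokens carry the client ID as aud; v1.0 tokens carry the App ID URI.
        ValidAudiences = new[] { aadApiClientId, $"api://{aadApiClientId}" },
        // Pin the issuer to this tenant only so tokens from other tenants are rejected.
        ValidIssuers = new[]
        {
            $"https://login.microsoftonline.com/{aadTenantId}/v2.0",
            $"https://sts.windows.net/{aadTenantId}/",
        },
    };
});

builder.Services.AddAuthorization(options =>
{
    // Service-to-service policy: token must be validated by the AAD scheme AND carry the app role.
    // A B2C user token never satisfies this, even if it somehow contained a "roles" claim.
    options.AddPolicy("ServiceCaller", policy => policy
        .AddAuthenticationSchemes("AAD")
        .RequireAuthenticatedUser()
        .RequireClaim("roles", "Api.Read"));

    // Interactive-user policy: token must be validated by the B2C scheme.
    options.AddPolicy("B2CUser", policy => policy
        .AddAuthenticationSchemes("B2C")
        .RequireAuthenticatedUser());
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Endpoint reachable only by automated services that were granted the Api.Read app role.
app.MapGet("/api/reports", (HttpContext ctx) =>
{
    // v1.0 tokens expose the caller's client ID as "appid", v2.0 tokens as "azp";
    // this is how an individual calling service is identified (and logged) if needed.
    string? callerAppId = ctx.User.FindFirst("appid")?.Value ?? ctx.User.FindFirst("azp")?.Value;
    var roles = ctx.User.FindAll("roles").Select(c => c.Value).ToArray();
    return Results.Ok(new { caller = callerAppId, roles });
}).RequireAuthorization("ServiceCaller");

// Endpoint for signed-in B2C users.
app.MapGet("/api/me", (HttpContext ctx) =>
    Results.Ok(new { name = ctx.User.Identity?.Name }))
   .RequireAuthorization("B2CUser");

app.Run();
```

Two design points worth keeping: the policy names the scheme explicitly (`AddAuthenticationSchemes("AAD")`), so a valid B2C user token cannot reach the service endpoint just because both schemes are registered; and the `roles` check answers the question's concern, since each calling app registration can be granted a different app role, and the `appid`/`azp` claim distinguishes the individual caller even when several apps share the same role.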
