Using Azure AD B2C Resource Owner Password Credentials (ROPC) how do you protect the API

Question

I am new to azure and my intention initially was to have a standalone API which would be protected by client credentials and then any app out in the world if they had the client credentials would get access to the API endpoints. It turns out that Azure AD B2C does not support the client credentials method so I am now implementing the ROPC method.

I followed the steps as mentioned here and when I run the test POST using Postman I get back a valid access token.

I am struggling to be able protect the API using the access token during API configuration. I have the code I am working on here.

There are two projects in the repository. One is a console app which is supposed to mimic a "out in the world random app which has capabilities of hitting an API endpoint and haver the Azure B2C client ID/ scopes and required ROPC details". After doing a POST I get the access token and paste in the client app which if successfully authenticated and authorized should hit the API endpoint and return values.

Any suggestions? I am about done beating my head on this!!

Tutorial followed --> here

Code For Reference --> here

Answer 1

We just added client credential support. https://learn.microsoft.com/en-us/azure/active-directory-b2c/client-credentials-grant-flow?pivots=b2c-custom-policy