Access AzureAd registered API from a B2C registered Web App - azure

We have an Azure AD B2C registered web app and an Azure AD registered Web API - is it possible to make authenticated calls to the Azure AD Web API from the Azure B2C Web app? Can it be done?
We have tried a few different ways but are not having much luck, including Access Control Lists, but it doesn't accept the token passed and says it is invalid.

You must register two applications in the Azure AD B2C directory to enable your app to sign in with Azure AD B2C and call a web API.
Your app can sign in with Azure AD B2C via the web, mobile, or SPA application registration. The Application ID, also known as the client ID, is generated during the app registration process and uniquely identifies your application (for example, App ID: 1).
Your app can use the web API registration to call a protected web API. The web API permissions (scopes) are exposed as part of the registration. The Application ID is generated during the app registration process, and it uniquely identifies your web API (for example, App ID: 2).
For more information, please refer to this link.

Related

Allow Azure B2C App Registration access to regular organization AD App Registration

I have the following scenario:
An organization has an internal application, X, which is registered under the 'main' tenant, allowing employees to utilize it.
App X has an API exposed for other applications (which are also registered under the main organization tenant) to use, and thus this is all set up in AD.
A new B2C tenant has been created, where another public facing application, Y, will be registered.
How do I allow my App Registration for Y in my B2C tenant to use the exposed API of X?
Any feedback would be appreciated.
Edit 1:
I'm assuming I'd need to set up a Daemon auth flow, as the backend of Y will be authenticating with X as the app itself, and not as or on behalf of the user logged into Y.
Edit 2:
After some looking into this today, I'm considering creating an AD App Registration for Y in the main organization of X, allowing me to set up any connections that need to be made there, and I'd update the backend of Y to make a call as a Daemon to X, passing all the relevant information and client secret.
Seems a bit unusual, so will look for alternatives, but would also appreciate some feedback from someone who has more experience :)
Edit 3:
To clarify, I am looking to facilitate the communication between backend applications between two tenants, where one is a B2C tenant, and the other is an internal organization tenant.
This can be achieved using multi-tenancy. Both applications need to be registered as multi-tenant applications.
1. In Tenant A - Create an app registration as a multi-tenant application in tenant A (eg: TenantA), expose it as an API (api://app-id) and add the app roles in the application.
2. In Tenant B - Create an app registration as a multi-tenant application in tenant B and note the client-id of the application.
3. The client id of the application in Tenant B needs to be added to the known client applications in the manifest of the application registered in tenant A.
4. Provide consent to the application and permission in Tenant B to create the service principal using https://login.microsoftonline.com/common/adminconsent?client_id=clientIdOfTenantA&redirect_uri=redirectURIOfTenantA
5. In Tenant B, the service principal of Tenant A has been created under Enterprise applications.
6. Now tenant A is available in Tenant B. You can go ahead and make the API exposed in tenant A available to tenant B.
Yes, you can surely allow the App registration considered Y in Azure AD B2C tenant to use the exposed API of another ‘App registration’ named X in an Azure AD tenant. For that purpose, you will have to configure the ‘Application Y’ registered in Azure AD B2C tenant as a ‘multitenant’ application and use it to start an authentication request to the authorization endpoint via a user flow. Thus, in here, the user flow defines and controls the user experience. After users complete the user flow, Azure AD B2C generates a token and then redirects users back to your application.
For this purpose, you will have to configure a user flow in your Azure AD B2C application.
Please refer to the below snapshots and steps defined for more details on this: -
a) You might be having a front end and a back end to your application registered for authentication purposes with your web app. The backend application might have the authentication with the application registration X in an Azure AD tenant while the frontend application might have the authentication with the application registration Y registered in the Azure AD B2C tenant.
Then, you will have to modify the front-end code for the web API and the back-end code for the web API as given in the below relevant link: -
https://learn.microsoft.com/en-us/azure/app-service/tutorial-auth-aad?pivots=platform-windows#call-back-end-api-from-front-end
For further configuring the authentication and authorization for the two apps, you can configure the front-end app to generate an access token that you can use to make authenticated calls to the back-end app. For this purpose, you will have to configure Azure AD as the identity provider with the app service configured for the front end as well as the back end as given in the link below: -
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
b) Once the above has been done, ensure that you are granting front end app access to the back end as below through the ‘Authentication’ section in the Azure AD app: -
Then configure the app service to return a usable access token for the front-end app to access the back-end app with the required permissions, configuring the App service authentication and authorization on behalf of the ‘App registration Y’ in the Azure AD B2C tenant for it to access the ‘App registration X’ in the Azure AD tenant as below, by adding the scope parameter to the authentication setting ‘identityProviders.azureActiveDirectory.login.loginParameters’. Replace <front-end-app-name> and <back-end-client-id> in the below commands: -
authSettings=$(az webapp auth show -g myAuthResourceGroup -n <front-end-app-name>)
authSettings=$(echo "$authSettings" | jq '.properties' | jq '.identityProviders.azureActiveDirectory.login += {"loginParameters":["scope=openid profile email offline_access api://<back-end-client-id>/user_impersonation"]}')
az webapp auth set --resource-group myAuthResourceGroup --name <front-end-app-name> --body "$authSettings"
The commands effectively add a ‘loginParameters’ property with additional custom scopes. Here's an explanation of the requested scopes: -
openid, profile, and email are requested by App Service by default already.
For information, see OpenID Connect Scopes: -
api://<back-end-client-id>/user_impersonation is an exposed API in your back-end app registration. It's the scope that gives you a JWT token that includes the back-end app as a token audience.
offline_access is included here for convenience (in case you want to refresh tokens)
Thus, you can call the back-end API (Azure AD app registration) from the front-end API (Azure AD B2C app registration) by injecting an X-MS-TOKEN-AAD-ACCESS-TOKEN header into each authenticated request as shown below: -
https://learn.microsoft.com/en-us/azure/app-service/tutorial-auth-aad?pivots=platform-windows#call-api-securely-from-server-code
Thus, in this way, you can surely expose an API for an application registered in Azure AD B2C for it to access the application in Azure AD.

Azure AD B2C - Using access token returned from sign in flow to secure the rest web API

I am using Azure B2C in my react SPA to sign in the user with external identity providers e.g. Google and Facebook. I have some .net core web API that needs to be called by signed-in users only. I have followed Azure documents for my scenario. As per the docs, I need to register another AD B2C application for web API security and my client app needs to acquire the token with the scope defined in the server-side AD app and pass that token while calling the web API.
Why can't I use the same access token received from azure AD B2C as part of the sign-in flow to pass it to my web API and validate it on the server side to secure the Web API? In that case, I don't need to create another server-side AD application for securing the API.
You can, but it’s simply against the protocol spec. Each client needs to be registered and have a unique client Id/AppId.
Plus if you do it with one App Registration, your logs would never differentiate access to your front end vs access to your api.

Should I register both front-end and api apps in Azure AD B2C?

I have a single page application hosted as a static site on an Azure storage account. The SPA is registered in AD B2C, and it is possible to log in alright using msal. Now I want to call my REST API, also hosted on Azure, but only allow authorization if logged in. Should I register the API as a separate app in B2C, or should I use the same registration when setting up the WebApiAuthentication?
You should register the Web API as a separate app registration and expose scopes via the "Expose an API" tab in B2C. Once you create the scopes, you can grant access to your client app registration using the "API Permissions" tab. You will be required to grant admin consent at that time.
Refer to How to access two separate Web APIs protected using Azure AD B2C from a web app if you are creating multiple services that are called by the same client.
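The two answers above (why the sign-in token cannot simply be reused, and why the API gets its own registration with exposed scopes) come down to what the web API must check in a bearer token. The following is an added example, not code from any of the posts: a minimal token validator in the style a B2C-protected API would use, checking issuer, audience, expiry and the granted scope. The issuer URL, client ids and signing key are constructed placeholders, and HS256 with a shared key stands in for B2C's RS256 signature verified against the tenant's JWKS.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholders: not real tenants, app registrations or keys.
B2C_ISSUER = "https://contoso.b2clogin.com/11111111-1111-1111-1111-111111111111/v2.0/"
SPA_CLIENT_ID = "aaaaaaaa-0000-0000-0000-000000000001"  # front-end (sign-in) registration
API_CLIENT_ID = "bbbbbbbb-0000-0000-0000-000000000002"  # separate web API registration
SECRET = b"constructed-demo-key"  # stand-in for the RS256 key fetched from the B2C JWKS endpoint

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Build a signed demo JWT; B2C itself issues RS256 tokens with the same claim layout."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_api_token(token: str, required_scope: str = "user_impersonation", now: float = None) -> dict:
    """What the web API checks before serving a request: signature, issuer,
    audience equal to the API's own app id, expiry, and the scope the client was granted."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != B2C_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != API_CLIENT_ID:
        raise ValueError("token not issued for this API (aud mismatch)")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    if required_scope not in claims.get("scp", "").split():
        raise ValueError("missing scope")
    return claims

def rejection_reason(token: str) -> str:
    """Return why the API rejects a token, or an empty string if it is accepted."""
    try:
        validate_api_token(token)
        return ""
    except ValueError as exc:
        return str(exc)

# Constructed sample tokens: the one returned by the sign-in flow carries the SPA's
# client id as audience and no API scope, so the API must refuse it.
SIGN_IN_TOKEN = mint_token({"iss": B2C_ISSUER, "aud": SPA_CLIENT_ID, "sub": "user-1", "exp": time.time() + 3600})
API_TOKEN = mint_token({"iss": B2C_ISSUER, "aud": API_CLIENT_ID, "sub": "user-1",
                        "scp": "user_impersonation", "exp": time.time() + 3600})
```

A production validator additionally pins the expected `alg` (RS256) and resolves the signing key by `kid` from the tenant's OpenID Connect metadata.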

Azure AD B2C application vs Azure App Registration app

I don’t really understand the difference between Azure AD B2C Application and Azure App Registration Application.
I can see some of my Azure AD B2C applications in the Azure App Registration page, but the opposite is not true.
The good part of Azure App Registration is that you can request the Graph API if you have the right permissions and it’s not true for an Azure AD B2C Application.
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
But it seems to be not possible to be authenticated with Azure AD B2C with an Azure App Registration application.
Do you know if there is a possibility to have an all-in-one? An application which can authorize AAD B2C authentication and request the Graph API.
The two sets of apps are completely independent of each other.
You should not be able to see any of the Azure AD B2C apps in the Application Registration portal (ARP). The only app that may be visible is the 'b2c-extensions-app', which is a system application that B2C uses to store information about users. Likewise, the apps in the ARP portal should not be visible in the B2C portal.
Unfortunately it is not possible to have an "all-in-one" app at the moment. You should vote for the feature here.
Depending on your scenario, you could register an application in both the portals, and use the right one depending on the request you need to make.
1) Currently it is not possible to use the same app registration for both Microsoft Graph API and Azure AD B2C.
a. Azure AD B2C Apps must be registered using the Azure AD B2C blade in the Azure portal.
b. Graph API applications can be registered either at https://apps.dev.microsoft.com/ or by creating an application in your Azure Active Directory tenant (but not under the Azure AD B2C blade).
2) Graph API currently does not accept tokens issued by Azure AD B2C. This means you may need a separate micro-service that will authenticate with Microsoft Graph using the ClientId / ClientSecret of your Graph API Application Registration. The instructions in the documentation will have you configure “create, read and update permissions” for your Graph API app registration. (https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet)

Using AD Token for access to multiple applications registered in Azure AD

We have chosen Azure AD for authenticating users for the Enterprise Web applications developed using MVC and hosted on Azure Cloud Platform.
We are trying to plan & develop a common portal for the users to which they can login using Azure AD login screen. This Portal will display the links to the cloud applications to which the user has access and they could access the cloud application from this portal.
Please let me know whether this is feasible since I have read in many places that the Azure AD token assigned to the user from Azure AD is valid only for one resource or registered application. Does that mean that when they try to login into another Cloud application registered to the same Azure AD from the portal, they will need to login again or re-use the Azure AD token for the portal in the browser session cookie for logging into the other applications?
It's true that your users authenticate against an application registered in Azure AD and that the issued token is only valid for that application.
However, the user establishes a session with the authorization server (Azure AD) and will not be prompted for credentials when redirected there to authenticate against another registered application.
So your portal page can just contain links to the URLs for the applications. Each application redirects the user to Azure AD for authentication and the user is only prompted for credentials for the first application he/she logs in to.
