AAD B2C Custom Policies: Read HTTP x-api-key headers on REST API

Question

AAD B2C Custom Policies: Read HTTP x-api-key headers on REST API

Mikhail Delly 126

Hi.

For securing requests from b2c policies to AF the "Secure code approach" is used.

(https://{AF endpoint}?code={secure code})

In this case AF has open API but could not be accessed without knowing this code.

I am trying to find similar approach for REST API:

<TechnicalProfile Id="REST-API">
<DisplayName>REST-API</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ServiceUrl">Url</Item>
<Item Key="SendClaimsIn">Body</Item>
<Item Key="AuthenticationType">ApiKeyHeader</Item>
</Metadata>
<CryptographicKeys>
<Key Id="x-functions-key" StorageReferenceId="B2C_1A_RestApiKey" /> (or x-api-key header)
</CryptographicKeys>

Is it possible to:

Get x-functions-key or x-api-key from headers on Back-End side and get the code configured in Policy Keys using smth like:

if (!Request.Headers.TryGetValue("x-functions-key", out var extractedApiKey))
{
...
}

Sending custom claims in body but B2C_1A_RestApiKey in header?
If it doesn't work is this any working approach to send custom code from policy and read it on the Back-End side?

Thanks.

Shweta Mathur 30,431 Reputation points Microsoft Employee Moderator

2022-12-28T06:51:48.863+00:00

Hi @Mikhail Delly ,

Thanks for reaching out.

i understand you are looking to read HTTP header from REST API into B2C policy keys directly (which is not possible), but you are not able to find how to read header value from REST API to B2C or how to map the header.

Could you please confirm, is my understanding correct?

Thanks,
Shweta
Mikhail Delly 126 Reputation points

2022-12-28T08:40:24.63+00:00

I would like to know if is this a possibility to save code generated on azure b2c policy side (for example in policy keys) and put it into the rest api call to server. And read the code on the server-side.
The approach looks like Azure Function calls (https://{AF endpoint}?code={secure code}). Where the security code is hardcoded on the policy side.

I understand that is could be a possibility to put some code in url but i'm looking for more reliable alternative (like HTTP headers)

1 answer

Your answer

Shweta Mathur 30,431 Reputation points Microsoft Employee Moderator

2022-12-28T06:51:48.863+00:00

Hi @Mikhail Delly ,

Thanks for reaching out.

i understand you are looking to read HTTP header from REST API into B2C policy keys directly (which is not possible), but you are not able to find how to read header value from REST API to B2C or how to map the header.

Could you please confirm, is my understanding correct?

Thanks,
Shweta
Mikhail Delly 126 Reputation points

2022-12-28T08:40:24.63+00:00

I would like to know if is this a possibility to save code generated on azure b2c policy side (for example in policy keys) and put it into the rest api call to server. And read the code on the server-side.
The approach looks like Azure Function calls (https://{AF endpoint}?code={secure code}). Where the security code is hardcoded on the policy side.

I understand that is could be a possibility to put some code in url but i'm looking for more reliable alternative (like HTTP headers)

Answer 1

Shweta Mathur 30,431 Microsoft Employee Moderator

Hi @Mikhail Delly ,

Apologies for delay in response.

Unfortunately, it is not possible to pass the code in policy keys or in the URL to read HTTP headers directly.

I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements. Thank you for your time and patience throughout this issue.

Thanks, Shweta

Please remember to "Accept Answer" if answer helped you.

Share via

AAD B2C Custom Policies: Read HTTP x-api-key headers on REST API

1 answer

Your answer