I have two APIs: API A and API B. We also have client apps SPA A and SPA B which communicate with API A and API B respectively. I now want to configure communication between API A and API B.
API A is registered as an application in Azure AD B2C. Only authenticated users can access this API, and they therefore must have a JWT token to call this API. AD B2C is used for authentication here and is the provider for the JWT tokens.
API B is registered as an application in Azure AD. Again, only authenticated users can access this API.
I want to provide application permissions to both APIs for one another so that they can communicate with one another.
I understand this is in some ways cross-tenant communication, and one solution that came to mind was having two app registrations for each app, one in each tenant. I need two app registrations each because API A and API B both manipulate their respective tenants using the Graph API.
With these two app registrations per app, whenever API A wants to communicate with API B it would use its app registration in Azure AD. Whenever API A wants to communicate with the Graph API, it would use its app registration in Azure AD B2C. The same kind of thing goes for API B wanting to communicate with API A.
A few issues with the above idea that I had:
- AD B2C does not do service-to-service communication, i.e., it only allows delegated permissions. This means that for API B to communicate with API A it needs a logged-in user. This is not possible in my scenario; alternatives here are welcome.
- API B (registered in Azure AD) makes use of Easy Auth (I don't think that is really a problem, but I wanted to highlight it here) (and it isn't called Easy Auth anymore, if anyone was wondering).
What is the best way I can approach the above-mentioned issue, so that I have the least amount of friction when communicating from one API to the other? Also, the above seems to me a little too arduous and complicated for such a simple scenario; any alternative methods to enable communication between my two APIs are welcome.
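The question turns on the difference between a delegated token (issued on behalf of a signed-in user) and an application-only token (issued via the client credentials grant with application permissions). The following is an added illustration, not code from the question or from any Microsoft library, of what that difference looks like on the wire for the Azure AD side of this setup: how API A would request an app-only token for API B from the Azure AD v2.0 token endpoint, and how API B would tell an app-only token (`roles` claim, no `scp`) from a delegated one (`scp` claim) before authorising the call. The tenant ID, application IDs, role name and the two sample tokens are constructed for the example; signature verification is assumed to be done elsewhere (for instance by the App Service authentication layer the question mentions), so only the claims are inspected here.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed identifiers for the example; none of these come from the question.
TENANT_ID = "11111111-2222-3333-4444-555555555555"        # the Azure AD tenant
API_B_APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"     # API B's app registration
API_A_CLIENT_ID = "ffffffff-0000-1111-2222-333333333333"  # API A's registration in Azure AD
REQUIRED_ROLE = "ApiB.Call"  # hypothetical app role defined on API B's registration


def client_credentials_request(tenant_id, client_id, client_secret, resource_app_id):
    """Build the POST (url, form body) for an app-only token.

    This is the client credentials grant against the v2.0 endpoint; the
    '/.default' scope asks for every application permission granted to the
    caller on the resource. No user is involved, which is the point of the
    question.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"api://{resource_app_id}/.default",
    })
    return url, body


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims):
    """Constructed test token: real header/payload layout, dummy signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"


def jwt_claims(token):
    """Decode the payload of a compact JWT (signature is NOT verified here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def caller_kind(claims, tenant_id, audience):
    """Classify a v2.0 access token presented to the API as delegated or application.

    Audience, issuer and tenant are pinned first so a token minted for another
    app or tenant is rejected regardless of which permission claims it carries.
    """
    if claims.get("aud") != audience:
        raise PermissionError("wrong audience")
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        raise PermissionError("wrong issuer")
    if claims.get("tid") != tenant_id:
        raise PermissionError("wrong tenant")
    # Delegated tokens carry 'scp' (and may also carry user app roles in 'roles');
    # app-only tokens have no 'scp' and carry application permissions in 'roles'.
    # If the 'idtyp' optional claim is enabled on the API it is the stronger signal.
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    raise PermissionError("token carries neither scp nor roles")


def authorize_app_role(token, tenant_id, audience, required_role):
    """Allow a service-to-service call only for an app-only token holding the role."""
    claims = jwt_claims(token)
    if caller_kind(claims, tenant_id, audience) != "application":
        return False
    return required_role in claims.get("roles", [])


# Constructed sample tokens (offline; no call to login.microsoftonline.com is made).
_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
APP_ONLY_TOKEN = make_unsigned_token({
    "aud": API_B_APP_ID, "iss": _ISSUER, "tid": TENANT_ID,
    "appid": API_A_CLIENT_ID, "roles": [REQUIRED_ROLE],
})
DELEGATED_TOKEN = make_unsigned_token({
    "aud": API_B_APP_ID, "iss": _ISSUER, "tid": TENANT_ID,
    "appid": API_A_CLIENT_ID, "scp": "access_as_user", "oid": "user-object-id",
})

if __name__ == "__main__":
    url, body = client_credentials_request(TENANT_ID, API_A_CLIENT_ID, "<secret>", API_B_APP_ID)
    print(url, body)
    print("app-only token authorised:", authorize_app_role(APP_ONLY_TOKEN, TENANT_ID, API_B_APP_ID, REQUIRED_ROLE))
    print("delegated token authorised:", authorize_app_role(DELEGATED_TOKEN, TENANT_ID, API_B_APP_ID, REQUIRED_ROLE))
```

Note that the delegated token is refused by `authorize_app_role` even though it is valid for the same audience: an endpoint meant for service-to-service calls should check `roles` on an app-only token, and a user-facing endpoint should check `scp`, rather than treating the two interchangeably.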