
How to call an Azure AD protected API from an Azure AD B2C protected API and vice versa?

Hassan Zaidi 0 Reputation points
2023-06-07T09:41:01.72+00:00

I have two APIs: API A and API B. We also have client apps SPA A and SPA B which communicate with API A and API B respectively. I now want to configure communication between API A and API B.

API A is registered as an application in Azure AD B2C. Only authenticated users can access this API, and they therefore must have a JWT token to call this API. AD B2C is used for authentication here and is the provider for the JWT tokens.

API B is registered as an application in Azure AD. Again, we have authenticated users that can only access this API.

I want to provide application permissions to both APIs for one another so that they can communicate with one another.

I understand this in some ways is cross-tenant communication, and one solution that was coming to my mind was having two app registrations for each app, one for each tenant. I need to have two app registrations respectively because API A and B both manipulate their individual tenants using Graph API.

Having these two app registrations for each app, whenever API A wants to communicate with API B it would make use of the app registration registered in Azure AD. Whenever API A wants to communicate with Graph API it'll make use of its app registration registered in Azure AD B2C. The same kinda thing will go for API B wanting to communicate with API A.

A few issues with the above idea that I had:

  • AD B2C does not do service-to-service communication, i.e., it will only allow delegated permissions. This means that for API B to communicate with API A it needs to have a logged-in user. This is not possible in my scenario; alternatives here are welcome.
  • API B (registered in Azure AD) makes use of Easy Auth (I don't think that is really a problem, but just wanted to highlight it here) (and also it isn't called Easy Auth anymore, if anyone was wondering).

What is the best way I can approach the above-mentioned issue, so that I have the least amount of friction whilst communicating from one API to another? Also, the above sounds to me to be a little too arduous and complicated for such a simple scenario; any other alternative methods to enable communication between my two APIs are welcome.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Anonymous
    2023-06-08T23:21:35.8933333+00:00

    Hi @Hassan Zaidi, thanks for the question. Have you looked into using the OAuth 2.0 client credentials flow? This flow allows service-to-service communication without the need for a logged-in user.

    Azure AD B2C doesn't support service-to-service communication using the on-behalf-of flow, but the client credentials flow should work for your scenario.

    Let me know if this looks good for your issues and I can give you a more detailed writeup.

    Best,

    James

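As an added illustration of the client credentials flow suggested in the answer above (example code written for this page, not from the thread, MSAL or any Microsoft library): the first function builds the token request API A would send to the v2.0 token endpoint of the tenant API B is registered in, and the second shows the authorization checks API B should apply to the resulting app-only token once its signature and issuer have been verified. The tenant name, client IDs, app role name and sample claims are constructed placeholders.

```python
import time
from urllib.parse import urlencode

# Constructed placeholders, not real tenant or application identifiers.
TENANT = "contoso.onmicrosoft.com"
API_A_CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # API A's registration in API B's tenant
API_B_CLIENT_ID = "22222222-2222-2222-2222-222222222222"
API_B_APP_ID_URI = f"api://{API_B_CLIENT_ID}"
REQUIRED_ROLE = "Orders.Sync"  # assumed app role defined on API B and granted to API A


def client_credentials_request(tenant, client_id, client_secret, api_app_id_uri):
    """Token request API A sends to the v2.0 endpoint of the tenant where API B lives.
    No user is involved: the scope is the target API's application ID URI plus
    '/.default', and the app roles granted to the caller land in the token's 'roles'."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{api_app_id_uri}/.default",
    }
    return url, urlencode(body)


def authorize_app_token(claims, expected_aud, allowed_callers, required_role, now=None):
    """Checks API B applies to a decoded token AFTER its signature and issuer have been
    verified against the tenant's signing keys (library work, not shown). Returns
    (allowed, reason)."""
    now = time.time() if now is None else now
    if claims.get("aud") != expected_aud:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if "scp" in claims:  # delegated tokens carry 'scp'; app-only tokens carry 'roles'
        return False, "delegated token presented to a service-to-service endpoint"
    caller = claims.get("azp") or claims.get("appid")  # v2.0 tokens use azp, v1.0 use appid
    if caller not in allowed_callers:
        return False, f"caller {caller} is not an allowed client"
    if required_role not in claims.get("roles", []):
        return False, f"missing app role {required_role}"
    return True, "ok"


# Constructed sample payload shaped like an app-only token from the v2.0 endpoint.
SAMPLE_CLAIMS = {"aud": API_B_CLIENT_ID, "azp": API_A_CLIENT_ID, "exp": 1_700_000_000,
                 "roles": [REQUIRED_ROLE], "ver": "2.0"}
```

The same checks apply in the other direction once API B has a registration in the B2C tenant, with the audience, allowed caller and role swapped accordingly.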
