Restricting Access to Azure AD B2C API

Question

Restricting Access to Azure AD B2C API

hampton123 1,175

Hi, I have a web app where users sign in using B2C, and then they call my company's API. As it stands right now, anyone can make an account and log in to access our API. I want my company to be able to see their account, grant the user access, and then the user can call the API. Is there a way that we could restrict access to users, and only allow them to call the API if we authenticate them first?

Accepted answer

0 additional answers

Your answer

Answer 1

Daniel Krzyczkowski 491 MVP

Hi,

The solution you are looking for is not about authentication but authorization.

If I understood correctly, in your solution you have web application secured by the Azure AD B2C. Once the user is authenticated, B2C issues access token which can be used to access your API, correct?

In this case if you want to restrict the access to the Web API only to specific users, you will need to implement authorization mechanism.

You have basically two options here:

In the access token that is used with your Web API you will add additional claim, like "Role" or "UserType" and than on the Web API side you will validate whether the token has this claim or not. Basing on that you decide whether API returns data or return HTTP 403 status Forbidden.
You implement authorization on the Web API side fully. It means that you do a verification on the Web API side using user's object ID against authorization system/database to see if this specific user has permission to access your Web API's specific endpoint. It is more complex solution.

Here is the fragment of my video which describes both approaches:
https://youtu.be/sE6fnagYp1M?t=358

hampton123 1,175 Reputation points

2023-08-05T20:19:23.24+00:00

Daniel Krzyczkowski Thank you for clarifying the difference between authorization and authentication. The first approach you describe sounds like it will be the way to go, and I will use your video as a guide to help me implement this option, thanks again!

Another question, what if I also wanted to restrict outside access to the API itself? We wouldn't want random people accessing the SPA but we also want to make it public enough to where authenticated users could access the system. How would you go about doing that?
Daniel Krzyczkowski 491 Reputation points MVP

2023-08-08T04:50:00.9666667+00:00

When it comes to your next question. I am not sure if I understood correctly but let me answer.
When it comes to access to SPA application - if this is publicly available application the only way you can secure is the authentication with Azure AD B2C to authenticate the user identity.
If you want to add more restrictive mechanism, you could do the "check" with external API during the authentication process in the AD B2C to check if the user with specific email address should have access to your SPA application. If not, you could display information on the login page that user is not allowed to access the app. One more thing here, you mentioned that you want your company to grant the user access. In this case you could also disable "sign up" flow on the AD B2C side. With such approach user accounts would be created by the administrator and then using the invitation flow with password reset, users could set their passwords and authenticate successfully. No public registration page would be available so external, unknown users could not register themselves.

On the API side - as I mentioned before, you should use access token to secure access. Additionally you could implement authorization using solution like OpenFGA (my video).
Additionally you could restrict access to this API on the network level - it mean that you could allow access to the server where API is hosted only from the specific IP (IP of your SPA application).
Daniel Krzyczkowski 491 Reputation points MVP

2023-08-08T04:50:39.25+00:00

I would be also grateful for accepting my answer if you found it helpful. Thank you!
hampton123 1,175 Reputation points

2023-08-08T17:22:47.93+00:00

Hi Daniel Krzyczkowski, thank you for your response! I think I'll do your idea where you spoke about disabling the sign-up flow on the B2C side. I currently have a signin & signup flow, is it easy to replace this flow with just a simple sign-in flow? Also, how would I send users their login information once I create an account for them?

Thank you for your comments so far, they've been very helpful!
Daniel Krzyczkowski 491 Reputation points MVP

2023-08-09T05:39:24.2066667+00:00

If you use "user flows" directly from the portal, then you have to just create only sign in flow:

If you use "custom policies" here is the answer how you can easily disable the registration flow:

https://learn.microsoft.com/en-us/answers/questions/21687/how-to-build-signin-only-policy-in-b2c-custom-poli
hampton123 1,175 Reputation points

2023-08-09T17:32:33.3933333+00:00

Thank you for your responses Daniel Krzyczkowski! Currently I have the sign up and sign in user flow right now so I assume it would be easy to swap in the details from that previous user flow to the newly created sign in flow.

How would you provide users with their login information after you create an account? Just send them their email address and a generated password for them to use, and then they can reset their password?

Sorry if I'm asking too many questions, I'm new to this and I want to completely understand the concepts.
Daniel Krzyczkowski 491 Reputation points MVP

2023-08-10T11:56:20.13+00:00

No problem. In such case, once the user account is created using Microsoft Graph API (with random password value) you could sent the welcome email to the user with the link to the password reset flow. Then they can reset the password once they provide OTP code sent to their mailbox.
hampton123 1,175 Reputation points

2023-08-14T17:56:07.7166667+00:00

Hi Daniel Krzyczkowski, I want to thank you again for your responses, they've been very helpful! Could I also create the user through the Azure portal as well in my B2C directory? For example just go to Users in the B2C instance, then just Create Azure AD B2C User , or are there limitations to doing this?
Daniel Krzyczkowski 491 Reputation points MVP

2023-09-09T14:22:36.57+00:00

Hi @Hunter B

I apologize late reply, I did not get any notification, this is weird!
Yes, you can use Create Azure AD B2C User option to create user. You can also set the password or let Azure AD to generate one for the user. Then you can sign in with these credentials in the Azure AD B2C user flows/custom policies.
hampton123 1,175 Reputation points

2023-09-20T12:49:12.49+00:00

You're fine Daniel Krzyczkowski, thank you for all your help :)

Share via

Restricting Access to Azure AD B2C API

0 additional answers

Your answer