B2C Tokens for Customer Data Extraction

hampton123 1,175 Reputation points
2024-01-05T21:29:32.8333333+00:00

I'm currently working on integrating Azure AD B2C and Azure API Management for my APIs. The APIs require an access token from B2C and a subscription key from APIM to run. I have specific questions related to B2C token acquisition and refresh, particularly in the context of data extraction using tools like Azure Data Factory.

  1. Token Acquisition:
    • How can customers obtain a B2C token by providing their B2C credentials securely?
      • Are there any considerations specific to token acquisition for scenarios involving data extraction, such as with Azure Data Factory?
  2. Token Refresh for Data Extraction:
    • In scenarios where users need to extract data continuously (e.g., using Azure Data Factory), what are the best practices for automatically refreshing B2C tokens?
      • Any insights on integrating token refresh mechanisms for continuous and uninterrupted data extraction processes?
Tags: Azure API Management, Azure Data Factory, Microsoft Entra External ID

3 answers

  1. Pinaki Ghatak 5,595 Reputation points Microsoft Employee
    2024-01-06T16:34:19.7666667+00:00

    Hello hampton123

    Please look at the following steps to help you:

    Token Acquisition: Customers can obtain a B2C token securely by following the steps outlined in the Azure Active Directory B2C documentation. The process involves creating a user flow to enable users to sign up and sign in to your application, and adding a web API application to your Azure AD B2C tenant. The HTTP request must include an access token, which is denoted as access_token in the responses from Azure AD B2C.

    For scenarios involving data extraction with Azure Data Factory, you can use Managed Identity Authentication, which eliminates the necessity of generating the access token. You will have to grab the identity of the system-assigned ADF identity or create a user-assigned identity, and add this identity to the resource that you are accessing.

    Token Refresh for Data Extraction: Refresh tokens are used to acquire new ID tokens and access tokens in an OAuth 2.0 flow. They provide your application with long-term access to resources on behalf of users without requiring interaction with those users. Your application shouldn’t be written with the expectation that a refresh token will last for a specific period of time. The only way for your application to know if a refresh token is valid is to attempt to redeem it by making a token request to Azure AD B2C.

    For continuous and uninterrupted data extraction processes, you can implement a mechanism to refresh the token automatically. One common practice is to use a refresh token to create a new set of access and refresh tokens after the access token expires, without asking users to re-enter their credentials. This approach improves security while maintaining a positive user experience.

    Remember to follow the best practices and recommendations provided by Azure AD B2C for integrating it into your application environments. Also, ensure to strike the right balance between application usability and your organization’s acceptable level of risk.


  2. Pinaki Ghatak 5,595 Reputation points Microsoft Employee
    2024-01-07T16:38:38.49+00:00

    Hello again.

    Please follow this for your use-case.

    Azure API Management B2C

    Azure API Management can be secured using Azure Active Directory B2C (Azure AD B2C). Azure AD B2C is a customer identity access management (CIAM) solution capable of supporting millions of users and billions of authentications per day.

    To secure an Azure API Management API with Azure AD B2C, you need to follow these steps:

    1. Make sure you have an Azure AD B2C tenant, an application registered in your tenant, user flows created in your tenant, and a published API in Azure API Management.
    2. Record the application ID of an application you’ve previously created in your Azure AD B2C tenant.
    3. Get the well-known config URL for one of your Azure AD B2C user flows and the token issuer endpoint URI.
    4. Create and test an inbound policy in Azure API Management that restricts access to only those requests that include a valid Azure AD B2C-issued access token.

    You can also manage access to your API Management developer portal using Azure AD B2C. This involves configuring the sign up and sign in user flow and configuring the identity provider for the developer portal.

    Please note that Azure API Management supports out of the box integration with Azure AD B2C. However, the availability of this feature may depend on the tier of API Management you are using.

    Please mark this answer as accepted if/when it solves your query. This helps the other readers in the communities also.

    Thank you.
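    The inbound policy in step 4 (APIM's validate-jwt policy) accepts a request only if the Authorization header carries a Bearer token that is signed, unexpired, issued by the expected B2C user flow and addressed to the API's application ID. The Python below is an added example, not code from this answer or from APIM, that mirrors those checks on a constructed token so the rejection reasons are visible; HS256 with a constructed shared secret stands in for the RS256 signature check APIM performs against the user flow's OpenID configuration, and the issuer URL, audience and secret are placeholders.

```python
"""Added example: the checks an APIM validate-jwt policy applies to a B2C token.
Not APIM's own code. HS256 with a constructed secret replaces the RS256/JWKS
check APIM does via <openid-config>; issuer and audience are placeholders."""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders, not a real tenant or application.
EXPECTED_ISSUER = "https://contoso.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/"
EXPECTED_AUDIENCE = "11111111-1111-1111-1111-111111111111"  # API's app (client) ID
SIGNING_SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    """Build a compact JWS (HS256) for the given claims; test fixture only."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_authorization_header(header_value, now=None):
    """Return (accepted, reason), applying the same conditions as a policy with
    require-scheme="Bearer", require-signed-tokens="true",
    require-expiration-time="true", <audiences> and <issuers> set."""
    now = time.time() if now is None else now
    if not header_value or not header_value.startswith("Bearer "):
        return False, "missing Bearer scheme"
    parts = header_value[len("Bearer "):].split(".")
    if len(parts) != 3:
        return False, "malformed token"
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False, "undecodable token"
    if header.get("alg") != "HS256":  # APIM would require the alg its JWKS advertises
        return False, "unexpected alg"
    expected = hmac.new(SIGNING_SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if "exp" not in claims:
        return False, "no exp claim"
    if claims["exp"] <= now:
        return False, "token expired"
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    return True, "ok"
```

    The order of checks matters for diagnostics: the signature is verified before any claim is trusted, so an "issuer mismatch" or "audience mismatch" result always refers to claims that were genuinely issued under the expected key. In APIM the policy does not distinguish these reasons to the caller; it returns the configured failed-validation-httpcode (typically 401) for all of them.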


  3. Pinaki Ghatak 5,595 Reputation points Microsoft Employee
    2024-01-08T16:04:27.27+00:00

    Hello again, hampton123

    To answer your question here on your last comment:

    To acquire tokens from Azure API Management, customers would need to follow these steps:

    1. Register an application with Microsoft Azure AD: This involves creating an application in the Azure portal and noting down the Directory (tenant) ID and the Application (client) ID.
    2. Get authorization: This is the first step to getting an access token. The client directs the user to the /authorize endpoint. Microsoft Azure AD signs the user in and requests their consent for the permissions your app requests.
    3. Acquire the access token: This is done through a specific OAuth2 grant flow, such as the client credentials flow. The access token is then used to access the protected resources.

    As for the sensitivity of the information, the Application (client) ID and Directory (tenant) ID are not considered sensitive. However, any client secrets, passwords, or tokens should be handled securely as they can provide access to your resources.

    Regarding refresh tokens, they are used to obtain new access and refresh token pairs when the current access token expires. The process of obtaining a refresh token is similar to the process of acquiring an access token, but it involves an additional step where the refresh token is used to get a new access token. This can be done automatically in Azure API Management.

    Please note that these processes should be handled securely to protect your resources and the user’s data. It’s also important to note that the exact steps may vary depending on the specific requirements and configurations of your Azure environment. Always refer to the official Azure documentation or consult with an Azure expert when in doubt.

    Also please look at the steps for Azure API Management Azure AD authentication here:

    1. Register an application in Azure AD: This will represent the client application.
    2. Create a managed identity for your application: This is a service principal of a special type that you can use to authenticate, or be authenticated by, Azure services.
    3. Associate the Managed Identity to the Application Role: This will allow the application to access the resource.
    4. Enable user sign-in using Microsoft Entra ID: You can do this automatically or manually in the Azure portal. This will allow users of the developer portal to sign in.
    5. Configure your application to trigger HTTP Action to invoke the API: This will allow your application to interact with the API.
    6. Obtain an access token: This can be done through a specific OAuth2 grant flow, such as the client credentials flow. The access token is then used to access the protected resources.
    7. Use the access token to make requests to the API: Include the access token in the Authorization header of the HTTP request.
    8. Handle token expiry: Implement logic in your application to handle token expiry. This could involve using a refresh token to get a new access token.

    I do hope all the information provided now helps you on your journey to secure API management. Please consider tagging this as an answered question, so it may help other readers in the community seeking answers to similar questions.
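    Steps 6 to 8 above, together with the refresh mechanism described in the first answer, amount to a small token manager: cache the access token, refresh it shortly before it expires, treat a rejected refresh token as the only signal that it is no longer valid, and fall back to the initial grant in that case. The Python below is an added example (not code from this answer, from Azure Data Factory or from APIM) of such a manager for a long-running extraction job that calls an APIM-fronted API with both a B2C access token and an APIM subscription key. The token endpoint URL, client ID and subscription key are placeholders, and the B2C token endpoint is replaced by a constructed stand-in so the example runs offline; the initial grant is left to the caller, since a refresh token is only returned for delegated (user) grants, not for the client credentials grant.

```python
"""Added example: token caching, refresh and fallback for a continuous
extraction client behind APIM. Not ADF's or APIM's own code. URLs and IDs are
placeholders; FakeB2CEndpoint is a constructed stand-in for the B2C token endpoint."""
import time

TOKEN_ENDPOINT = "https://contoso.b2clogin.com/contoso.onmicrosoft.com/<user-flow>/oauth2/v2.0/token"  # placeholder
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder app (client) ID


class B2CTokenManager:
    """Hands out a usable access token, refreshing it before expiry."""

    def __init__(self, post_form, initial_grant, clock=time.time, skew=60):
        self._post = post_form            # callable(url, form_dict) -> token response dict
        self._initial_grant = initial_grant  # form fields for the first acquisition
        self._clock = clock
        self._skew = skew                 # refresh this many seconds before expiry
        self._access_token = None
        self._refresh_token = None
        self._expires_at = 0.0
        self.refresh_count = 0

    def _store(self, resp):
        if "access_token" not in resp:
            raise RuntimeError(f"token request failed: {resp.get('error', 'unknown')}")
        self._access_token = resp["access_token"]
        # B2C may rotate the refresh token; keep the old one only if none is returned.
        self._refresh_token = resp.get("refresh_token", self._refresh_token)
        self._expires_at = self._clock() + int(resp.get("expires_in", 0))

    def get_token(self):
        if self._access_token and self._clock() < self._expires_at - self._skew:
            return self._access_token
        if self._refresh_token:
            resp = self._post(TOKEN_ENDPOINT, {
                "grant_type": "refresh_token",
                "client_id": CLIENT_ID,
                "refresh_token": self._refresh_token,
            })
            if "access_token" in resp:
                self.refresh_count += 1
                self._store(resp)
                return self._access_token
            # The only way to learn a refresh token is invalid is a rejected redemption.
            self._refresh_token = None
        self._store(self._post(TOKEN_ENDPOINT, dict(self._initial_grant)))
        return self._access_token


def build_api_headers(manager, subscription_key):
    """Step 7: bearer token for the B2C check plus the APIM subscription key."""
    return {
        "Authorization": f"Bearer {manager.get_token()}",
        "Ocp-Apim-Subscription-Key": subscription_key,
    }


class FakeB2CEndpoint:
    """Constructed stand-in: issues 1-hour tokens, rotates refresh tokens and
    rejects any refresh token it has not issued or has already seen."""

    def __init__(self):
        self.issued = 0
        self.initial_grants = 0
        self.valid_refresh = set()

    def post(self, url, form):
        if form["grant_type"] == "refresh_token":
            if form["refresh_token"] not in self.valid_refresh:
                return {"error": "invalid_grant"}
            self.valid_refresh.discard(form["refresh_token"])
        else:
            self.initial_grants += 1
        self.issued += 1
        rt = f"rt-{self.issued}"
        self.valid_refresh.add(rt)
        return {"access_token": f"at-{self.issued}", "refresh_token": rt,
                "expires_in": 3600, "token_type": "Bearer"}


def run_demo():
    """Drive the manager through cache hit, pre-expiry refresh and revoked refresh token."""
    clock = [1000.0]
    endpoint = FakeB2CEndpoint()
    manager = B2CTokenManager(endpoint.post, {"grant_type": "<initial grant>", "client_id": CLIENT_ID},
                              clock=lambda: clock[0])
    tokens = [manager.get_token()]          # first acquisition
    clock[0] += 10
    tokens.append(manager.get_token())      # served from cache
    clock[0] += 3570                        # inside the 60 s skew window
    tokens.append(manager.get_token())      # refreshed with rt-1
    endpoint.valid_refresh.clear()          # simulate revocation / expiry of rt-2
    clock[0] += 3600
    tokens.append(manager.get_token())      # refresh rejected, initial grant again
    return tokens, manager.refresh_count, endpoint.issued, endpoint.initial_grants


if __name__ == "__main__":
    print(run_demo())
```

    The skew window is what keeps an extraction pipeline from failing mid-run: a token that is still technically valid but about to expire is replaced before the request is sent, rather than after the API returns 401. The fallback to the initial grant is where a headless job differs from an interactive application, which would instead prompt the user to sign in again.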

