How do customers obtain access tokens and refresh tokens securely through providing their own credentials?

hampton123 1,175 Reputation points
2024-01-08T15:50:56.0066667+00:00

Hi, currently I have Azure Functions behind an API Management service that require two variables to be passed:

  1. Subscription key provided through API Management
  2. Authorization Bearer JWT Token from B2C

Without both of these variables, the APIs won't execute. For reference, I followed this tutorial to integrate B2C's OAuth 2.0 user authorization with my Azure API Management developer portal.

Customers are required to use B2C to log into my API Management instance to pass the Authorization token to the APIs. However, the developer portal is just one area where users call their APIs; they should be able to call them through Postman, Data Factory, etc. If they were to call their APIs outside of the developer portal, they could very easily obtain their subscription key by logging into the developer portal and taking it from there.

How would outside users/customers obtain an access token? I was previously linked to this article, however it requires variables such as the client registration which makes me question the security of this method. I ultimately want users to obtain their own access token and provide their own credentials without my organization having to provide them with sensitive information, as security is of the utmost importance with my API management system.

Also, is it possible to obtain refresh tokens in the same manner? I want these same users to have refresh tokens for systems such as Data Factory.

Thank you for the assistance.


Accepted answer
  1. Pramod Valavala 20,656 Reputation points Microsoft Employee Moderator
    2024-01-09T00:33:07.88+00:00

    @hampton123 The documentation for setting up Azure AD or Azure AD B2C is primarily focused on single tenant scenarios where you are sharing your API with users from your tenant.

    Typically, when you are sharing the API with a subscriber, they leverage the Subscription Key and/or Certificate since your API is in most cases being proxied via a custom backend on their end.

    For the scenario that you are looking for, where your subscriber's users also leverage Azure AD (B2C) to access your API (like how Microsoft Graph and other APIs do it), you will need to set up your app registration to be multi-tenant.

    So, at a high-level, these are the steps you need:

    1. Multi-tenant app registration in your tenant
    2. Subscriber consents to your application to register a service principal in their tenant
    3. Subscriber registers their own app registration and includes delegated permissions to your API (refer to this post)
    4. End users log in to the subscriber's application, which then calls your API (still proxied because of the subscription key)

    In most cases, this is not what you want unless your API is meant to span across multiple subscriber applications with the user being the same. For example, how Microsoft Graph APIs can be used across any custom application to fetch user details like name, profile picture, etc. or how the Outlook API allows third-party applications to read your email or calendar.

