Hi @Piotr Buda , here's a high-level overview of how you can achieve this. Please let me know if I misunderstood your ask or if you have any questions.
- Register the WebApi app on the Entra ID tenant and grant permissions to the app registrations of both WebApp 1 and WebApp 2. This will allow both apps to call the WebApi.
- Register WebApp 1 on the Entra ID tenant and configure it to use Entra ID authentication.
- Register WebApp 2 on the B2C tenant and configure it to use B2C authentication.
- Configure the Entra ID tenant to trust the B2C tenant by adding it as an external identity provider. This will allow B2C users to authenticate with the Entra ID tenant.
- In your WebApp 2, use the OAuth 2.0 client credentials grant flow to authenticate with the WebApi on the Entra ID tenant. This flow allows your app to use its own credentials to authenticate when calling the WebApi, instead of impersonating a user.
- In your WebApp 1, use the OAuth 2.0 authorization code flow to authenticate with the WebApi on the Entra ID tenant. This flow allows your app to obtain an access token on behalf of the user and use it to call the WebApi.
Please let me know if you have any questions and I can help you further.
If this answer helps you please mark "Accept Answer" so other users can reference it.
Thank you,
James
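As an added example, not part of James's answer, here is how the WebApi side can tell the two callers apart once a token arrives: WebApp 1 sends a delegated token from the authorization code flow (carries `scp` and the user's `oid`), WebApp 2 sends an app-only token from the client credentials flow (no user, permissions in `roles`). The tenant ID, audience and client IDs are constructed placeholders, and signature verification against the tenant's signing keys is assumed to be done by the web framework's JWT middleware before this claim check runs.

```python
import base64
import json
import time

# Constructed identifiers for this example; real values come from the app registrations.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
WEBAPI_AUDIENCE = "api://webapi-example"  # Application ID URI of the WebApi registration
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
ALLOWED_CLIENTS = {
    "11111111-1111-1111-1111-111111111111": "WebApp1",  # authorization code flow (delegated token)
    "22222222-2222-2222-2222-222222222222": "WebApp2",  # client credentials flow (app-only token)
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Build a test JWT with an empty signature (constructed input for this example only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def _payload(token: str) -> dict:
    """Decode the payload segment (base64url without padding)."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def authorize(token: str, now=None) -> dict:
    """Check claims and classify the caller. Assumes the signature was already verified
    against the tenant's signing keys by the framework's JWT middleware (not done here)."""
    now = time.time() if now is None else now
    claims = _payload(token)
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError("issuer mismatch")
    if claims.get("aud") != WEBAPI_AUDIENCE:
        raise PermissionError("token not issued for this WebApi")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    client_id = claims.get("azp") or claims.get("appid")  # v2.0 tokens use azp, v1.0 use appid
    if client_id not in ALLOWED_CLIENTS:
        raise PermissionError("calling app is not one of the permitted registrations")
    caller = ALLOWED_CLIENTS[client_id]
    if "scp" in claims:
        # Delegated token: WebApp 1 acting on behalf of a signed-in user.
        return {"client": caller, "flow": "delegated", "user": claims.get("oid"),
                "scopes": claims["scp"].split()}
    # App-only token: WebApp 2 using its own credentials; permissions arrive as app roles.
    return {"client": caller, "flow": "app-only", "user": None,
            "roles": claims.get("roles", [])}
```

Because the two flows yield different claim shapes, the WebApi can apply per-user authorization to WebApp 1's calls and app-role authorization to WebApp 2's calls from the same token check.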