Restrict API Clients to Azure B2C only

juni dev 336 Reputation points
2024-04-15T23:42:10.8466667+00:00

I have 2 APIs, in Azure AppService.
One of them is behind Azure APIM

Those APIs offer helper services used by Azure AD B2C custom policies.

Currently the APIs are protected by a subscription key only.

I need to ensure that specific operations of those APIs can be consumed only by B2C and not by whoever has the subscription key.

Can this be achieved via service tags or so?

Note: at the time the B2C needs to consume the APIs, the user is not yet authenticated, so I can't use JWT tokens for validation.

Help is really appreciated.
Many thanks,
JD


1 answer

  1. brtrach-MSFT 15,351 Reputation points Microsoft Employee
    2024-05-11T04:37:33.95+00:00

    @juni dev To restrict access to your APIs to only Azure AD B2C clients, you can use Azure AD B2C as the authentication mechanism for your APIs. You can configure your APIs to accept only requests that include a valid Azure AD B2C-issued access token.

    Here are the high-level steps to achieve this:

    1. Register your APIs in Azure AD B2C as applications.
    2. Configure your APIs to accept only requests that include a valid Azure AD B2C-issued access token.
    3. Configure your Azure AD B2C custom policies to obtain an access token for your APIs.

    You mentioned that at the time the B2C needs to consume the APIs, the user is not yet authenticated. In this case, you can use the client credentials flow to obtain an access token for your APIs.

    Here is an example of how to use the client credentials flow to obtain an access token for your APIs:

    1. Register your APIs in Azure AD B2C as applications.
    2. In the Azure portal, go to your Azure AD B2C tenant and select "App registrations".
    3. Select "New registration" and register your APIs as applications.
    4. In the API Management portal, go to your API and select "Settings".
    5. Under "Security", select "OAuth 2.0".
    6. Select "Add" and configure your APIs to accept only requests that include a valid Azure AD B2C-issued access token.
    7. In your Azure AD B2C custom policies, use the client credentials flow to obtain an access token for your APIs.
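An APIM inbound policy that enforces what step 6 of the answer describes, added here as an illustration and not part of the answer or of any Microsoft sample; TENANT_NAME, TENANT_ID, POLICY_NAME, API_APP_ID and B2C_CLIENT_APP_ID are placeholders to substitute. The `azp` claim (the calling application's id in B2C-issued tokens) is what pins the operation to the one app registration whose client credentials the custom policy holds, so that neither a bare subscription key nor a token minted for some other app in the tenant gets through.

```xml
<!-- Apply at the scope of the operations that only B2C may call (operation
     scope in APIM), so the rest of the API keeps its subscription-key-only setup. -->
<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization" require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Caller is not the B2C policy">
            <!-- Placeholders: TENANT_NAME, TENANT_ID (GUID), POLICY_NAME,
                 API_APP_ID and B2C_CLIENT_APP_ID are assumed values. -->
            <openid-config url="https://TENANT_NAME.b2clogin.com/TENANT_NAME.onmicrosoft.com/POLICY_NAME/v2.0/.well-known/openid-configuration" />
            <issuers>
                <issuer>https://TENANT_NAME.b2clogin.com/TENANT_ID/v2.0/</issuer>
            </issuers>
            <audiences>
                <!-- The API's own app registration, i.e. the resource the
                     custom policy requested with the .default scope. -->
                <audience>API_APP_ID</audience>
            </audiences>
            <required-claims>
                <!-- Without this, any app in the tenant that can obtain a token
                     for API_APP_ID would pass; with it, only the registration
                     used by the custom policy does. -->
                <claim name="azp" match="all">
                    <value>B2C_CLIENT_APP_ID</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend><base /></backend>
    <outbound><base /></outbound>
    <on-error><base /></on-error>
</policies>
```

The API that is not behind APIM needs the same issuer, audience and `azp` checks in its own JWT middleware, since the subscription key never reaches it as proof of caller identity.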