![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 5%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,905 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 93%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBG%3C/text%3E%3C/svg%3E)
Hi Thanks for the question
Ordinarily you would login the user in the front end using OIDC and either at this point or later acquire an Access token for the backend API - this token would be in the user context.
If the API you call then itself needs to get an access token , but also based on the user context, you'd use an OBO (on behalf of flow)
Unfortunately OBO isnt supported by B2C REF https://learn.microsoft.com/en-us/azure/active-directory-b2c/access-tokens
But, equally you should definitely not pass a user credential over the wire to the API to use - the user should only ever present their credential to the IDP (the sign in and sign up flows in B2C redirect the user from the app to B2C, the app should not and does not ever see the user credential)
What you could do is have the backend App request a token from B2C using its own identity (client credentials flow) - this was not previously possible with B2C but is now in preview
https://learn.microsoft.com/en-us/azure/active-directory-b2c/client-credentials-grant-flow?pivots=b2c-custom-policy