
Azure B2C Custom Policy Calling Web API in Main Tenant

Kyle Infante 0 Reputation points
2024-10-17T16:31:32.4666667+00:00

Description:

I am having trouble trying to configure an HTTP Request from my B2C Custom Policy that will perform a person-lookup against user input. The trickier part is that the B2C Custom Policy will need to perform the HTTP request on our company's main tenant because the app is a proxy app that calls our main private API through VPN Gateway. The VPN Gateway is only configured in our main tenant. I have spent the week trying different methods of approach with no luck. Due to my limited knowledge of Azure, it makes it even more difficult for me.

If I am understanding this correctly, I need to have my Custom Policy call a B2C Tenant's app registration to retrieve an access token. Then utilize that access token to call an App Registration that is in my main tenant where the Web API is running as an App Service? So my main app registration needs to grant permissions for my B2C app registration to make requests?

Current Structure

  • B2C Tenant
    • SIGNUP Custom Policy
    • 'ClientApp' App Registration (get access token)
  • Main Tenant
    • Web API App Registration (use access token)
    • Web API AppService

Both app registrations are set for Multi-tenant because these are cross tenant interactions but other than that, I am not sure about the configurations or how the flow should really be going.

I would greatly appreciate your assistance in resolving this issue. If you could provide any insights into why I might be encountering this internal error and what steps I can take to successfully obtain an access token, it would be immensely helpful.

Thank you for your support.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Akhilesh Vallamkonda 15,355 Reputation points Moderator
    2024-11-08T13:36:33.45+00:00

    Hi @Kyle Infante

    Thank you for reaching out to the Microsoft Q&A Forum!

    To call a web API in a custom policy, you need to define a RESTful technical profile that specifies the endpoint of the web API and the HTTP method to use. You can then reference this technical profile in your user journey to make the call to the web API.

    Here's an example of how to define a RESTful technical profile in your custom policy:

    <TechnicalProfile Id="MyWebApi">
      <DisplayName>My Web API</DisplayName>
      <Protocol Name="REST" />
      <Metadata>
        <!-- Endpoint the policy calls; B2C requires HTTPS here -->
        <Item Key="ServiceUrl">https://mywebapi.com/api/endpoint</Item>
        <!-- Bearer: B2C sends a static token from a policy key in the Authorization header -->
        <Item Key="AuthenticationType">Bearer</Item>
        <!-- Input claims are posted as a JSON body (alternative: Url or QueryString) -->
        <Item Key="SendClaimsIn">Body</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- For AuthenticationType=Bearer the key must be named BearerAuthenticationToken and
             reference a policy key that holds the bearer token itself, not the token-signing key.
             Replace the placeholder container name with your own policy key. -->
        <Key Id="BearerAuthenticationToken" StorageReferenceId="B2C_1A_RestApiBearerToken_PLACEHOLDER" />
      </CryptographicKeys>
      <InputClaims>
        <!-- Sent to the API as {"objectId": "..."} -->
        <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
      </InputClaims>
      <OutputClaims>
        <!-- Read from the top-level "myOutputClaim" property of the API's JSON response -->
        <OutputClaim ClaimTypeReferenceId="myOutputClaim" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
    

    Thanks,

    Akhilesh.

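The answer above describes the policy side of the call. The following is an added example, not code from the Q&A post or from Microsoft, showing what the web API on the receiving end has to implement for a RESTful technical profile with AuthenticationType=Bearer and SendClaimsIn=Body: check the static bearer token, read the input claims from the JSON body, return output claims as top-level JSON properties, and signal user-facing errors with HTTP 409 in the JSON shape B2C expects. The token value, the person directory and the claim names other than objectId/myOutputClaim are constructed placeholders.

```python
"""Server-side handler for the REST contract Azure AD B2C uses when a RESTful
technical profile calls a web API with AuthenticationType=Bearer and
SendClaimsIn=Body. Constructed example; token, directory and claim names are
assumptions, not values from the Q&A post."""
import hmac
import json
from typing import Tuple

# Static bearer token that the policy stores in a B2C policy key container.
# Constructed placeholder; in production load it from a secret store.
EXPECTED_BEARER_TOKEN = "placeholder-static-bearer-token"

# Constructed stand-in for the person directory behind the private API.
PERSON_DIRECTORY = {
    "11111111-1111-1111-1111-111111111111": {"employeeId": "E100", "displayName": "Alice Example"},
}


def _b2c_error(status: int, message: str) -> dict:
    """B2C shows userMessage to the end user only when the API answers HTTP 409
    with exactly this JSON shape (version/status/userMessage)."""
    return {"version": "1.0.0", "status": status, "userMessage": message}


def handle_b2c_request(headers: dict, body: str) -> Tuple[int, dict]:
    """Validate the bearer token, parse the input claims B2C posted in the body,
    and return (http_status, json_body). Output claims are top-level keys whose
    names must match the OutputClaim ClaimTypeReferenceIds in the policy."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    # Constant-time comparison so the token check does not leak via timing.
    if scheme != "Bearer" or not hmac.compare_digest(token, EXPECTED_BEARER_TOKEN):
        # A non-409 status makes B2C treat the call as failed; the journey stops.
        return 401, _b2c_error(401, "Unauthorized")
    try:
        claims = json.loads(body)
    except json.JSONDecodeError:
        return 409, _b2c_error(409, "Malformed request body")
    if not isinstance(claims, dict):
        return 409, _b2c_error(409, "Request body must be a JSON object")
    object_id = claims.get("objectId")
    if not isinstance(object_id, str) or not object_id:
        return 409, _b2c_error(409, "objectId claim is required")
    person = PERSON_DIRECTORY.get(object_id)
    if person is None:
        # 409 + userMessage is the only way to surface a message to the user.
        return 409, _b2c_error(409, "No matching person was found")
    return 200, {"myOutputClaim": person["employeeId"]}


if __name__ == "__main__":
    # Simulate the request B2C sends for the policy in the answer above.
    sample_headers = {"Authorization": "Bearer " + EXPECTED_BEARER_TOKEN}
    sample_body = json.dumps({"objectId": "11111111-1111-1111-1111-111111111111"})
    print(handle_b2c_request(sample_headers, sample_body))
```

Whatever fronts the API (App Service, a proxy reachable over the VPN Gateway), the contract is the same: the policy only ever sees the HTTP status and the JSON body, so anything other than 200 with the expected property names, or 409 with the error object, surfaces as a generic failure in the user journey.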
