This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 91%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBW%3C/text%3E%3C/svg%3E)
I am building a Custom Azure AD B2C policy for login and during the User Journey I need to call a REST API that is protected by both a Bearer Token and an API key in the header. The documentation indicates you have to pick one or the other. Is there anyway to send both? Here is my TechnicalProfile:
<TechnicalProfile Id="getAppConsent">
<DisplayName>Call Internal API to determine if this user is authorized for the given app</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="ServiceUrl"><my_url></Item>
<Item Key="AuthenticationType">ApiKeyHeader</Item>
<Item Key="UseClaimAsBearerToken">IdPToken</Item>
<Item Key="SendClaimsIn">QueryString</Item>
<Item Key="AllowInsecureInProduction">true</Item>
<Item Key="DefaultUserMessageIfRequestFailed">Cannot process your request, please try again later.</Item>
</Metadata>
<CryptographicKeys>
<Key Id="API-Key" StorageReferenceId="B2C_1A_APIKey" />
</CryptographicKeys>
<InputClaims>
<InputClaim ClaimTypeReferenceId="IdPToken"/>
<InputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tenantid" />
<InputClaim ClaimTypeReferenceId="appId" DefaultValue="{OIDC:ClientId}" AlwaysUseDefaultValue="true" />
<InputClaim ClaimTypeReferenceId="userId" PartnerClaimType="username" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="appName" />
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
Thank you for your assistance,
Brian Weldon
Hi @Brian Weldon • Unfortunately, this is not possible. You cannot use ApiKeyHeader with any other authentication methods - Basic, Bearer, or ClientCertificate.
Thank you for your response @AmanpreetSingh-MSFT . I assume that it is also not possible to set the AuthenticationType to Bearer and add another custom header? I did not see any mention of this in the documentation.
@Brian Weldon • Right, you cannot add multiple AuthenticationType keys to specify different headers. This will result in the error: An item with the same key has already been added. during the upload of the policy file.
Thank you @AmanpreetSingh-MSFT I appreciate your time helping me. My question more generically is can I send multiple custom headers and a query string to a REST API from an Azure B2C custom policy?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 26%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
How can we request this as a feature? I do feel having multiple headers is a valid case.