I have a WebAPI (A) hosted on Azure protected by Azure B2C (B) which is being called by a mobile app (C) - this is all working correctly.
I now want to allow third parties to access my API via API Management on the same platform but I am getting extremely confused with authentication and "audiences".
The API Management developer portal has been configured as per the Azure documentation so that when the developer makes test calls on the portal it prompts for authentication using the B2C domain (B). To do this it uses an application registered against the B2C domain.
However when I want to implement the API from a third party system (D) I need to allow the system to impersonate a user when calling my API (A) so that operations happen in the context of an authenticated user on the domain (B).
I know B2C does not yet support "On Behalf Of" as a valid flow so I use hellojs to obtain an access token on the client which I pass to the third party system API via a custom head which it then appends as an Authorization header to it's call to the API.
The API Management product expects a "subscription key" to identify the products the third party implementation can use.
Does this mean with regards to the authentication part that every third party system using my API would use the same oAuth "audience" id and therefore the same Active Directory app?
It makes more sense to me that each third party implementation would have a different app on Azure Ad but that would mean my Web API would need to recognise a huge number of audience ids and redirect uris?
Finally, how do i "hide" the Web API endpoints from public use - surely use of the audience id would allow people to circumvent the API Management product?
Apologies if I have mixed any terminology up.
