
I am currently following this user guide for adding a custom policy to my B2C sign up process

I have created the API and configured the various XML files. I can generate a token to access the API via the implicit flow.

The API is secured under the app service with Azure Active Directory authentication.

The page linked to describes how to add basic authentication and a client ID / secret, which is a Client Credentials flow, so I was trying to test this in Postman.

However, having failed to get it to work, I went looking and found a variety of posts stating implicit credentials are not supported by Azure B2C?

If that is the case I'm puzzled how it is I'm supposed to ensure the claims of the API I am calling to carry out the business logic can be accessed by the custom policy?

My API is hosted on Azure in the same subscription. I can generate tokens for this API fine to use within my native / client app.

Please could someone advise how I should go about testing access to this API from a B2C context via Postman?


1 Answer


The page linked to describes how to add basic authentication and a client ID / secret, which is a Client Credentials flow, so I was trying to test this in Postman.

To be exact, it should not be called Client Credentials, because it isn't. It's just HTTP Basic authentication.

You are adding an alternative authentication method to your API in that case. The fact that B2C does not support client credentials auth does not matter here.

What matters is that you have enabled AAD authentication on App Service. This will block the calls that try to use Basic auth against your API.

Here are a couple of options:

  1. Disable authentication on the App Service and implement the two alternative authentication methods in your API code
  2. Allow anonymous calls through from App Service auth and implement Basic auth for unauthenticated requests in your API code

As for testing from Postman, it should then be the same as testing any API supporting Basic authentication. You don't authenticate against B2C, so there is nothing special about it.
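The following is an added example (not code from the answerer, the question's API, or Microsoft) of what option 2 looks like inside the API: App Service auth is left in allow-anonymous mode, requests it already authenticated arrive with a caller identity header, and anything else must present HTTP Basic credentials that the B2C custom policy's RESTful technical profile is configured with. The header name X-MS-CLIENT-PRINCIPAL-NAME is assumed from the App Service authentication feature, the credentials are constructed placeholders, and handle_request stands in for whatever web framework the real API uses.

```python
import base64
import hmac
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# Constructed credentials for the custom policy's RESTful technical profile.
# In a real deployment load them from configuration or Key Vault; never hard-code.
BASIC_USERNAME = "b2c-policy"
BASIC_PASSWORD = "example-secret-not-for-production"


@dataclass
class AuthResult:
    ok: bool
    principal: Optional[str] = None
    scheme: Optional[str] = None
    reason: str = ""


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a Basic-auth client (e.g. Postman) sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a 'Basic <base64>' header, or None if malformed."""
    scheme, _, credentials = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not credentials.strip():
        return None
    try:
        decoded = base64.b64decode(credentials.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def basic_credentials_valid(user: str, password: str) -> bool:
    # Constant-time comparison of both fields so timing does not reveal which one was wrong.
    user_ok = hmac.compare_digest(user.encode("utf-8"), BASIC_USERNAME.encode("utf-8"))
    pw_ok = hmac.compare_digest(password.encode("utf-8"), BASIC_PASSWORD.encode("utf-8"))
    return user_ok and pw_ok


def authenticate(headers: Mapping[str, str]) -> AuthResult:
    h = {k.lower(): v for k, v in headers.items()}
    # Path 1: App Service auth (allow-anonymous mode) already validated a bearer
    # token and injected the caller identity. The header name is an assumption
    # about the App Service auth feature; trust it only when that platform layer
    # actually sits in front of the app and sets it.
    principal = h.get("x-ms-client-principal-name")
    if principal:
        return AuthResult(True, principal, "bearer")
    # Path 2: the request came through unauthenticated, so require HTTP Basic
    # credentials, which is what the B2C custom policy will send.
    authz = h.get("authorization")
    if not authz:
        return AuthResult(False, reason="no credentials")
    parsed = parse_basic(authz)
    if parsed is None:
        return AuthResult(False, reason="unsupported or malformed Authorization header")
    user, password = parsed
    if basic_credentials_valid(user, password):
        return AuthResult(True, user, "basic")
    return AuthResult(False, scheme="basic", reason="invalid Basic credentials")


def handle_request(headers: Mapping[str, str]) -> Tuple[int, dict, dict]:
    """Minimal handler: 401 with a Basic challenge on failure, claims on success."""
    result = authenticate(headers)
    if not result.ok:
        return 401, {"WWW-Authenticate": 'Basic realm="b2c-api"'}, {"error": result.reason}
    # Constructed claim payload; the real API would run its business logic here.
    body = {"caller": result.principal, "scheme": result.scheme, "loyaltyTier": "gold"}
    return 200, {}, body


if __name__ == "__main__":
    print(handle_request({"Authorization": basic_header(BASIC_USERNAME, BASIC_PASSWORD)}))
    print(handle_request({"Authorization": "Bearer constructed-placeholder-token"}))
```

Testing from Postman then means choosing Basic Auth in the request's authorization tab with the same username and password; basic_header shows the exact header value Postman generates. Before relying on the identity header, confirm in your environment that App Service auth is the only way for a request to reach the app (no direct access to the container) and that it does not pass a client-supplied copy of that header through.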