I have a REST API which is being called by Azure AD B2C (through a technical profile in a custom policy). I need to secure the API. But as it is being called by Azure BEFORE authentication (basically it only needs to check if the email already exists in the database or not in the sign-in flow), it doesn't have an Authorize attribute. I have the ClientCertificate AuthenticationType configured in the custom policy for this REST API in the metadata of the technical profile, following this document: https://docs.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api

So basically my metadata looks like this:

    <Metadata>
      <Item Key="ServiceUrl">https://your-account.azurewebsites.net/api/GetProfile?code=your-code</Item>
      <Item Key="SendClaimsIn">Body</Item>
      <Item Key="AuthenticationType">ClientCertificate</Item>
      <Item Key="AllowInsecureAuthInProduction">false</Item>
    </Metadata>
    <CryptographicKeys>
      <Key Id="ClientCertificate" StorageReferenceId="B2C_1A_RestApiClientCertificate" />
    </CryptographicKeys>

But when I call the rest api from the browser, it is still accessible. I am not sure if I missed something, but isn't this process supposed to secure your api so only Azure can call it?
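The policy metadata above only tells B2C which certificate to present when it calls the API; the API itself still has to demand and verify that certificate, otherwise any client that skips the certificate is served normally. The following is an added example (not code from the question, from Microsoft's sample, or from the linked document) of that server-side check in Python. It assumes the API is hosted on Azure App Service or Azure Functions with incoming client certificates set to Require, so the TLS client certificate reaches the app as base64-encoded DER in the X-ARR-ClientCert header; the handler class, the header name usage and the thumbprint constant are this example's own, and the certificate bytes are a constructed stand-in rather than a real certificate.

```python
"""Server-side enforcement of the client certificate that Azure AD B2C presents.

Added example, not code from the question or from Microsoft's sample. It assumes
the API runs behind Azure App Service / Azure Functions with "Incoming client
certificates" set to Require, so the certificate arrives in the X-ARR-ClientCert
header as base64-encoded DER. SAMPLE_DER is a constructed stand-in, not a cert.
"""
import base64
import binascii
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the DER bytes of the certificate uploaded to B2C as
# B2C_1A_RestApiClientCertificate. Only its hash matters for this check.
SAMPLE_DER = b"constructed-stand-in-for-DER-encoded-certificate-bytes"


def thumbprint_of(der_bytes: bytes) -> str:
    """Thumbprint in the form Azure displays it: uppercase hex SHA-1 of the DER bytes."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


# In production read the pinned thumbprint from configuration; here it is
# derived from the constructed sample so the example is self-contained.
EXPECTED_THUMBPRINT = thumbprint_of(SAMPLE_DER)
SAMPLE_HEADER = base64.b64encode(SAMPLE_DER).decode("ascii")


def validate_client_cert(header_value, expected_thumbprint: str) -> bool:
    """Return True only if a certificate was forwarded and it matches the pinned thumbprint."""
    if not header_value:
        return False  # no certificate at all: a plain browser request ends up here
    try:
        der = base64.b64decode(header_value, validate=True)
    except (binascii.Error, ValueError):
        return False  # malformed header, treat as unauthenticated
    actual = thumbprint_of(der)
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(actual, expected_thumbprint.replace(" ", "").upper())


class CheckEmailHandler(BaseHTTPRequestHandler):
    """Minimal endpoint standing in for the 'does this email exist' API."""

    def do_POST(self):
        if not validate_client_cert(self.headers.get("X-ARR-ClientCert"), EXPECTED_THUMBPRINT):
            self.send_response(403)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(b'{"error":"client certificate required"}')
            return
        length = int(self.headers.get("Content-Length", "0"))
        self.rfile.read(length)  # B2C sends the claims as a JSON body (SendClaimsIn=Body)
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b"{}")


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), CheckEmailHandler).serve_forever()
```

Pinning the thumbprint is the check that actually closes the gap in the question: a request without X-ARR-ClientCert, or with a certificate other than the one uploaded to B2C, gets 403 before any database lookup runs. A production version should also parse the certificate (for example with .NET's X509Certificate2 or Python's cryptography package) to reject it outside its validity period, and the hosting platform must be configured to require client certificates, since without that setting the header is never populated and every caller looks anonymous.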