1
votes

Is there a /common endpoint in Azure B2C that can be used to validate tokens issued by multiple Azure B2C tenants, as in normal Azure AD (https://login.microsoftonline.com/common/.well-known/openid-configuration)?

Example of JWT token validation for normal Azure AD:

<validate-jwt header-name="authorization" failed-validation-httpcode="401" failed-validation-error-message="GWT FAIL" output-token-variable-name="jwt">
    <openid-config url="https://login.microsoftonline.com/common/.well-known/openid-configuration" />
</validate-jwt>

Regards


2 Answers

1
votes

No, there is not. Each tenant is their own identity provider and there is no "multiplexer" as in regular AAD.

0
votes

In B2C, if you configure the technical profile to return the access_token from Azure AD, then you can use the issuer claim iss present inside the access_token to find the issuer and use it for JWT validation. This sample shows how to return the access token.

For example, the technical profile below returns an access_token (<OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />) with a claim iss with the value "https://sts.windows.net/12340-123120-112112323/", which can be used to validate the token.

<TechnicalProfiles>
  <TechnicalProfile Id="AzureADProfile_issueAADtoken">
    <DisplayName>AzureAD User</DisplayName>
    <Description>AzureAD Account</Description>
    <Protocol Name="OAuth2" />
    <OutputTokenFormat>JWT</OutputTokenFormat>
    <Metadata>
      <Item Key="AccessTokenEndpoint">https://login.microsoftonline.com/common/oauth2/v2.0/token</Item>
      <Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/v2.0/authorize</Item>
      <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
      <!-- Look up signing metadata from the issuer named in the token's iss claim ... -->
      <Item Key="DiscoverMetadataByTokenIssuer">true</Item>
      <Item Key="HttpBinding">POST</Item>
      <Item Key="response_types">code</Item>
      <Item Key="scope">openid</Item>
      <Item Key="UsePolicyInRedirectUri">false</Item>
      <!-- ... but only for issuers matching this allow-listed prefix -->
      <Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
    </Metadata>
    <CryptographicKeys>
      <Key Id="client_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
    </CryptographicKeys>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
      <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="displayName" />
      <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
      <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="surname" />
      <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="userPrincipalName" />
      <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id" />
      <!-- Pass the upstream Azure AD access token through as a claim -->
      <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
    </OutputClaims>
    <OutputClaimsTransformations>
      <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
    </OutputClaimsTransformations>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
  </TechnicalProfile>
</TechnicalProfiles>
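Both the question (one validate-jwt rule for tokens from many tenants) and this answer (read iss from the token, then validate against that issuer) come down to the same pattern: use the unverified iss claim only to choose which issuer's keys to check, and gate that choice on an issuer allow-list, exactly what the ValidTokenIssuerPrefixes item does above. The script below is an added example, not code from the question, the answer or Microsoft. To run offline it signs tokens with HS256 and a constructed per-issuer key table (ISSUER_KEYS); with real Azure AD or B2C tokens the per-issuer key would instead come from the issuer's jwks_uri in `<iss>/.well-known/openid-configuration`, and the token would be RS256. The issuer URLs, audience and secrets are all constructed sample values.

```python
"""Multi-issuer JWT validation driven by the token's iss claim and gated by an
issuer allow-list. Added example; HS256 and the key table stand in for the
per-issuer JWKS lookup a real verifier would do (assumptions, not Azure's API)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed allow-list: the same role as B2C's ValidTokenIssuerPrefixes.
ALLOWED_ISSUER_PREFIXES = ("https://sts.windows.net/",)

# Constructed stand-in for each issuer's signing keys (real: the issuer's JWKS).
ISSUER_KEYS = {
    "https://sts.windows.net/tenant-a-0000/": b"tenant-a-secret",
    "https://sts.windows.net/tenant-b-1111/": b"tenant-b-secret",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, audience: str, key: bytes, now: int, ttl: int = 3600) -> str:
    """Build a compact HS256 JWT for the sample issuers (test fixture only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def peek_issuer(token: str) -> str:
    """Read iss WITHOUT verifying anything. It is only used to pick a key set;
    nothing else from the payload is trusted until the signature checks out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(_b64url_decode(parts[1])).get("iss") or ""


def resolve_issuer_key(issuer: str) -> bytes:
    """Allow-list gate first, key lookup second: an attacker-chosen iss must
    never cause metadata to be fetched from (or keys trusted for) an unknown host."""
    if not issuer.startswith(ALLOWED_ISSUER_PREFIXES):
        raise ValueError(f"issuer not allowed: {issuer!r}")
    key = ISSUER_KEYS.get(issuer)
    if key is None:
        raise ValueError(f"no signing key known for issuer {issuer!r}")
    return key


def validate_token(token: str, expected_audience: str, now: int) -> dict:
    issuer = peek_issuer(token)
    key = resolve_issuer_key(issuer)
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never honour 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("aud") != expected_audience:
        raise ValueError("wrong audience")
    return claims


def validation_result(token: str, expected_audience: str, now: int):
    """Return ('ok', claims) or ('rejected', reason) so callers can log why."""
    try:
        return "ok", validate_token(token, expected_audience, now)
    except ValueError as err:
        return "rejected", str(err)


if __name__ == "__main__":
    t0 = int(time.time())
    tenant_a = "https://sts.windows.net/tenant-a-0000/"
    good = mint_token(tenant_a, "api://demo", ISSUER_KEYS[tenant_a], t0)
    print(validation_result(good, "api://demo", t0 + 60))
    rogue = mint_token("https://rogue.example/", "api://demo", b"whatever", t0)
    print(validation_result(rogue, "api://demo", t0 + 60))
```

The order of checks is the point: the allow-list runs before any per-issuer lookup, the signature is verified before any claim other than iss is used, and audience and expiry are checked last. A rogue issuer is rejected without a network round trip, and a token that names an allowed tenant but was signed with another tenant's key fails at the signature step.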