how to handle the scenario web api 1 calling web api 2 while azure b2c doesn't support "on behalf of"


Since the B2C on-behalf-of flow is not supported, what are the options for securely passing the identity of a user downstream using the Azure infrastructure?

After Web app --> Web API 1, B2C cannot (to my knowledge) generate a token with user claims to be used in Web API 2.

Also, when it reaches that point, no interaction with the client is possible, so the token should be acquired silently or used as-is; if the token has expired, proper error handling should be triggered and the user would have to retry with a new token.

I can think of a few ways:

  1. Generating all tokens in the client and passing them down;

    • not a good idea, since the client should not be aware of what is going on downstream
  2. Passing the refresh token downstream so the API can generate tokens;

    • the refresh token is very sensitive, so it should be handled with extreme care
  3. Stopping using Azure B2C past Web API 1;

    • handling everything outside of B2C; not ideal, since from that point on it falls into "custom code"

At the end of the day, the goal is to transfer claims downstream to have the identity of the user and make sure they were not tampered with.

Rukmini

I tried to reproduce the same in my environment and got the results below:

Note that the on-behalf-of flow is not supported in Azure AD B2C, which means it cannot be used with B2C user flows. But it can be used with the standard Azure AD functionality of a B2C tenant.

I created two Web APIs and granted API permissions in the client application like below:

Now, I generated an authorization code by using the below endpoint:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
&client_id=ClientAppID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://stackb2ctenant.onmicrosoft.com/xxx/api1scope
&state=12345

I generated an access token using the authorization code flow:

https://login.microsoftonline.com/common/oauth2/v2.0/token

client_id:ClientAppID
grant_type:authorization_code
scope:https://stackb2ctenant.onmicrosoft.com/xxx/api1scope
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret

Using the above access token, I generated an access token with the On-Behalf-Of flow, using the scope of Web API 2:

https://login.microsoftonline.com/common/oauth2/v2.0/token

client_id:ServerAppID(WebApi1)
client_secret:ClientSecret
scope:https://stackb2ctenant.onmicrosoft.com/xxx/api2scope
grant_type:urn:ietf:params:oauth:grant-type:jwt-bearer
assertion:aboveaccesstoken
requested_token_use:on_behalf_of

When I decoded the token, it had api2scope, like below:

When I tried to use Azure AD B2C user flows, I got the error below:

https://stackb2ctenant.b2clogin.com/stackb2ctenant.onmicrosoft.com/<policy-name>/oauth2/v2.0/token

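As an added example (not part of the answer above), this is the piece Web API 1 would run between receiving the caller's token and calling Web API 2: it builds the same On-Behalf-Of form body the answer posts to the token endpoint, then inspects the exchanged token for the api2 scope and expiry so the expired case from the question surfaces as an error the client can retry. The `make_unsigned_test_token` helper and the claim values are constructed for offline use; a real token from the endpoint is RS256-signed and must be signature-verified against the tenant's keys before any claim is trusted.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Grant type and token-use values used by the OBO request in the answer.
OBO_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
OBO_TOKEN_USE = "on_behalf_of"


def build_obo_request(client_id, client_secret, incoming_access_token, downstream_scope):
    """Form body Web API 1 posts to /oauth2/v2.0/token to trade the caller's
    token for one scoped to Web API 2 (same parameters as the answer)."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": downstream_scope,
        "grant_type": OBO_GRANT_TYPE,
        "assertion": incoming_access_token,
        "requested_token_use": OBO_TOKEN_USE,
    })


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Payload-only decode for inspection; the signature is NOT verified here."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_downstream_token(token, required_scope, now=None):
    """True if the exchanged token carries the required scope and is unexpired.
    Raises so Web API 1 can return an error and the client retries with a fresh token."""
    claims = decode_jwt_payload(token)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("downstream token expired; client must retry with a new token")
    if required_scope not in claims.get("scp", "").split():
        raise ValueError(f"token lacks scope {required_scope!r}")
    return True


def make_unsigned_test_token(claims):
    """Constructed test token (header.payload.dummy-signature) for offline runs only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"
```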