Azure AD B2C enables the protection of web APIs through OpenID Connect for identification and OAuth 2.0 for authorization, using JWT access tokens. To secure an API, you register both the API app and the client app, expose the API through scopes, grant the client app delegated permission to those scopes (with admin consent, since Azure AD B2C does not support per-user consent), and enforce scope-based access control in the API. Per-user role-based access control is not available out of the box in Azure AD B2C, because scopes are granted to client apps, not to individual users.

Uploaded by

leonelgomez

Protect web API with Azure AD B2C authorization

Azure AD B2C supports OpenID Connect (OIDC) for identification and OAuth 2.0 for authorization. Once a user is
signed in to your app, the app requests an access token from Azure AD B2C. The access token is a JSON Web
Token (JWT) signed by Azure AD B2C and valid for a limited period of time. It contains the scopes and other
claims required to access the API; scopes are essentially the permissions needed to call it. The client app
sends this token as Bearer authorization (an "Authorization: Bearer <token>" header) when calling your
protected API. The API, configured to be protected with Azure AD B2C, checks the validity and integrity of the
token (signature against the tenant's published signing keys, issuer, audience and expiry) and that it carries
the permissions required for that API, and only then allows the API to be executed.

To get this working, we first need to set up the Azure AD B2C tenant with the app registrations, configure
API permissions for the client app registration, and then configure the client and API app code to consume
this configuration. Sample code for both the client and the API app is provided in this post.

Configure Azure AD B2C

We need two app registrations in Azure AD B2C:

1. The API app
2. The frontend React.js client app

The client app is then configured to be allowed to access the API.

1. Create the API app registration in Azure AD B2C.

2. Expose the API using API scopes.
Using these scopes you can protect your API so that any call to the actual API must carry a valid
token that includes the required scopes. Azure AD B2C issues the token and includes in it the scopes
the client app was granted and requested.

To configure the scopes, first set an Application ID URI for your API app. This URI is only a unique
identifier for your API app within Azure AD B2C (for example https://yourtenant.onmicrosoft.com/api, a
placeholder); it is not related to the actual URI or URL of your API app running somewhere in the cloud
or on your local system. Each scope you expose is identified by this URI followed by the scope name, for
example https://yourtenant.onmicrosoft.com/api/Data.Read, and that full value is what the client app
requests when it asks Azure AD B2C for an access token.

SCOPE BASED ACCESS CONTROL


You can protect your API by authorizing access only with tokens containing one or more specified scopes.
This also lets you protect different APIs (or different endpoints of one API) with different scopes. You
can create different client app registrations and grant each permission to only a subset of your APIs.
This way you implement scope-based access control.
As an example, you may have a user-facing app that is granted access only to an API serving the user's
own data, and an admin app that is additionally granted access to privileged data about users. A token
issued to the user-facing app never carries the admin scope, so the API rejects it at the privileged
endpoints even when the token is otherwise valid.

Role based access control


While you can have different API permissions for different client apps, it is not directly feasible in
Azure AD B2C to do the same for different users. Imagine you have different users in your tenant and you
want some users to access only the read APIs while privileged users can also access the write APIs. This
kind of role-based access control isn't possible out of the box with Azure AD B2C, because scopes are
granted to the client app, not to individual users.

As mentioned earlier, a scope is essentially a permission to access the API. This permission is granted
to the client app. When the client app accesses an API, it does so on behalf of the user.
This is called delegated authorization: effectively, the client app is acting as the user. In other
words, the user delegates permission to the client app to access the API on their behalf.

A tenant admin needs to grant consent for a client app to access the API resources on behalf of
users; Azure AD B2C does not support per-user consent prompts, so admin consent is the only option.
The admin consent display name and admin consent description of each scope are what the admin
sees when granting access tenant-wide on behalf of all users.
ADD API PERMISSIONS FOR CLIENT APP
The permission we add for our client app to access the backend API is called a delegated
permission. The app uses this permission to access backend APIs on behalf of the user,
which means that the user effectively delegates the permission to access the resource to
the app. For delegated permissions like this, we need to grant admin consent before the
app can use the permission; until consent is granted, token requests for that scope fail with
an insufficient-permissions error from Azure AD B2C.

How to protect a web API with Azure AD B2C authorization

- Protecting your APIs from unauthorized access is important. Azure AD B2C helps you validate the
user or app accessing the API and allows access to the API only with an authorized token
obtained from Azure AD B2C.

Steps:
1. Set up a tenant in Azure AD B2C (to manage consumer identities)
2. Create user flows in Azure AD B2C
3. Use Azure AD B2C in the React SPA
