Calling Azure API Management from Azure AD B2C with client credentials
I was doing a PoC on this and thought it was worthwhile to write it up.
Note that B2C currently doesn’t support the client credentials flow but you can use the Azure AD section of your B2C tenant to do this.
I followed the API Management tutorials up to “Mock API responses” with an API called “Test call”.
This included using a product so that the API is protected by a subscription key.
I added an application to my B2C tenant via “App registrations” in the Azure AD section of the B2C tenant. This application has permissions to read and write Microsoft Graph profiles. I also configured a secret key.
In the “Inbound processing” section of the “Design” in API Management, I added a “validate-jwt” section.
This looks like:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <openid-config url="https://login.microsoftonline.com/my-b2c-tenant.onmicrosoft.com/.well-known/openid-configuration" />
    <required-claims>
        <claim name="sub" match="all">
            <!-- placeholder: the "sub" claim of the token issued to your application -->
            <value>SUB-VALUE-FROM-YOUR-TOKEN</value>
        </claim>
    </required-claims>
</validate-jwt>
This uses the B2C tenant's well-known discovery endpoint (so the token signature is checked against that tenant's signing keys) and requires the "sub" claim to have a particular value.
My Postman client looks like:
So I'm using the "client credentials" grant against my B2C tenant.
I get the access token.
This looks like:
Notice the “sub” matches the value in the “validate-jwt” section above.
I then use Postman to send an API call:
The access token from the first call is saved in an environment variable.
Note the “Ocp-Apim-Subscription-Key” header as the API is protected by a product.
And I get back the “sampleField” Mock data as per the tutorial.
Now let’s change the value of “sub” in the “validate-jwt” section.
Run the API again.
"message": "Unauthorized. Access token is missing or invalid."
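To turn the two Postman calls above into a script, here is an added example (not code from the original post): it acquires the token with the client credentials grant, calls the API with both headers, and mirrors the policy's required-claims check locally so the 401 behaviour can be exercised offline against a constructed, unsigned token. The tenant, client id, secret, scope and API URL are assumed inputs you supply.

```python
import base64
import json
import urllib.parse
import urllib.request

# Endpoint shape used by the post: the Azure AD side of the B2C tenant issues the token.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
FAILED_MESSAGE = "Unauthorized. Access token is missing or invalid."

def acquire_token(tenant, client_id, client_secret, scope):
    """Client-credentials grant (network call); returns the access token string."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": scope}).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def call_api(url, access_token, subscription_key):
    """Call the APIM operation with both headers the post uses (network call)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}",
                                               "Ocp-Apim-Subscription-Key": subscription_key})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()

def _b64url(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token):
    """Decode the payload only; APIM's validate-jwt also checks the signature via openid-config."""
    return json.loads(_b64url(token.split(".")[1]))

def validate_required_claims(token, required, match="all"):
    """Mirror <required-claims>: with match="all" every listed value must be in the token's
    claim, with match="any" at least one; a missing claim fails either way."""
    claims = jwt_claims(token)
    for name, wanted in required.items():
        value = claims.get(name)
        present = set(value if isinstance(value, list) else [value]) - {None}
        ok = set(wanted) <= present if match == "all" else bool(set(wanted) & present)
        if not ok:
            return 401, FAILED_MESSAGE
    return 200, "OK"

def unsigned_token(claims):
    """Constructed, unsigned token (alg none) so the claim check can be exercised offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run `acquire_token` and then `call_api` with your own values to reproduce the Postman calls; `validate_required_claims` only reproduces the claim comparison, not the signature check APIM performs.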