Rory Braybrook
Jun 24 · 3 min read

I was doing a PoC on this and thought it was worthwhile to write it up.

Note that B2C itself currently doesn't support the client credentials flow, but you can use the Azure AD section of your B2C tenant (the directory that underlies the B2C tenant) to do this.

I followed the API Management tutorials up to “Mock API responses” with an API called “Test call”.

This included using a product so that the API is protected by a subscription key.

I added an application to my B2C tenant via “App registrations” in the Azure AD section of the B2C tenant. This application has permissions to read and write Microsoft Graph profiles. I also configured a client secret.

In the “Inbound processing” section of the API's “Design” tab in API Management, I added a “validate-jwt” policy.

This looks like:

<inbound>
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
        <openid-config url="https://login.microsoftonline.com/my-b2c-tenant.onmicrosoft.com/.well-known/openid-configuration" />
        <audiences>
            <audience>https://graph.windows.net</audience>
        </audiences>
        <required-claims>
            <claim name="sub" match="all">
                <value>fa3d…14ae</value>
            </claim>
        </required-claims>
    </validate-jwt>
    <base />
</inbound>

This uses the well-known discovery endpoint of the B2C tenant's Azure AD directory (API Management reads the signing keys from there and verifies the token's signature), accepts only tokens issued for the “https://graph.windows.net” audience, and additionally requires the “sub” claim to equal a particular value, so only that one service principal can call the API.

My Postman client looks like:

So I’m using the “client credentials” grant against my B2C tenant.

I get the access token.

This looks like:

Notice the “sub” matches the value in the “validate-jwt” section above.

I then use Postman to send an API call:

The access token from the first call is saved in an environment variable.

Note the “Ocp-Apim-Subscription-Key” header as the API is protected by a product.

And I get back the “sampleField” Mock data as per the tutorial.

Now let’s change the value of “sub” in the “validate-jwt” section.

Run the API again.

{
    "statusCode": 401,
    "message": "Unauthorized. Access token is missing or invalid."
}

As expected!

All good!
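The request Postman sends and the checks the policy applies, as an added Python example that is not part of the original post. The tenant name, audience and error message are the ones the policy above uses; CLIENT_ID, the secret, REQUIRED_SUB and the sample token are constructed placeholders (the post's real “sub” is elided as fa3d…14ae). The example models the claim checks only; signature verification against the keys published at the openid-configuration URL is done by API Management and is not reproduced here, so the unsigned sample token would be rejected by the real policy.

```python
"""
Added example (not from the original post): the Azure AD v1 client-credentials
request that Postman sends, and a local model of the claim checks the
validate-jwt policy applies. Placeholder values are marked as constructed.
"""
import base64
import json
import time

TENANT = "my-b2c-tenant.onmicrosoft.com"   # tenant from the post's openid-config URL
RESOURCE = "https://graph.windows.net"     # the audience the policy accepts
REQUIRED_SUB = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
DENY_MESSAGE = "Unauthorized. Access token is missing or invalid."


def build_token_request(tenant, client_id, client_secret, resource=RESOURCE):
    """Return (url, form) for the v1 client-credentials grant.
    The v1 token endpoint takes 'resource' (not 'scope'); the token it issues
    carries that resource as its 'aud' claim."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }
    return url, form


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token):
    """Split a compact JWT into (header, payload) WITHOUT checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_claims(payload, audiences, required_sub, now=None, clock_skew=0):
    """Mirror the claim checks of the policy: 'aud' must be one of <audiences>,
    'sub' must equal the pinned value, and 'now' must be inside the nbf/exp window.
    Returns (True, 'ok') or (False, reason)."""
    now = time.time() if now is None else now
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if not any(a in audiences for a in aud_list):
        return False, "audience not accepted"
    if payload.get("sub") != required_sub:
        return False, "required claim sub does not match"
    if "exp" in payload and now > payload["exp"] + clock_skew:
        return False, "token expired"
    if "nbf" in payload and now < payload["nbf"] - clock_skew:
        return False, "token not yet valid"
    return True, "ok"


def make_unsigned_sample_token(sub, aud=RESOURCE, now=None, lifetime=3600):
    """Constructed, UNSIGNED token for offline testing only (alg 'none').
    Real Azure AD tokens are RS256-signed; this one would fail signature validation."""
    now = int(time.time() if now is None else now)
    header = {"typ": "JWT", "alg": "none"}
    payload = {"aud": aud, "sub": sub, "oid": sub, "nbf": now, "exp": now + lifetime}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()), ""])


def evaluate(token, required_sub=REQUIRED_SUB, now=None):
    """Return the (status, message) the policy would answer for this token."""
    _, payload = decode_jwt_unverified(token)
    ok, _reason = check_claims(payload, [RESOURCE], required_sub, now)
    return (200, "ok") if ok else (401, DENY_MESSAGE)


if __name__ == "__main__":
    url, form = build_token_request(TENANT, "constructed-client-id", "constructed-secret")
    print("POST", url, form["grant_type"], form["resource"])
    token = make_unsigned_sample_token(REQUIRED_SUB)
    print("matching sub:", evaluate(token))                      # (200, 'ok')
    print("changed sub: ", evaluate(token, required_sub="other"))  # (401, DENY_MESSAGE)
```

For an app-only (client credentials) token from Azure AD, “sub” equals “oid”, the object id of the application's service principal in the tenant, which is why pinning “sub” in the policy limits the API to one application; changing the pinned value, as the post does, turns every call from that application into the 401 shown above.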

The new control plane

“Identity is the new control plane”. Articles around Microsoft Identity, Auth0 and identityserver. Click the “Archive” link at the bottom for more posts.

Rory Braybrook

Written by

NZ Microsoft Identity dude. Microsoft MVP. Azure AD/B2C/ADFS. Plus Auth0/identityserver. N. Shore .NET UG Admin. Presentations: http://bit.ly/334ZPt5
