
Web API chains (On-Behalf-Of) in Azure AD B2C

According to this documentation, the on-behalf-of flow is not supported in B2C:

Web API chains (On-Behalf-Of) is not supported by Azure AD B2C.

Many architectures include a web API that needs to call another downstream web API, both secured by Azure AD B2C. This scenario is common in native clients that have a web API back end, which in turn calls a Microsoft online service such as the Azure AD Graph API.

This chained web API scenario can be supported by using the OAuth 2.0 JWT Bearer Credential grant, otherwise known as the On-Behalf-Of flow. However, the On-Behalf-Of flow is not currently implemented in Azure AD B2C.


Can't I just pull out the JWT from the first Web API request and pass it along to the next Web API? I know technically, I can, but is there a reason I wouldn't want to?

This approach would only work if both Web APIs are configured for the same B2C App. Maybe that is the difference. Is the documentation referring to 2 separate B2C apps maybe?


Reference: Access the JWT bearer token when using the JWT middleware in ASP.NET Core

The OAuth 2.0 On-Behalf-Of flow is related to a first resource, "https://resourceserver1", receiving an access token from a client; then exchanging this access token for another access token for access by the delegated identity to a second resource, "https://resourceserver2", without any user interaction; and then sending that access token to the second resource.

This Azure AD documentation explains the On-Behalf-Of flow.

Given this, two different applications are necessary for two different resources, which in turn can require two different scopes.

You can vote for this feature at B2C Support for on-behalf-of flow.
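To make the distinction concrete, here is an added example (not from the question, the answer, or Microsoft's libraries) of the audience check each web API's JWT middleware performs, and of the JWT bearer request body the On-Behalf-Of flow uses against an Azure AD token endpoint to obtain a token whose audience is the second resource. The HS256 key, client id, secret and scope are constructed placeholders, and the token endpoint itself is never called.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Constructed, throwaway signing key shared by the sample tokens below (not a real B2C key).
SAMPLE_KEY = b"constructed-demo-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes = SAMPLE_KEY) -> str:
    """Mint a sample HS256 JWT so the audience check can run offline."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_for_audience(token: str, expected_aud: str, key: bytes = SAMPLE_KEY) -> bool:
    """What a web API's JWT middleware does: verify the signature, then require aud == this API."""
    header, payload, sig = token.split(".")
    expected_sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig)):
        return False
    return json.loads(b64url_decode(payload)).get("aud") == expected_aud

def obo_request_body(client_id: str, client_secret: str, incoming_token: str, scope: str) -> str:
    """Form body of the JWT bearer (On-Behalf-Of) exchange the first API sends to an
    Azure AD token endpoint to get a token whose aud is the second resource."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_token,
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    })

if __name__ == "__main__":
    api1_token = make_token({"aud": "https://resourceserver1", "sub": "user-1"})
    # Forwarding API 1's token to API 2 only works when both APIs accept the same audience.
    print(validate_for_audience(api1_token, "https://resourceserver2"))  # False
    print(validate_for_audience(api1_token, "https://resourceserver1"))  # True
    print(obo_request_body("api1-client-id", "api1-secret", api1_token, "https://resourceserver2/.default"))
```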
