
I am using an Azure ADB2C tenant to sign-up/in users with custom policies and rest api claims exchanges. This works fine.

Now I would like to start a service (daemon) that runs in a cloud environment for each user that signs up with my service. This background service will access resources on other servers. Accessing these resources requires a token, and the service should only have access to the resources that the user has (i.e. the access token used by the background service should also include the custom REST API claims). For the common users, this is taken care of by my REST API claims server, which enriches the token in such a way that it gives users access only to the allowed resources.

I have found this page describing how to get access without a user. But this page assumes that the background service is a single instance that has access to all users' data that it needs. My background service is a 1-to-1 mapping to the signed up user.

Ideally this is how I see it working:

  1. A new user signs up.
  2. My REST API claims exchange gets called for this user.
  3. Call Azure ADB2C to create a token for the background service. (Token should also contain my custom claims)
  4. Start a new instance of the background service using the token created at step 3.
  5. Return the custom claims for the new user.

This will happen for every new user, so every user in my system will have a corresponding background service running in the cloud.

Is this possible with Azure ADB2C? If yes, how?

Copil tembel

1 Answer


The link you provided to get access without a user is only suitable for calling ms graph api and not for calling a custom api.

If you are calling ms graph api, then you can indeed use the daemon-based client credential flow to obtain an access token (that is, without user involvement). This flow is usually used in Azure AD, but if it is used to call ms graph api, then it is also applicable to Azure AD B2C.

But if you are calling a custom api, then you must use a user login flow. Azure AD B2C obtains tokens in a different way from Azure AD. To use Azure AD B2C, you must first create a policy to enable users to sign up and sign in to your application.

Carl Zhao
  • Yes, I did create a policy to enable users to sign up and sign in to my application, and this is working fine. If I could use the same flow to sign-in background services, the token generated would contain the necessary data for me to call my custom application. – Copil tembel Apr 26 '21 at 06:14
  • @Copiltembel Do you mean to bypass user login? – Carl Zhao Apr 26 '21 at 06:25
  • @Copiltembel see: https://learn.microsoft.com/en-us/azure/active-directory-b2c/application-types#current-limitations – Carl Zhao Apr 26 '21 at 06:28
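To make the distinction in the answer concrete for the daemon described in the question, here is an added Python example (not from the question, the answer, or Microsoft). It builds the app-only client credentials request a background service would send for Microsoft Graph, and then inspects a token's claims to show why such a token cannot stand in for a per-user token on a custom API: the per-user custom claims are simply not there. The tenant name, client id, secret, and the `extension_AllowedResources` claim name are placeholders I chose for illustration; the token endpoint shape (`login.microsoftonline.com/{tenant}.onmicrosoft.com/oauth2/v2.0/token` with the Graph `.default` scope) is what the Graph app-only documentation for B2C uses and is stated here as an assumption. The sample tokens are constructed and unsigned.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholder values (constructed, not real identifiers).
TENANT = "contoso"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Assumed name of a B2C custom attribute claim the custom API relies on.
REQUIRED_USER_CLAIMS = ("extension_AllowedResources",)


def token_endpoint(tenant: str) -> str:
    """Assumed token endpoint for the app-only grant of a B2C tenant (Azure AD side)."""
    return f"https://login.microsoftonline.com/{tenant}.onmicrosoft.com/oauth2/v2.0/token"


def build_client_credentials_request(tenant, client_id, client_secret, scope=GRAPH_SCOPE):
    """Return (url, form) for an RFC 6749 client_credentials grant. No user is involved."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    return token_endpoint(tenant), form


def fetch_token(url, form, opener=urllib.request.urlopen):
    """POST the form and return the access_token. This is the only network call;
    the daemon would run it at startup with its own credentials."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with opener(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def jwt_claims_unverified(token: str) -> dict:
    """Decode only the payload. The signature is NOT checked here; a relying
    party must validate it against the issuer's JWKS before trusting a claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(token: str, required=REQUIRED_USER_CLAIMS) -> list:
    """Which per-user claims does this token lack? An empty list means the
    token carries everything the custom API expects."""
    claims = jwt_claims_unverified(token)
    return [name for name in required if name not in claims]


def _fake_jwt(payload: dict) -> str:
    """Constructed, unsigned sample token (alg=none, empty signature) for illustration."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# What an app-only (client credentials) token looks like: app roles, no user context.
APP_ONLY_TOKEN = _fake_jwt({
    "aud": "https://graph.microsoft.com",
    "sub": "00000000-0000-0000-0000-000000000000",  # placeholder app object id
    "roles": ["User.Read.All"],
})

# What a token from the user sign-in policy looks like: user subject plus the
# custom claim returned by the REST API claims exchange.
USER_TOKEN = _fake_jwt({
    "aud": "api://my-custom-api",  # placeholder custom API identifier
    "sub": "11111111-1111-1111-1111-111111111111",  # placeholder user object id
    "extension_AllowedResources": ["resource-a", "resource-b"],
})


if __name__ == "__main__":
    url, form = build_client_credentials_request(TENANT, "placeholder-client-id", "placeholder-secret")
    print("app-only request ->", url, form["scope"])
    print("app-only token lacks:", missing_claims(APP_ONLY_TOKEN))
    print("user token lacks:", missing_claims(USER_TOKEN))
```

The app-only token satisfies Graph calls but `missing_claims` reports the custom claim absent, which is the answer's point: a daemon that must act with one user's entitlements on a custom API needs a token minted through the user sign-in policy, not the client credentials grant.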