We want to make our APIs available to external systems.

Our APIs are protected by "Access tokens" using OAUTH2 and Azure AD B2C as an Identity Provider.

Unfortunately, B2C does not support the "Client Credential Flow", so external systems cannot get tokens from B2C by passing their client id and their secret.

We are thinking of fronting the APIs with Azure API Management, and providing the external systems with Subscription Keys. Then once we verify the subscription key in API Management, we want to acquire an Access Token to call our back-end.

Is this possible? It seems like not because of the Client Credentials flow missing. However, I've seen videos from APIM experts claiming that it is possible. Am I missing something? Does APIM have special treatment?

Alboz
  • You can refer to [How to integrate Azure Active Directory B2C into Azure API Management Developer Portal](https://techcommunity.microsoft.com/t5/azure-paas-blog/how-to-integrate-azure-active-directory-b2c-into-azure-api/ba-p/2424805), [Secure an Azure API Management API with Azure AD B2C](https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-api-management?tabs=app-reg-ga) and [Azure API Management in consumption tier and Azure AD B2C](https://learn.microsoft.com/en-us/answers/questions/49286/azure-api-management-in-consumtion-tier-and-azure.html) – Ecstasy Dec 14 '21 at 04:48
  • @DeepDave-MT those links are about protecting the "Development Portal". I want APIM to acquire Access tokens in B2C on its behalf (Client Credentials Flow in OAUTH2). – Alboz Dec 15 '21 at 10:03
  • You can refer to [Protect SPA backend with OAuth 2.0, Azure Active Directory B2C and Azure API Management](https://learn.microsoft.com/en-us/azure/api-management/howto-protect-backend-frontend-azure-ad-b2c) and [Client Credentials Grant Flow with Azure AD B2C](https://www.hossambarakat.net/2020/08/14/azure-b2c-client-credentials/) – Ecstasy Dec 15 '21 at 10:33

0 Answers