Our current system contains two web applications with OAuth2 centralized user management. Application A is an OAuth client and application B is the OAuth provider. Application A is for internal users, and application B is for external users as well as internal users. To integrate with CIAM for external user onboarding, our system needs to call the user invitation API. That can only be done by application A due to some restriction. Is that doable, as an external user will only have access to application B? To invoke CIAM APIs, the client needs to be registered with an Azure application ID. That won't be a problem if the same Azure app ID can be shared between the two applications, or if the invitation could be for another application with a different Azure app ID.
-
Do you mean you are using the user invite API in Microsoft Graph API? For that the application does not matter as a user is invited to the tenant, not an app. – juunas Mar 31 '22 at 16:49
-
That needs to invoke CIAM APIs. To do so, we need to call Azure AD APIs first to obtain an authorization code and then a bearer token with the authorization code. I do see that tenant is one of the required parameters of the Azure AD authorization API. I don't know whether CIAM APIs are a part of MS Graph APIs or not. – vic Mar 31 '22 at 22:09
-
Do you mean Azure AD B2C when you say CIAM? – juunas Apr 01 '22 at 06:41
-
Inside our company, the CIAM term is used. And we are told that B2C is an old one and we use CIAM right now. I guess CIAM is a part of B2C. The MS online documentation uses the term, but less frequently. – vic Apr 01 '22 at 17:51
1 Answer
• As you have said CIAM here, and thus considering Azure AD B2C as the IdP and authorization provider: the application B that you have stated here will act as an OAuth provider for application A, resulting in application A being a client and application B being a provider. Thus, as a matter of fact, you cannot share tokens between the apps for inviting a user from one app to another app. Also, sharing the same application ID between two different applications registered in different tenants is not possible.
• But you can acquire a token interactively on the second application, i.e., application B, and once the silent call fails, the interactive flow will rely on the Azure AD B2C session cookies to give the user single sign-on. You can achieve the above by configuring the Azure AD B2C session behaviour with regard to single sign-on on an application. This setting allows you to maintain a user session exclusively for an application, independent of other applications. For example, you can use this setting if you want the user to sign into application B regardless of whether the user is already signed into application A.
Thus, in this way, you can share a sign-in between two applications. For more information and details regarding this, kindly refer to the documentation below:
ADB2C How to share user token between two different applications?
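The "silent first, interactive on failure" pattern the answer describes, as an added example that is not part of the original post. It is written against an MSAL.js-style client (acquireTokenSilent / acquireTokenPopup, InteractionRequiredAuthError); real code would use @azure/msal-browser, and here a constructed in-memory client with an assumed `ssoScope` setting stands in for the B2C session behaviour so it runs offline.

```javascript
// Mirrors the error class MSAL.js throws when a silent request needs user interaction.
class InteractionRequiredAuthError extends Error {
  constructor(msg) { super(msg); this.name = "InteractionRequiredAuthError"; }
}

// Try the silent path (cached token / hidden iframe) first; fall back to the
// interactive flow only for interaction-required errors so that network or
// configuration failures still surface instead of being masked by a prompt.
async function acquireTokenWithFallback(client, request) {
  try {
    const result = await client.acquireTokenSilent(request);
    return { ...result, interactive: false };
  } catch (err) {
    if (!(err instanceof InteractionRequiredAuthError)) throw err;
    // The interactive request goes to the B2C authorize endpoint. If the browser
    // already holds a B2C session from app A and the user flow's session
    // behaviour is tenant-wide, the user gets SSO and is not re-prompted.
    const result = await client.acquireTokenPopup(request);
    return { ...result, interactive: true };
  }
}

// Constructed stand-in for the MSAL client (assumption, not the library itself).
// hasCachedToken: app B already holds a token for this account.
// sessionFromAppA: the browser carries a B2C session cookie set by app A.
// ssoScope: B2C session behaviour, "Tenant" (shared) or "Application" (isolated).
function makeFakeClient({ hasCachedToken, sessionFromAppA, ssoScope }) {
  return {
    async acquireTokenSilent(req) {
      if (!hasCachedToken) {
        throw new InteractionRequiredAuthError("no token cached for " + req.scopes.join(" "));
      }
      return { accessToken: "constructed-cached-token", promptedUser: false };
    },
    async acquireTokenPopup() {
      const sso = sessionFromAppA && ssoScope === "Tenant";
      return { accessToken: "constructed-fresh-token", promptedUser: !sso };
    },
  };
}

// Scenario from the question: user signed into app A, now opens app B.
async function signInToAppB(ssoScope) {
  const client = makeFakeClient({ hasCachedToken: false, sessionFromAppA: true, ssoScope });
  return acquireTokenWithFallback(client, { scopes: ["https://example.invalid/api/read"] });
}
```

With tenant-wide session behaviour the fallback is interactive but prompts nobody; with application-scoped session behaviour the same user is asked to sign in again, which is the isolation the answer describes.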
-
Thanks very much for your input. The sad part is that my re-architecture isn't workable due to the Azure B2C requirement. – vic Apr 06 '22 at 02:11