I have an API in Azure that 3rd parties should integrate with. Each client app (app registration) represents a company and should only access that company's data, the same way a user would only access its company's data. My problem is that there's no user present when getting the access token through client credentials.
My initial idea was to look at the "oid", "sub" or "azp" claim and map that to a "service account" kind of user with access to a specific company. But when I need to access downstream APIs, those claims are lost.
I tried using the on-behalf-of flow, using the GetForAppAsync method in the Microsoft.Identity.Abstractions namespace, hoping that something would pass through pointing to the original caller but I've not found anything yet.
I'm thinking that I might approach this the wrong way, since no information I've found so far points to this being a common solution.
This comment on a feature request seems to be exactly what I need, but the feature request is closed and there's another comment saying it's not available to 3rd parties. https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/2130#issuecomment-719094803
This issue is also the same but was solved by creating a dummy user and getting a token with ROPC, which is not recommended by Microsoft. https://github.com/MicrosoftDocs/azure-docs/issues/53334
Does anyone have any input on similar issues? How would you solve identifying a client application so that you can restrict data access?
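The claim-mapping idea from the question (identify the calling app registration from the app-only token and map it to one company), as an added example that is not part of the original post. It assumes the hosting framework has already validated the token's signature, issuer, audience and expiry, so only the claims are inspected; the app-to-company table and the application IDs are constructed placeholders. It also shows why the mapping breaks one hop further: a token the API acquires for a downstream API carries the API's own application ID, not the original client's, so the downstream service cannot recover the company from the claims alone.

```python
import base64
import json
from typing import Optional

# Constructed sample of the mapping that would live in a database:
# application (client) ID of a client app registration -> company identifier.
# Both sides are placeholder values, not real tenant data.
APP_TO_COMPANY = {
    "11111111-1111-1111-1111-111111111111": "contoso",
    "22222222-2222-2222-2222-222222222222": "fabrikam",
}

# Placeholder application ID of *this* API's own app registration; tokens it
# acquires for downstream APIs with client credentials carry this ID.
THIS_API_APP_ID = "99999999-9999-9999-9999-999999999999"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWS with an empty signature, purely to construct sample
    input for this example. Real tokens come from Azure AD and are signed."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_payload(token: str) -> dict:
    """Return the payload claims. Signature, issuer, audience and expiry are
    assumed to have been validated by the framework before this is called."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def calling_app_id(claims: dict) -> Optional[str]:
    """Azure AD v2.0 access tokens carry the client application ID in 'azp';
    v1.0 tokens carry it in 'appid'. 'oid' and 'sub' identify the service
    principal object, which differs per tenant, so the app ID is used here."""
    return claims.get("azp") or claims.get("appid")


def is_app_only(claims: dict) -> bool:
    """A client-credentials token has no user: it carries app 'roles' and no
    'scp' (delegated scopes) claim."""
    return "scp" not in claims


def company_for_token(token: str) -> Optional[str]:
    """Map an app-only token to the single company its app registration owns.
    Returns None for delegated tokens and for apps not in the mapping."""
    claims = decode_payload(token)
    if not is_app_only(claims):
        return None
    app_id = calling_app_id(claims)
    return APP_TO_COMPANY.get(app_id) if app_id else None


def authorize(token: str, requested_company: str) -> bool:
    """Allow a request only when the calling app is mapped to exactly the
    company whose data is being requested."""
    company = company_for_token(token)
    return company is not None and company == requested_company


if __name__ == "__main__":
    v2 = make_unsigned_token({"azp": "11111111-1111-1111-1111-111111111111",
                              "roles": ["Data.Read"]})
    print(company_for_token(v2), authorize(v2, "contoso"), authorize(v2, "fabrikam"))
    # Token this API would present downstream: the original client is gone.
    hop = make_unsigned_token({"azp": THIS_API_APP_ID, "roles": ["Data.Read"]})
    print(company_for_token(hop))
```

The `company_for_token` result for the downstream-hop token is `None`, which is the situation the question describes: once the API exchanges its own credentials for a downstream token, the downstream service only sees the API's application ID, so any per-company restriction there has to be enforced by the API itself before calling onward, or carried in some channel other than the token's standard claims.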