Customizing API Integration with Azure AD B2C
Azure Active Directory B2C is an identity offering from Microsoft that provides a complex, customizable modern authentication solution for secure access to customer and partner-facing applications.
One of Azure AD B2C’s great features is the ability to integrate with any back-end Application Programming Interface (API) and add token attributes based on the authenticated user. This opens up many possibilities whenever you need identity information that lives outside the B2C identity store itself.
When you integrate an API with Azure AD B2C, certain requirements need to be met. Some of these are:
- The REST API service must be published to a publicly accessible HTTPS endpoint
- Azure AD B2C sends the input claims to the back-end API as a JSON object (one JSON attribute per claim), either in a POST body or form, in HTTP headers, or as query-string parameters on a GET
- Any error must be returned as an HTTP 409 response with an appropriate explanation of the error
- The claims returned must be in a flat JSON body (no nested objects)
- Claims returned as null have to be handled in a specific way
- In production, API calls should be secured with certificate authentication, a header-based userid/password, an OAuth2 Bearer token, or an API key
- If the RESTful service responds slowly or not at all, Azure AD B2C times out after 30 seconds and retries twice (three attempts in total)
Integrating an API with Azure AD B2C to Return Identity Claims
You find out that the API does not accept the input claims as formatted by B2C. The API also supports none of the authentication methods listed above, and the errors it returns are not customizable. What do you do?
There are a few solutions for this. One is to create your own API that sits in front of the back-end API and does the translation for you. An easier solution is to use either an Azure Function App or the Azure API Management Service.
The Azure API Management Service is the easiest to implement because there is no custom API coding involved. Within the API Management Service, one can manipulate the requests to back-end APIs using simple XML configurations to provide the necessary Azure AD B2C integrations. Header and body contents can be manipulated on the fly before being sent to the back-end API and before returning the response to B2C. If there is a need for an Access Token, those can be cached to prevent multiple calls, speeding up the response.
API Key, Certificate Authentication, and Function Apps
API Key or certificate authentication is also easy to set up. For certificate authentication, one just needs to upload the certificate and the handshake can be set up with one line of configuration. Errors that are sent back can be intercepted and converted to the correct B2C format as part of the return configuration.
Another option is to use a Function App to secure the API request with an API key. Alternatively, with a few lines of code one can implement certificate or userid/password security. The Function App consumes the information sent by B2C, and one needs to write code to translate that JSON into whatever the back-end API expects. Any error messages sent back from the API also need to be translated in code.
In more complex integrations, a good combination is to use both: the easily configurable API Management policies and caching in front, pointed at a Function App for the more complicated translations that require specific code.
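The translation layer such a Function App has to provide, as an added example that is not code from the original post: it checks an API key, maps the claims B2C sends into the shape a back end expects, flattens the back end's nested reply into the flat claim object B2C requires (dropping null claims), and converts back-end failures into the 409 response B2C expects. The header name, the back-end payload shapes and the stand-in back end are constructed for the example; the 409 body uses the version/status/userMessage/developerMessage fields of the B2C REST technical profile error format and should be checked against the documentation for the policy version in use.

```python
import json

# Assumed header carrying the API key B2C is configured to send (constructed name).
API_KEY_HEADER = "x-api-key"


def flatten(obj, prefix="", out=None):
    """Turn nested JSON into the flat object B2C requires.
    Nested keys are joined with '_', lists become comma-separated strings,
    and null-valued claims are dropped rather than sent as JSON null."""
    if out is None:
        out = {}
    for key, value in obj.items():
        name = f"{prefix}_{key}" if prefix else key
        if isinstance(value, dict):
            flatten(value, name, out)
        elif isinstance(value, list):
            out[name] = ",".join(str(v) for v in value)
        elif value is not None:
            out[name] = value
    return out


def to_backend_request(b2c_claims):
    """Map the input claims B2C sent into the (constructed) shape the back end wants."""
    return {"customer": {"id": b2c_claims["objectId"], "mail": b2c_claims.get("email")}}


def to_b2c_response(backend_status, backend_body):
    """Return (status, body) for B2C: flat claims on success, a 409 error object otherwise."""
    if 200 <= backend_status < 300:
        return 200, flatten(backend_body)
    # userMessage is what B2C shows the user; developerMessage only belongs in logs.
    return 409, {
        "version": "1.0.0",
        "status": 409,
        "userMessage": "We could not look up your account. Please try again later.",
        "developerMessage": backend_body.get("error", f"back end returned HTTP {backend_status}"),
    }


def handle(headers, raw_body, expected_key, call_backend):
    """Function-App-style entry point: key check, translate in, call back end, translate out."""
    if headers.get(API_KEY_HEADER) != expected_key:
        return 401, {"version": "1.0.0", "status": 401, "userMessage": "Unauthorized"}
    backend_status, backend_body = call_backend(to_backend_request(json.loads(raw_body)))
    return to_b2c_response(backend_status, backend_body)


def fake_backend(req):
    """Constructed stand-in for the back-end API; answers with nested JSON or an error."""
    if req["customer"]["id"] == "missing":
        return 404, {"error": "customer not found"}
    return 200, {"customer": {"tier": "gold", "loyaltyId": None,
                              "address": {"city": "Austin"}}, "tags": ["vip", "beta"]}
```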
So the next time you need to integrate your APIs with Azure AD B2C, and it doesn’t fit the B2C requirements, don’t give up! There are multiple paths to integration, even for complex scenarios.