
Securing a Rest-API integrated in Custom policy in Azure AD b2c issue


I have a REST API which is being called by Azure AD B2C (through a technical profile in a custom policy). I need to secure the API. But as it is being called by Azure BEFORE authentication (basically it only needs to check if the email already exists in the database or not in the sign-in flow), it doesn't have the Authorize attribute. I have the ClientCertificate AuthenticationType configured in the custom policy for this REST API in the metadata of the technical profile, following this document https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api

So basically my metadata looks like this:


<Metadata>
  <Item Key="ServiceUrl">https://your-account.azurewebsites.net/api/GetProfile?code=your-code</Item>
  <Item Key="SendClaimsIn">Body</Item>
  <Item Key="AuthenticationType">ClientCertificate</Item>
  <Item Key="AllowInsecureAuthInProduction">false</Item>
</Metadata>
<CryptographicKeys>
  <Key Id="ClientCertificate" StorageReferenceId="B2C_1A_RestApiClientCertificate" />
</CryptographicKeys>

But when I call the rest api from the browser, it is still accessible. I am not sure if I missed something, but isn't this process supposed to secure your api so only Azure can call it?


Solution

  • The REST API needs to mutually authenticate using the client certificate. The client certificate configured in the custom policy also needs to be validated on the REST API side.

    You can secure back-end services using client certificate authentication in Azure API Management, or you can configure client certificate authentication in the code.
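To make the answer concrete: the policy metadata above only tells Azure AD B2C to present the certificate stored as B2C_1A_RestApiClientCertificate; the API stays open to a browser until it checks what was presented. The following is an added example, not code from the question or the linked Microsoft document, and the question does not say which language the API is written in, so Python is used purely as an illustration. It assumes the API runs behind Azure App Service or Azure Functions, which terminates TLS and forwards the client certificate as base64-encoded DER in the X-ARR-ClientCert header, and it pins the SHA-1 thumbprint of the expected certificate. The sample certificate bytes are constructed and are not a real X.509 certificate; a real deployment would replace ALLOWED_THUMBPRINTS with the thumbprint of the policy certificate and, with an X.509 parser, additionally check the subject, issuer and validity period.

```python
import base64
import binascii
import hashlib
import hmac

# Header in which Azure App Service / Functions forwards the caller's TLS client
# certificate (base64 DER) to the application. Name taken from the Azure docs.
CERT_HEADER = "X-ARR-ClientCert"

# SHA-1 thumbprints (hex, no separators) of certificates allowed to call the API.
# Placeholder: fill in the thumbprint of B2C_1A_RestApiClientCertificate.
ALLOWED_THUMBPRINTS = frozenset()


def thumbprint(der: bytes) -> str:
    """SHA-1 hex thumbprint of a DER certificate, upper-case as shown in the portal."""
    return hashlib.sha1(der).hexdigest().upper()


def decode_forwarded_cert(header_value: str) -> bytes:
    """Turn the forwarded header value into DER bytes; raise ValueError if malformed."""
    value = header_value.strip()
    # Tolerate a PEM-wrapped value as well as raw base64.
    value = value.replace("-----BEGIN CERTIFICATE-----", "")
    value = value.replace("-----END CERTIFICATE-----", "")
    value = "".join(value.split())
    try:
        der = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("client certificate header is not valid base64") from exc
    if not der:
        raise ValueError("client certificate header is empty")
    return der


def _get_header(headers, name):
    """Case-insensitive header lookup over a plain dict of request headers."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def validate_client_certificate(headers, allowed=ALLOWED_THUMBPRINTS):
    """Return (ok, reason). Reject when no certificate is presented, the header is
    malformed, or the thumbprint is not on the allow list."""
    raw = _get_header(headers, CERT_HEADER)
    if raw is None:
        return False, "no client certificate presented"
    try:
        der = decode_forwarded_cert(raw)
    except ValueError as exc:
        return False, str(exc)
    presented = thumbprint(der)
    # Compare against every allowed thumbprint in constant time; do not short-circuit.
    matched = False
    for allowed_tp in allowed:
        if hmac.compare_digest(presented, allowed_tp.upper()):
            matched = True
    if not matched:
        return False, f"certificate thumbprint {presented} is not allowed"
    return True, "ok"


# Constructed sample inputs (not real certificates) so the check can be exercised offline.
SAMPLE_DER = b"constructed-sample-certificate-bytes-not-a-real-x509"
OTHER_DER = b"constructed-bytes-for-a-different-certificate"
SAMPLE_THUMBPRINT = thumbprint(SAMPLE_DER)


def demo():
    """Run the check over three constructed requests; returns a dict of (ok, reason)."""
    allowed = frozenset({SAMPLE_THUMBPRINT})
    b2c_request = {"x-arr-clientcert": base64.b64encode(SAMPLE_DER).decode()}
    browser_request = {"User-Agent": "Mozilla/5.0"}  # no certificate at all
    wrong_cert_request = {CERT_HEADER: base64.b64encode(OTHER_DER).decode()}
    garbage_request = {CERT_HEADER: "%%not-base64%%"}
    return {
        "b2c_with_policy_cert": validate_client_certificate(b2c_request, allowed),
        "browser_without_cert": validate_client_certificate(browser_request, allowed),
        "wrong_cert": validate_client_certificate(wrong_cert_request, allowed),
        "malformed_header": validate_client_certificate(garbage_request, allowed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Call validate_client_certificate at the very start of the request handler, before the email lookup, and return 403 when it fails; with no Authorize attribute this check is the only thing standing between the database lookup and anonymous callers. The header is only trustworthy when it is set by the TLS-terminating front end (App Service with client certificate mode set to require), so the application should not be reachable by any path that bypasses that front end, otherwise a caller could supply the header itself.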