We have a SPA (Angular) deployed which authenticates against an Azure AD B2C and retrieves tokens that are then used to call some REST APIs.
Now I've been asked to call some other APIs (not under our control) protected by another Azure AD B2C (again, not under our control). I don't think that there is any way to "federate" the two AD B2Cs.
Moreover, I don't know if there is a way to obtain access tokens from an AD B2C using some hidden credentials (say, a technical user/password defined on the second AD B2C), which I wouldn't use in the SPA for obvious reasons, but then I could use my authenticated APIs as a proxy to obtain the token from the second B2C and then call the external APIs with the obtained token.
Am I missing something, or have I been asked for something not feasible with Azure AD B2C?
The only solution I've found would be having the supplier of the second Azure AD B2C declare a new app registration in their B2C and:
Then we would invoke our authenticated APIs (protected with the token obtained from our B2C via an interactive OAuth flow) and the APIs would act as a proxy by calling their APIs after we obtained the token via the client secret.
All this could be done with different API containers with an API gateway in front of them for a cleaner architecture so that our core APIs are separated from the proxy APIs.
Does anyone know a better solution?
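The proxy arrangement described in the question, as an added illustration that is not part of the original post: our own API (already behind our B2C token check) holds the supplier's client secret, obtains a client-credentials token from the supplier's B2C, caches it until shortly before expiry, and attaches it when forwarding calls. The tenant name, policy name, scope and the `fake_token_endpoint` stand-in are assumptions constructed for an offline run, not values from the question or from the supplier.

```python
import time
from typing import Callable

# Assumed placeholders (not from the question): the supplier's B2C tenant, the
# policy they expose for client credentials, and their API's App ID URI. B2C's
# client credentials flow uses a policy's v2.0 token endpoint and a ".default" scope.
SUPPLIER_TENANT = "suppliertenant"
SUPPLIER_POLICY = "B2C_1A_CLIENT_CREDENTIALS"
SUPPLIER_SCOPE = f"https://{SUPPLIER_TENANT}.onmicrosoft.com/external-api/.default"
TOKEN_URL = (f"https://{SUPPLIER_TENANT}.b2clogin.com/{SUPPLIER_TENANT}.onmicrosoft.com/"
             f"{SUPPLIER_POLICY}/oauth2/v2.0/token")

class SupplierTokenProxy:
    """Runs inside our own API (behind our B2C token check): keeps the supplier
    client secret server-side, caches the token, and forwards calls with it."""

    def __init__(self, client_id: str, client_secret: str, post: Callable,
                 now: Callable = time.time, skew: int = 60):
        self._client_id, self._client_secret = client_id, client_secret
        self._post, self._now, self._skew = post, now, skew
        self._token, self._expires_at = None, 0.0

    def get_token(self) -> str:
        # Reuse the cached token unless it is within `skew` seconds of expiring.
        if self._token and self._now() < self._expires_at - self._skew:
            return self._token
        status, payload = self._post(TOKEN_URL, {
            "grant_type": "client_credentials",
            "client_id": self._client_id,
            "client_secret": self._client_secret,
            "scope": SUPPLIER_SCOPE,
        })
        if status != 200 or "access_token" not in payload:
            raise PermissionError(f"supplier token request failed: {status} {payload.get('error')}")
        self._token = payload["access_token"]
        self._expires_at = self._now() + int(payload.get("expires_in", 0))
        return self._token

    def forward(self, send: Callable, method: str, url: str):
        # The SPA never sees this header; only the proxy talks to the supplier.
        return send(method, url, {"Authorization": f"Bearer {self.get_token()}"})

def fake_token_endpoint(url: str, form: dict):
    """Constructed offline stand-in for the supplier's token endpoint."""
    fake_token_endpoint.calls += 1
    if url != TOKEN_URL or form["client_secret"] != "demo-secret":
        return 401, {"error": "invalid_client"}
    return 200, {"access_token": f"tok{fake_token_endpoint.calls}", "expires_in": 3600}
fake_token_endpoint.calls = 0
```

In a real deployment `post` and `send` would be thin wrappers around an HTTP client, and the client secret would come from the API's secret store, never from the SPA bundle.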