Tags: .net-6.0, itfoxtec-identity-saml2

How to authenticate between different .Net Api's with ITfoxtec.Identity.Saml2


We have two different Api's running. One on a public server and one internal that should communicate with each other. We used to set up SAML with AzureAD and ITfoxtec.Identity.Saml2 to authorize the public Api. Now we need to set up authorized communication between the two Api's with the authorized user.

How can we authorize the Api's between each other?

We tried using HttpClient but can't get it to work.

    using System.Net.Http;

    // UseDefaultCredentials only sends the process's Windows credentials (NTLM/Kerberos);
    // it does not carry the SAML-authenticated user's identity or claims.
    HttpClient client = new HttpClient(new HttpClientHandler { UseDefaultCredentials = true, });

How can we set User and claims to the HttpClient?


Solution

  • ITfoxtec.Identity.Saml2 strictly supports SAML 2.0, which only supports user authentication in a web application. The SAML 2.0 standard does not support securing API calls.

    To secure your API you can send the SAML 2.0 token in the request as a bearer token and validate the token in the API.

    A better choice would be to use OpenID Connect and use the access token to authenticate the API call.
    You can either connect directly to Azure AD and use the access token from there. Or use a security broker like FoxIDs to convert between the Azure AD security context and your application context. Then you would secure the API call with the access token received from FoxIDs. See web application sample calling the API sample with an access token.
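    The access-token approach from the answer, as an added example that is not code from the original post or from the ITfoxtec/FoxIDs projects: the internal API validates an Azure AD (OpenID Connect) access token with the Microsoft.AspNetCore.Authentication.JwtBearer package, and the public API forwards the signed-in user's access token on its outbound HttpClient calls instead of relying on UseDefaultCredentials. The tenant id, audience, scope name, internal URL and the assumption that the public API's authentication handler saved the token (SaveTokens = true) are placeholders/assumptions, not values from the page.

```csharp
// Internal API (Program.cs): accept only a bearer token issued by the tenant for this API.
// Added example; <TENANT-ID>, the audience and the scope name are placeholders.
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Discovery document and signing keys are fetched from the issuer, never hard-coded.
        options.Authority = "https://login.microsoftonline.com/<TENANT-ID>/v2.0";
        // A token minted for the public API (different audience) is rejected here.
        options.Audience = "api://<INTERNAL-API-CLIENT-ID>";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true, ValidateAudience = true,
            ValidateLifetime = true, ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };
    });
builder.Services.AddAuthorization(o =>
    // Azure AD puts delegated scopes in one space-separated "scp" claim, so split before checking.
    o.AddPolicy("InternalRead", p => p.RequireAuthenticatedUser().RequireAssertion(c =>
        (c.User.FindFirst("scp")?.Value ?? "").Split(' ').Contains("Internal.Read"))));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// The user's claims from the validated token are available as ctx.User.
app.MapGet("/internal/data", (HttpContext ctx) => Results.Ok(new { user = ctx.User.Identity?.Name }))
   .RequireAuthorization("InternalRead");
app.Run();

// Public API side: outbound handler that forwards the caller's access token (assumes the public
// API's authentication handler stored it with SaveTokens = true).
public sealed class BearerForwardingHandler : DelegatingHandler
{
    private readonly IHttpContextAccessor _accessor;
    public BearerForwardingHandler(IHttpContextAccessor accessor) => _accessor = accessor;

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var ctx = _accessor.HttpContext ?? throw new InvalidOperationException("No HTTP request context");
        var token = await ctx.GetTokenAsync("access_token")
            ?? throw new UnauthorizedAccessException("Caller has no access token to forward");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return await base.SendAsync(request, ct);
    }
}
```

    In the public API, register the handler with `AddHttpContextAccessor()`, `AddTransient<BearerForwardingHandler>()` and `AddHttpClient("internal", c => c.BaseAddress = new Uri("https://internal.example/")).AddHttpMessageHandler<BearerForwardingHandler>()`; the internal API then authorizes on the forwarded user's claims rather than on machine credentials.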