I have a BFF and its API can be used by public accounts and I want to use Entra / AAD B2C for it. The API/BFF should be able to access internal APIs which are using Entra ID / AAD.
My plan was to implement the following flow with the "on-behalf-of flow" (OBO):
https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-on-behalf-of-flow
I have two app regs, one in each tenant (B2C + internal). I made the internal app reg visible to the B2C tenant and gave the B2C app reg permissions to a dedicated scope from the internal app reg.
Public users authenticate against:
https://<myb2cdomain>.ciamlogin.com/<myb2ctenantId>/oauth2/v2.0/authorize
with auth code flow with PKCE.
To get a token which I can use against my BFF I use a defined scope from the B2C app reg.
This works and I get a token.
Now I try to init an OBO flow to:
https://<myb2cdomain>.ciamlogin.com/<myb2ctenantid>/oauth2/v2.0/token
or
https://login.microsoft.com/<myb2ctenantid>/oauth2/v2.0/token
with the access token as assertion and the scope for the internal api.
The first gives me
AADSTS500207: The account type can't be used for the resource you're trying to access.
the second:
AADSTS500208: The domain is not a valid login domain for the account type.
I researched but I only found examples from Microsoft which are using the OBO flow for Graph, not for own APIs. Additionally, I'm not sure if there is library support from Microsoft.Identity.Web for that. There is the IDownstreamAPI package, but I didn't get it to work, and additionally I need to get it to work via HttpClientFactory and not with the IDownstreamAPI interface, which makes it hard to use together with other libraries. So I tried the flow manually first to ensure that it works and that I set up everything correctly.
Happy for any hints or code samples.
The error "AADSTS500208: The domain is not a valid login domain for the account type" usually occurs if the application is not configured to authenticate the personal accounts.
Hence, register the Azure AD B2C application as "Accounts in any identity provider or organizational directory (for authenticating users with user flows)" like below:
Note that Azure AD B2C doesn't support the OBO flow, which you are making use of. Check this GitHub blog by svrooij.
And hence you are getting the error "AADB2C99075: The feature 'On-Behalf-Of' is not enabled for this tenant".
As a workaround, make use of the client credentials flow on the Azure AD application, or wire through the Azure B2C auth token and validate it in the internal API.
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:api://xxx/.default
grant_type:client_credentials
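The client credentials workaround above, wired through HttpClientFactory as the question asked for, as an added example that is not part of the answer or of any Microsoft sample. It uses MSAL.NET (Microsoft.Identity.Client) directly rather than IDownstreamApi; the "InternalApi" configuration keys and the "internal" client name are assumed, and api://xxx/.default is the placeholder scope from the answer.

```csharp
// Program.cs (ASP.NET Core minimal hosting), BFF side.
using System.Net.Http.Headers;
using Microsoft.Identity.Client;

var builder = WebApplication.CreateBuilder(args);

// Confidential client for the *internal* Entra ID tenant (assumed config section "InternalApi":
// TenantId, ClientId, ClientSecret, BaseUrl). The secret should come from a secret store, not appsettings.
var cfg = builder.Configuration.GetSection("InternalApi");
builder.Services.AddSingleton<IConfidentialClientApplication>(_ =>
    ConfidentialClientApplicationBuilder.Create(cfg["ClientId"])
        .WithClientSecret(cfg["ClientSecret"])
        .WithAuthority(AzureCloudInstance.AzurePublic, cfg["TenantId"])
        .Build());

// DelegatingHandler must be transient for AddHttpMessageHandler<T>.
builder.Services.AddTransient<InternalApiAuthHandler>();
builder.Services.AddHttpClient("internal", c => c.BaseAddress = new Uri(cfg["BaseUrl"]!))
    .AddHttpMessageHandler<InternalApiAuthHandler>();

var app = builder.Build();
app.MapGet("/bff/orders", async (IHttpClientFactory f) =>
{
    var client = f.CreateClient("internal");
    return Results.Stream(await client.GetStreamAsync("/orders"), "application/json");
});
app.Run();

// Attaches an app-only bearer token to every call to the internal API.
public sealed class InternalApiAuthHandler : DelegatingHandler
{
    // .default requests all app permissions granted to this client on the internal app reg.
    private static readonly string[] Scopes = { "api://xxx/.default" };
    private readonly IConfidentialClientApplication _app;

    public InternalApiAuthHandler(IConfidentialClientApplication app) => _app = app;

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken ct)
    {
        // MSAL caches the token in memory and only calls /token again near expiry.
        AuthenticationResult result = await _app.AcquireTokenForClient(Scopes).ExecuteAsync(ct);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        // Note: this token carries the BFF's identity, not the B2C user's. The internal API must
        // authorize on the app's roles claim and must not infer a user from it; if the user
        // identity is required, use the second workaround (forward and validate the B2C token).
        return await base.SendAsync(request, ct);
    }
}
```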