Add support to Azure AD B2C for the on-behalf-of flow.
In order for a web API to call another downstream web API as the user, Azure AD B2C needs to support the OAuth on-behalf-of flow.
According to the following reference, this isn't supported in B2C: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-apps#web-api-chains-on-behalf-of-flow
I also cannot find this feature on the Azure Roadmap.
Felix Müller commented
A back-end service calling another API is not an exotic scenario. It would be great if we could use best practice patterns like OAuth2 OBO in this architecture, even if the original token was issued by Azure B2C.
+1 please prioritize
Omar Aamir commented
Please prioritize this feature
Oisin Grehan commented
This is pretty terrible for Azure. Please prioritize this feature.
One of the ways we can implement this is by using an API gateway in front of the Web API chains; this API gateway can be used to cache the access tokens that can be forwarded to multiple Web APIs in the chain. A reference design pattern can be seen in this video: https://www.youtube.com/watch?v=wuUu71RcsIo . Please watch from 4:28 to get to the idea directly.
The reference article is here
AADB2C90146 - The scope provided in request specifies more than one resource for an access token, which is not supported.
Due to this limitation, we are unable to request an access token for more than 1 downstream API during SSO - as other commenters have mentioned, this leads to structuring your APIs to be monolithic or avoid using user tokens and move toward system tokens (omitting policy from the B2C STS and using straight OAuth)
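The two comments above describe the workaround in words: because B2C rejects a token request whose scopes span more than one resource (AADB2C90146), a client, or a gateway fronting the API chain, has to ask for one access token per downstream API and can cache those tokens per user. The following is an added illustration of that pattern, not code from the thread or from Microsoft. The scope URIs, tenant name, user id and the unsigned sample tokens are constructed for the example; `fetch_token` stands in for whatever the gateway actually calls to obtain a token, and the `exp`-based cache expiry assumes the downstream API still validates every token itself.

```python
"""Split a B2C scope request per resource and cache one token per (user, resource).

Added illustration for the feedback thread, not project code. Scope URIs,
tenant and tokens below are constructed; `fetch_token` is a placeholder for
the real token acquisition call.
"""
from __future__ import annotations

import base64
import json
import time
from collections import defaultdict

# OIDC scopes may accompany any resource request without selecting a resource.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def partition_scopes(scopes):
    """Return {resource: [scopes]} with one entry per downstream API.

    A resource is the scope URI minus its final path segment (the permission):
    'https://contoso.onmicrosoft.com/orders-api/Orders.Read' belongs to
    'https://contoso.onmicrosoft.com/orders-api'. OIDC scopes are dropped here;
    add them back to a request only if an ID token is needed as well.
    """
    by_resource = defaultdict(list)
    for scope in scopes:
        if scope in OIDC_SCOPES:
            continue
        resource, sep, permission = scope.rpartition("/")
        if not sep or not resource or not permission:
            raise ValueError(f"scope is not a resource URI: {scope!r}")
        by_resource[resource].append(scope)
    return dict(by_resource)


def _jwt_exp(token):
    """Read `exp` from a compact JWT without verifying it.

    Used only to decide when the cached copy is stale; the downstream API
    still checks signature, issuer and audience on every call.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


class PerResourceTokenCache:
    """Holds one access token per (user, resource), as a gateway would."""

    def __init__(self, fetch_token, clock=time.time, skew=60):
        self._fetch = fetch_token  # fetch_token(user, resource, scopes) -> JWT string
        self._clock = clock
        self._skew = skew          # refresh this many seconds before expiry
        self._cache = {}

    def tokens_for(self, user, scopes):
        """Return {resource: token}, issuing one token request per resource."""
        result = {}
        for resource, resource_scopes in partition_scopes(scopes).items():
            key = (user, resource)
            cached = self._cache.get(key)
            if cached is None or _jwt_exp(cached) - self._skew <= self._clock():
                cached = self._fetch(user, resource, resource_scopes)
                self._cache[key] = cached
            result[resource] = cached
        return result


def _fake_jwt(claims):
    """Unsigned compact JWT for the constructed example; not a real B2C token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def demo():
    """Constructed walk-through: two APIs, a cached repeat, then expiry."""
    calls = []
    now = [1_700_000_000]

    def fetch(user, resource, scopes):
        calls.append((resource, tuple(scopes)))
        return _fake_jwt({"sub": user, "aud": resource,
                          "scp": " ".join(scopes), "exp": now[0] + 3600})

    cache = PerResourceTokenCache(fetch, clock=lambda: now[0])
    requested = [
        "openid", "offline_access",
        "https://contoso.onmicrosoft.com/orders-api/Orders.Read",
        "https://contoso.onmicrosoft.com/orders-api/Orders.Write",
        "https://contoso.onmicrosoft.com/billing-api/Invoices.Read",
    ]
    first = cache.tokens_for("user-1", requested)    # two fetches, one per API
    second = cache.tokens_for("user-1", requested)   # both served from cache
    now[0] += 3600                                   # tokens now expired
    third = cache.tokens_for("user-1", requested)    # two fresh fetches
    return {"resources": sorted(first), "fetch_calls": len(calls),
            "second_same": first == second, "third_new": third != first}


if __name__ == "__main__":
    print(demo())
```

The point of splitting on the resource rather than hard-coding API names is that it generalises to any number of downstream APIs in the chain; each one still sees a token whose audience is itself, which is what lets it keep validating `aud` strictly instead of accepting a shared, wider token.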
I was surprised to read that this very common scenario is not supported. I am even more surprised that this request has been here for more than two years.
Smith, Jacob commented
The alternatives, as I see them at this moment, are:
- Wait to hear back from Microsoft and wait for this to be implemented.
- Ignore everyone's push for MicroServices and force other teams to commit to the same Web API monolithic application
- Don't use B2C?
Luke M commented
This is an important feature for us, as we use Web API chains in our architecture design. Is there any news on when this will be available?
Omer Afridi commented
Is Microsoft planning to bring that support soon, can I get some timeline when this feature will be available?
Dange, Sahil commented
Any update on this? How many years should we wait?
We are now using our own IdentityServer4 based web app, but would really love to migrate to B2C because of responsibility issues mainly. What's stopping us is exactly this issue, that we cannot use downstream APIs with B2C. To us B2C is useless without it. Switching to Azure AD (premium) would mean an impossible pricing model.
Please... prioritize this item!
Dinesh Kumar Sarangapani commented
Any update on the priority?
This is indeed one of the basic requirements of customer centric apps. Please consider prioritizing it.
We have to hack it now with iframes and whatnot. Please, please fix it.
Leo Davidson commented
Any news on this? It is one factor in our decision to use B2C or some other Idp.
This feature is instrumental to customer centric use cases. Please support this asap.
We would find this support exceedingly useful. Our solution architects are increasingly designing systems with web API chains. On behalf of flow would help keep B2C a user/customer centric access control model.
Pahne, Andy (external) commented
I was kind of surprised to not find this in our POC project.