Currently I have an ASP.NET Framework MVC application with an Angular frontend app. This app is registered in Azure Active Directory B2C with a separate set of access settings (tenantId, clientId, etc.).
Now I'm creating an Angular PWA, also in AAD B2C, with the OAuth 2.0 authorization code flow using MSAL, and I want this app to access my ASP application.
I considered the following approaches:
- Creating some sort of gateway that will be accessible by my PWA and will get the required data from the mentioned ASP app. This approach is called the On-Behalf-Of flow, but it turned out it's not supported by Azure AD B2C.
- Straightforward API calls with CORS enabled, but it feels like a really bad idea.
I was wondering if there is some AD B2C configuration approach that will allow me to access one API from several web applications.
CodePudding user response:
I'm doing exactly this now. Back end API with web/android/ios front ends.
Call your API straight from your PWA. You'll have an access token from B2C, you'll have all the claims you've requested, and your API will parse them and grant/deny access to data accordingly.
I think the intended use case of the "On Behalf of" flow is if you have an API that calls a separate API that you don't control, and you need to maintain security context to that API.
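The claim checks the answer describes, as an added example that is not part of the original post or of the asker's application. It assumes the API's JWT bearer middleware has already verified the token signature against the tenant's signing keys, so only claims are checked here: issuer, audience (the token must be issued for the API's own app registration, not for the calling client), expiry and the `scp` scope string. The tenant name, tenant id, app ids and the `Data.Read` scope are constructed placeholders, and the tokens are built locally with a placeholder signature purely to exercise the checks. The point for the question asked: both the existing MVC app and the new PWA obtain tokens with the API as audience, and the API accepts either without needing the On-Behalf-Of flow.

```typescript
// Added example (not from the post): claim-level authorization an API applies
// to a B2C access token. Signature verification is assumed to have been done
// by the bearer middleware; only claims are checked here. All ids are placeholders.

const TENANT_NAME = "contoso";                              // placeholder tenant
const TENANT_ID = "00000000-0000-0000-0000-000000000000";   // placeholder tenant id
const API_APP_ID = "11111111-1111-1111-1111-111111111111";  // the API's own registration
const MVC_APP_ID = "22222222-2222-2222-2222-222222222222";  // existing MVC + Angular client
const PWA_APP_ID = "33333333-3333-3333-3333-333333333333";  // new PWA client

interface ApiPolicy {
  issuer: string;        // B2C issuer for this tenant
  audience: string;      // tokens must be issued *for the API*, not for a client app
  requiredScope: string; // permission the client must have been granted
}

interface Decision {
  allowed: boolean;
  reason: string; // empty when allowed
}

const API_POLICY: ApiPolicy = {
  issuer: `https://${TENANT_NAME}.b2clogin.com/${TENANT_ID}/v2.0/`,
  audience: API_APP_ID,
  requiredScope: "Data.Read",
};

// base64url helpers; Node's Buffer supports the "base64url" encoding natively.
function b64url(value: object | string): string {
  const text = typeof value === "string" ? value : JSON.stringify(value);
  return Buffer.from(text, "utf8").toString("base64url");
}

function decodeJwtPayload(token: string): Record<string, unknown> {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Constructed token for the demo: real JWT shape, placeholder signature.
// A real B2C token is RS256-signed and must be verified before these checks.
function makeConstructedToken(payload: Record<string, unknown>): string {
  return `${b64url({ alg: "RS256", typ: "JWT" })}.${b64url(payload)}.${b64url("placeholder-signature")}`;
}

function authorize(token: string, policy: ApiPolicy, nowSeconds: number): Decision {
  let claims: Record<string, unknown>;
  try {
    claims = decodeJwtPayload(token);
  } catch (err) {
    return { allowed: false, reason: `malformed token: ${(err as Error).message}` };
  }
  const deny = (reason: string): Decision => ({ allowed: false, reason });

  if (claims.iss !== policy.issuer) return deny("issuer mismatch");

  // A token whose audience is a client app id (e.g. one the PWA requested for
  // itself) is rejected even though B2C issued it: it was not meant for this API.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(policy.audience)) return deny("audience mismatch");

  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return deny("token expired");
  if (typeof claims.nbf === "number" && claims.nbf > nowSeconds) return deny("token not yet valid");

  // B2C carries granted permissions in "scp" as a space-separated string.
  const scopes = typeof claims.scp === "string" ? claims.scp.split(" ") : [];
  if (!scopes.includes(policy.requiredScope)) return deny(`missing scope ${policy.requiredScope}`);

  return { allowed: true, reason: "" };
}

const NOW = 1_700_000_000; // fixed clock so the demo is deterministic

function sampleToken(overrides: Record<string, unknown>): string {
  return makeConstructedToken({
    iss: API_POLICY.issuer,
    aud: API_APP_ID,
    azp: MVC_APP_ID, // which client app requested the token (informational here)
    sub: "constructed-user-object-id",
    iat: NOW - 60,
    nbf: NOW - 60,
    exp: NOW + 3600,
    scp: "Data.Read",
    ...overrides,
  });
}

function runScenarios(): Record<string, Decision> {
  return {
    fromMvcApp: authorize(sampleToken({}), API_POLICY, NOW),
    fromPwa: authorize(sampleToken({ azp: PWA_APP_ID, scp: "Data.Read Data.Write" }), API_POLICY, NOW),
    wrongAudience: authorize(sampleToken({ aud: PWA_APP_ID }), API_POLICY, NOW),
    expired: authorize(sampleToken({ exp: NOW - 1 }), API_POLICY, NOW),
    noScope: authorize(sampleToken({ scp: "Profile.Read" }), API_POLICY, NOW),
    garbage: authorize("not-a-jwt", API_POLICY, NOW),
  };
}

for (const [name, decision] of Object.entries(runScenarios())) {
  console.log(name.padEnd(14), decision.allowed ? "ALLOW" : `DENY (${decision.reason})`);
}
```

The audience check is the one that answers the original question: each client app (the MVC app, the PWA, later mobile apps) is granted the API's scope in its own B2C registration, and the API only ever validates that the token was issued for the API itself. CORS on the API then just needs to list the origins of those client apps; it is not the security boundary, the token is.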