I am using Azure Active Directory B2C with custom policies and an API connector. I want to secure a specific endpoint in my API (C# .NET 4.7.2) which will return the legacyUserId (this is for the migration of the users to Azure). This is not the most valuable information, but the goal is to make sure that the endpoint cannot be accessed freely. I want to access the API from the custom policy and from Postman for testing.
The official documentation for securing the API connector does show what to do on the Azure side. But I do not know how or what to configure or add in my API. I am also not sure which method would be best to secure my API. Although it seems like certificates are the most secure?
Also, would I be able to combine multiple methods? For example using an API Key and Client certificates. But maybe using an API key is enough?
Any suggestions?
CodePudding user response:
AFAIK, you can only use one authentication method (either certificate or Basic Auth) in Azure AD B2C and not multiple in combination. One authentication method that works should also be enough though.
Which authentication method to choose depends on your security requirements. Many APIs on the internet are accessible with Basic Authentication or an API key, whereas client certificates are seldom used and only in cases where the set of potential clients of the API is very limited (as it is in your case).
Another question to consider is how the API is secured up to now. If there is already an API key authentication or - more likely - a Basic Auth implementation, you could use it and reduce the amount of changes you have to make on the API side. If the current authentication is proven to be secure, any changes comprise the risk of unwanted side effects.
The documentation for implementing authentication in ASP.NET Web API for .NET Framework 4.x can be found here. Basic Auth is described in greater detail, and the implementation can also be used as a starting point for implementing API Key authentication where the API key is transmitted as a header or request parameter (the latter might end up in a log file on the server, so a header value is preferable).
Important to note: the API should be hosted using HTTPS, so that any information that is transmitted in the header or request parameter is encrypted.
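As an added illustration (not code from the question or the answer above) of the header-based API key variant on ASP.NET Web API 2 / .NET Framework 4.7.2: the `ApiKeyAuthorizeAttribute` class, the `X-Api-Key` header name and the `LegacyUserApiKey` appSettings key are assumptions, and the project needs a reference to the System.Configuration assembly.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
// Hypothetical Web API 2 filter: the request must arrive over HTTPS and carry the shared secret in
// the X-Api-Key header (assumed header name; the B2C policy and Postman must send the same header).
public sealed class ApiKeyAuthorizeAttribute : AuthorizationFilterAttribute
{
    private const string HeaderName = "X-Api-Key";
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;
        // Refuse plain HTTP so the key is never transmitted in clear text.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            actionContext.Response = request.CreateResponse(HttpStatusCode.Forbidden, "HTTPS required");
            return;
        }
        // The expected key comes from <appSettings> in Web.config (assumed key name), never from source.
        string expected = ConfigurationManager.AppSettings["LegacyUserApiKey"];
        IEnumerable<string> values;
        string presented = request.Headers.TryGetValues(HeaderName, out values) ? values.FirstOrDefault() : null;
        // Missing and wrong keys get the same 401 so a caller cannot tell which case it hit.
        if (string.IsNullOrEmpty(expected) || presented == null || !FixedTimeEquals(expected, presented))
        {
            actionContext.Response = request.CreateResponse(HttpStatusCode.Unauthorized);
        }
    }

    // .NET Framework lacks CryptographicOperations.FixedTimeEquals: hash both values and compare
    // the digests in a loop whose duration does not depend on where the first difference is.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] ha, hb;
        using (SHA256 sha = SHA256.Create())
        {
            ha = sha.ComputeHash(Encoding.UTF8.GetBytes(a));
            hb = sha.ComputeHash(Encoding.UTF8.GetBytes(b));
        }
        int diff = 0;
        for (int i = 0; i < ha.Length; i++) diff |= ha[i] ^ hb[i];
        return diff == 0;
    }
}
```

Decorate only the legacy-user action (or its controller) with `[ApiKeyAuthorize]` so the rest of the API keeps its current authentication. If TLS is terminated at a proxy in front of the application, the scheme check must inspect the forwarded-protocol header that proxy sets instead of `RequestUri.Scheme`.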