0

We are running an API that is configured for and secured by Azure AD. This is working for us with an Angular app where users login interactively. Now we have a need for a partner firm to use the API in a system to system way (no user login).

What needs to be configured for their application to get an OAuth token for our API from Azure AD?

I've examined the service to service call flow, but I'm wondering if it's best practice to create an application registration in our tenant for an application we don't own/manage. However this seems to be the fastest way to give them a client ID/Secret in order for them to interact with Azure AD.

Thanks in advance! -Doug

DGilmour
  • 1

1 Answers1

0
  • Azure active directory supports the OAuth 2.0 to authorize the third-party apps too. It doesn’t actually matter where the web APIs are hosted.You can even see Azure Active Directory recommendation on third party apps. It actually adds up security and different type of apps can be integrated .
  • But you will need to have your web app authenticate to Azure AD, and provide the token to the web api.so it requires app registration .
  • Scenario for external web app to call a web api, you can refer to this:web-app-call-api
  • Your application can acquire a token to call a web API on behalf of itself (not on behalf of a user) i.e; you can achieve scenario where non-interactive app calls a web api

But if you meant app calling a partner api using another api . The Azure AD V2.0 doesn't support the Partner API(See Restrictions on services and APIs) when you integrated the web API with third-party application using MSAL(Azure AD V2.0 endpoint) .

One way is using the on-behalf-flow. Here third-party application initially acquires the access token to call the web API. This web API acquire the token for Partner Center API and calls it using on-behalf-flow with that token. This solution uses the Azure AD endpoint instead of v2.0( register the app on Azure portal).

Other References:

  1. asp.net web api - Azure Active Directory Verify Access Token in Web Api outside of Azure - Stack Overflow
  2. Authentication vs. authorization
kavyaS
  • 8,026
  • 1
  • 7
  • 19
  • Can you provide a link to the "Restrictions on services and APIs"? – DGilmour May 26 '22 at 16:19
  • Also. I'm aware that lots of apps can be integrated. What I'm trying to understand is which tenant the App Registration should be done in for a B2B situation. (I'm not looking at the on-behalf-flow because it's not a 2 hop chain.) – DGilmour May 26 '22 at 16:28