Im calling a REST api from an azure B2C custom policy, what this flow will do is call out to one endpoint with a GET and if I dont get back the claim information I need, it will call out to another end point with a POST. There are two limitations i'm seeing in azure B2C that I wanted to see if anyone had a work around for.
For the GET call, it uses the oid from the claim in the url path (I.E api/info/{oid}). From what im seeing from the docs, I dont believe there is a way to dynamically populate the service url with the OID from the claim. Is there any workaround to this?
For the POST call, I am hitting APIM and need headers for both an API key and a Subscription Key. As far as im aware, B2C will only allow the post call with a single header (unless doing basic auth) when calling out. Is there a way to send both headers when making the call?
The goal is to make these calls without changing the current paradigm of the api(I.E. Changing path variable to query params etc).
For the GET call, you can use the SendClaimsIn
Metadata, set to Url
. Then you just use a token for every InputClaim
you specify in the technical porofile.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile#metadata
For the POST call, I would think you could supply two cryptographic keys to send both your API key and Subscription Key. I haven't had a chance to verify this, but I would think it would include both in the Header. I will try and test this with an Azure Function at some point, unless you're able to validate beforehand.
Example of each challenge:
<Metadata>
<Item Key="ServiceUrl">https://www.website.com/api/info/{objectId}</Item>
<Item Key="AuthenticationType">ApiKeyHeader</Item>
<Item Key="SendClaimsIn">Url</Item>
</Metadata>
<CryptographicKeys>
<Key Id="X-Api-Key" StorageReferenceId="B2C_1A_ApiKey"/>
<Key Id="X-Subscription-Key" StorageReferenceId="B2C_1A_SubscriptionKey"/>
</CryptographicKeys>
<InputClaims>
<InputClaim ClaimTypeReferenceId="objectId"/>
</InputClaims>