---
title: Add a web API application - Azure Active Directory B2C
description: Learn how to add a web API application to your Active Directory B2C tenant.
services: active-directory-b2c
author: kengaderdus
manager: CelesteDG
ms.author: kengaderdus
ms.date: 03/30/2022
ms.custom: mvc
ms.topic: how-to
ms.service: active-directory
ms.subservice: B2C
---
This article shows you how to register web API resources in your Azure Active Directory B2C (Azure AD B2C) tenant so that they can accept and respond to requests by client applications that present an access token.
To register an application in your Azure AD B2C tenant, you can use either the Azure portal's new unified App registrations experience or the legacy Applications (Legacy) experience. Learn more about the new experience. The first set of steps below uses the App registrations experience; the second uses the legacy experience.
- Sign in to the Azure portal.
- Select the Directories + subscriptions icon in the portal toolbar.
- On the Portal settings | Directories + subscriptions page, find your Azure AD B2C directory in the Directory name list, and then select Switch.
- In the left menu, select Azure AD B2C. Or, select All services and search for and select Azure AD B2C.
- Select App registrations, and then select New registration.
- Enter a Name for the application. For example, webapi1.
- Under Redirect URI, select Web, and then enter an endpoint where Azure AD B2C should return any tokens that your application requests. In a production application, you might set the redirect URI to an endpoint like `https://localhost:5000`. During development or testing, you can set it to `https://jwt.ms`, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser). You can add and modify redirect URIs in your registered applications at any time.
- Select Register.
- Record the Application (client) ID for use in your web API's code.
To register the web API with the Applications (Legacy) experience:
- Sign in to the Azure portal.
- Make sure you're using the directory that contains your Azure AD B2C tenant. Select the Directories + subscriptions icon in the portal toolbar.
- On the Portal settings | Directories + subscriptions page, find your Azure AD B2C directory in the Directory name list, and then select Switch.
- Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
- Select Applications (Legacy), and then select Add.
- Enter a name for the application. For example, webapi1.
- For Include web app/ web API and Allow implicit flow, select Yes.
- For Reply URL, enter an endpoint where Azure AD B2C should return any tokens that your application requests. In your production application, you might set the reply URL to a value such as `https://localhost:44332`. For testing purposes, set the reply URL to `https://jwt.ms`.
- For App ID URI, enter the identifier used for your web API. The full identifier URI including the domain is generated for you. For example, `https://contosotenant.onmicrosoft.com/api`.
- Select Create.
- On the properties page, record the application ID that you'll use when you configure the web application.
Scopes provide a way to govern access to protected resources. The web API uses the scopes carried in an access token to implement scope-based access control: for example, some users of the web API could have both read and write access, while others have only read access. In this tutorial, you use scopes to define read and write permissions for the web API.
[!INCLUDE active-directory-b2c-scopes]
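As an added example (not part of this article or of any Azure AD B2C library), the following Python sketches the authorization step a web API performs after a token's signature has been validated: it confirms the token was issued for this API (the Application (client) ID recorded above) by the expected issuer, that it is inside its validity window, and that the space-separated `scp` claim grants the scope the operation needs. The audience, issuer and the `demo.read`/`demo.write` scope names are constructed placeholders.

```python
import time
from typing import Dict, Optional, Set

# Constructed placeholders: a real API uses the Application (client) ID recorded
# at registration and the issuer of the B2C user flow or policy that issued the token.
EXPECTED_AUDIENCE = "<application-client-id>"
EXPECTED_ISSUER = "https://contosotenant.b2clogin.com/<tenant-id>/v2.0/"
# Scope each HTTP method requires (constructed names); unknown methods count as writes.
REQUIRED_SCOPES = {"GET": {"demo.read"}, "POST": {"demo.write"}, "PUT": {"demo.write"}}

class TokenRejected(Exception):
    """Token is not acceptable to this API at all (HTTP 401)."""

class InsufficientScope(Exception):
    """Token is valid but lacks the scope this operation needs (HTTP 403)."""

def authorize(claims: Dict, required: Set[str], now: Optional[float] = None) -> Set[str]:
    """Authorization checks on the payload of an access token whose signature has
    already been verified against the issuing policy's signing keys.
    Returns the set of scopes the token grants."""
    now = time.time() if now is None else now
    # A valid token issued for another application must still be refused.
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise TokenRejected("token was not issued for this web API")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("unexpected issuer")
    # nbf/exp are seconds since the epoch; a missing claim yields an empty window.
    if not (claims.get("nbf", float("inf")) <= now < claims.get("exp", 0)):
        raise TokenRejected("token is outside its validity window")
    # Delegated permissions arrive as a space-separated list in the scp claim.
    granted = set(claims.get("scp", "").split())
    missing = required - granted
    if missing:
        raise InsufficientScope("missing scope(s): " + " ".join(sorted(missing)))
    return granted

def handle_request(method: str, claims: Dict, now: Optional[float] = None) -> int:
    """Return the HTTP status the API should answer for this method and token."""
    try:
        authorize(claims, REQUIRED_SCOPES.get(method, {"demo.write"}), now)
        return 200
    except TokenRejected:
        return 401
    except InsufficientScope:
        return 403

# Constructed sample payloads standing in for already-validated tokens.
NOW = 1_650_000_000
READ_ONLY = {"aud": EXPECTED_AUDIENCE, "iss": EXPECTED_ISSUER,
             "nbf": NOW - 60, "exp": NOW + 3600, "scp": "demo.read"}
READ_WRITE = dict(READ_ONLY, scp="demo.read demo.write")
```

A token for another audience or outside its window is answered 401, while a valid token without the write scope is answered 403, so the client can tell a bad token from a missing permission.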
To call a protected web API from an application, you need to grant your application permissions to the API. For example, in Tutorial: Register an application in Azure Active Directory B2C, a web application named webapp1 is registered in Azure AD B2C. You can use this application to call the web API.
[!INCLUDE active-directory-b2c-permissions-api]
Your application is registered to call the protected web API. A user authenticates with Azure AD B2C to use the application. The application obtains an authorization grant from Azure AD B2C to access the protected web API.