I am trying to protect an API against Azure AD B2C based on the following scenario
As you can see, the flow is as follows:
1.- A user puts its credentials in a login page of a web application 2.- The web app validates the credentials against Azure AD B2C using OpenID Connect 3.- Once the user credentials are sucessfully validated, Azure creates and return an id_token So far, all of this functionality is already developed, I can't change nothing 4.- The web application will send the id_token as a Bearer token to the API 5.- What I need is to protect (Authorize) the new API (Java 17, Spring boot 3) I developed also against Azure but by using the id_token instead of an access_token, because the web app doesn't have one
I have been reading a lot of documentation but so far I didn't find anything related what the scenario I have
Could you help me giving me some ideas about it? Any suggestion will be appreciated
I tried the user_impersonation and on_behalf_of approaches but without any success, I dont' know what's the flow I need to follow to achieve my goal
One of the many references explaining why you should not use ID token as access tokens: https://auth0.com/blog/id-token-access-token-what-is-the-difference/
A reference from Spring Security team explaining why you should not make your SPA a "public" client: https://github.com/spring-projects/spring-authorization-server/issues/297#issue-896744390
If you read the preceding down to "Final Recommendation", you might consider inserting an OAuth2 BFF to your system. I wrote a tutorial for that on Baeldung: https://www.baeldung.com/spring-cloud-gateway-bff-oauth2