Can't access Azure Key Vault after AD B2C token authentication

Bernhard S 126 Reputation points
2024-08-30T17:14:34.27+00:00

For days I have been trying to get this to work:

  1. User gets a bearer token of the B2C
  2. User retrieves a secret from the key vault by using the token.

I had all types of problems.

  1. Could not access the key vault because it was in another directory.
  2. Could not access the key vault (in the same dir) because of the wrong aud in the token.
  3. Could not create an API permission (in the app reg) because it seems to be forbidden in the b2c.

While I tried to fix this I moved my subscription back and forth. I am close to cancelling my project, or getting rid of b2c and implementing my own logic without the Azure portal.

What I want to do:

  1. User authenticates in the Blazor app via B2C.
  2. Blazor app accesses a custom API (which uses SWAGGER and [Authenticate])
  3. API retrieves secret of the key vault and sends it back to the user. (this is just for testing)

Therefore I created a Unit Test which does

  1. Get the token
  2. Get the secret with the token

I can retrieve the token without problems but the token is not valid to retrieve the secret (2). Could not add the permissions to the appreg because the options are not selectable.


Any ideas?


1 answer

  1. Suwarna S Kale 2,131 Reputation points
    2025-05-01T03:08:16.1366667+00:00

    Hello Bernhard S,

    Thank you for posting your question in the Microsoft Q&A forum. 

    The core challenge lies in Azure AD B2C’s limitations—it’s designed for user authentication, not for directly securing backend resources like Key Vault. Instead of using the B2C token to access Key Vault, adopt a middleware API approach.

    Authentication Flow: 

    • Users authenticate via B2C in your Blazor app. 
    • The app sends the B2C token to your custom API (validated via [Authorize]). 

    API-to-Key Vault Access: 

    • Configure the API’s app registration (in Azure AD, not B2C) with Key Vault permissions (Key Vault Secrets User). 
    • Use the API’s managed identity or a client secret/certificate to fetch secrets, not the user’s B2C token. 

    Why This Works: 

    • B2C tokens lack Key Vault’s aud claim (they’re for user auth, not resource access). 
    • The API acts as a trusted intermediary, isolating B2C from backend services. 

    For testing, mock the API’s Key Vault access locally using DefaultAzureCredential. This architecture maintains security while bypassing B2C’s inherent restrictions. 


    If the above answer helped, please do not forget to "Accept Answer" as this may help other community members to refer the info if facing a similar issue. Your contribution to the Microsoft Q&A community is highly appreciated. 

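As an added illustration of the middleware-API pattern described in the answer above (example code written for this page, not code from the poster, the answerer or Microsoft): the custom API validates the user's B2C bearer token and reaches Key Vault with its own identity. It assumes an `AzureAdB2C` section in appsettings.json (Instance, Domain, ClientId, SignUpSignInPolicyId) and a `KeyVault:VaultUri` setting; both section names are assumptions.

```csharp
// Program.cs of the custom API (ASP.NET Core minimal API, .NET 8).
// NuGet packages assumed: Microsoft.Identity.Web, Azure.Identity,
// Azure.Security.KeyVault.Secrets.
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// 1. Validate the user's B2C token. The API's own app registration is the
//    expected audience, so the Blazor client must request a scope exposed by
//    that registration; otherwise the aud check fails (the error from the question).
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAdB2C")); // assumed section
builder.Services.AddAuthorization();

// 2. Key Vault is reached with the API's own identity, never the user's token.
//    DefaultAzureCredential resolves to the managed identity when hosted in Azure
//    and to the developer's az / Visual Studio login when running locally.
var vaultUri = new Uri(builder.Configuration["KeyVault:VaultUri"]!); // assumed setting
builder.Services.AddSingleton(new SecretClient(vaultUri, new DefaultAzureCredential()));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// 3. Only a caller presenting a valid B2C token reaches this endpoint. The API's
//    identity needs the "Key Vault Secrets User" role on the vault. Metadata is
//    returned rather than the raw secret value, which stays inside the API.
app.MapGet("/api/secret/{name}", async (string name, SecretClient secrets) =>
    {
        KeyVaultSecret secret = await secrets.GetSecretAsync(name);
        return Results.Ok(new { name = secret.Name, length = secret.Value.Length });
    })
    .RequireAuthorization();

app.Run();
```

A unit test like the one in the question then calls this endpoint with the B2C token instead of calling Key Vault directly.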
