Prepare external tenant for calling an API in a Node.js web application

In this article, you prepare your external tenant for authorization. This article is the first part of a four-part guide.

Prerequisite

• Complete the steps in Tutorial: Prepare your external tenant to sign in users in a Node.js web app. After you complete this tutorial, you register an app in your customer's tenant, and you've a web app that signs in users. We refer to this web application as the client application. You extend this application to call a protected web API.

• Complete the steps in Tutorial: Secure an ASP.NET web API registered in an external tenant. After you complete this tutorial, you register a web API in your customer's tenant, which exposes API permissions and publishes application roles. You also have a secured web API. You call this web API from the client web application.

Configure idtyp token claim [optional]

Tokens returned by Microsoft identity are kept smaller to ensure optimal performance by clients that request them. As a result, several claims are no longer present in the token by default and must be asked for specifically on a per-application basis. For this app, you include idtyp optional claim to help the web API to determine if a token is an app token or an app+user token. Although you can use a combination of scp and roles claims for the same purpose, the use of the idtyp claim is the easiest way to tell an app token and an app+user token apart. For example, the value of this claim is app when the token is an app-only token.

Use the following steps to configure idtyp optional claim:

1. From the App registrations page, for which you want to configure optional claim, such as ciam-client-app, to open its Overview page.

2. Under Manage, select Token configuration.

3. Select Add optional claim.

4. Under Token type, choose Access.

5. Select the optional claim idtyp.

6. Select Add to save your changes.

Grant API permissions to the web app

From the prerequisites, you registered a client app in your customer's tenant. You also registered a web API app in your customers. Now, you need to grant API permissions to your client app:

1. From the App registrations page, select the application that you created (such as ciam-client-app) to open its Overview page.

2. Under Manage, select API permissions.

3. Under Configured permissions, select Add a permission.

4. Select the APIs my organization uses tab.

5. In the list of APIs, select the API such as ciam-ToDoList-api.

6. Select Delegated permissions option.

7. From the permissions list, select ToDoList.Read, ToDoList.ReadWrite (use the search box if necessary).

8. Select the Add permissions button.

9. At this point, you've assigned the permissions correctly. However, since the tenant is a customer's tenant, the consumer users themselves can't consent to these permissions. To address this, you as the admin must consent to these permissions on behalf of all the users in the tenant:

   1. Select Grant admin consent for <your tenant name>, then select Yes.

   2. Select Refresh, then verify that Granted for <your tenant name> appears under Status for both permissions.

10. From the Configured permissions list, select the ToDoList.Read and ToDoList.ReadWrite permissions, one at a time, and then copy the permission's full URI for later use. The full permission URI looks something similar to api://{clientId}/{ToDoList.Read} or api://{clientId}/{ToDoList.ReadWrite}.

Next step

Next, learn how to prepare your web application and API.

Start building your web application and API