We finally found a working example with Angular + ASP.NET Core WebAPI:
https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-aspnetcore-webapi
Things we wished, we knew before:
- Angular MSAL Wrapper currently not supporting Auth Code Flow. So Implicit Code Flow is the actual recommended flow. If you're using 3rd party libraries, that are not using the Angular HttpClient, you have to implement the token interceptor manually.
- The "Authentication / Authorization"-Configuration within the App Service should not be set.
- You must configure "Expose an API" within the API App Registration and set the API Permission in the client App Registration.
- For authentication within the API you should use Microsoft.Identity.Web instead of Microsoft.AspNetCore.Authentication.AzureAD.UI
- Microsoft made big changes in the authentication provider (Azure AD for developers -> Microsoft Identity v2) which made researching a real pain, since a lot of documentation and examples were deprecated, promoted solutions and technologies weren't even production ready and so on.
This is a working solution but not the optimal solution we thought of. With this solution we have some drawbacks:
- our API has to protect itself from unauthorized / unauthenticated users
- our client code is somewhat public (minfied and compiled but theoretically can be reverse engineered)
- we had to make changes within the client, to make this work (workarounds for the 3rd party library we're using)