Hi @Simone Demuro ,
Thanks for reaching out.
In the context of a client-server web application, for example, an Angular front end and a .NET backend that talk via REST APIs, what is the Microsoft documentation I can follow?
For your scenario, you can follow the documentation below for securing a web API with the Microsoft identity platform.
https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-flows-app-scenarios
https://learn.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code
Reference sample: https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/blob/main/5-AccessControl/1-call-api-roles/README.md
Can I arbitrarily decide to put the duty of implementing the login in the front end or in the backend, or are there any guidelines?
As for deciding where to implement the login functionality, it is recommended to implement it on the front-end side of your application for an SPA. This allows for a better user experience, as users can log in and authenticate themselves without having to reload the entire page. However, you can also implement it on the backend side for web applications.
If I go for a Single-page app (SPA), can I send the front-end authentication token to the backend to authorize the method calls?
If you decide to use a Single-Page Application (SPA) architecture, you can send the front-end authentication token to the backend to authorize method calls. This is a common approach to securing REST APIs with token-based authentication, where the front-end sends an access token with each API request to the backend as a bearer token in the Authorization header, and the backend then validates the token to authorize the user and execute the API method.
Hope this will help. If you have any other questions regarding that, feel free to let us know.
Thanks,
Shweta
Please remember to "Accept Answer" if the answer helped you.
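Added example, not part of the answer above or of Microsoft's samples: the checks an API has to make on the bearer token an SPA sends (signature, issuer, audience, expiry, scope), sketched in Node.js so each rejection reason is visible. The key pair, issuer URL, `api://todo-api` audience and `Todo.Read` scope are constructed for the demo; a production .NET backend would leave these checks to its JWT bearer middleware.

```javascript
// Added example; keys, issuer, audience and scope names are constructed.
const crypto = require("node:crypto");
const b64url = (x) => Buffer.from(x).toString("base64url");

// Stand-in for the identity provider: signs an RS256 token for the demo.
function issueToken(privateKey, claims) {
  const head = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign("RSA-SHA256", Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${b64url(sig)}`;
}

// API side: checks made on the bearer token before a method runs.
function authorize(authorizationHeader, cfg, now = Math.floor(Date.now() / 1000)) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authorizationHeader || "");
  if (!m) return { ok: false, reason: "malformed" };
  const [, head, body, sig] = m;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, "base64url").toString()) ?? {};
    claims = JSON.parse(Buffer.from(body, "base64url").toString()) ?? {};
  } catch { return { ok: false, reason: "malformed" }; }
  // Pin the algorithm on the server; never let the token choose it.
  if (header.alg !== "RS256") return { ok: false, reason: "alg" };
  const valid = crypto.verify("RSA-SHA256", Buffer.from(`${head}.${body}`),
    cfg.publicKey, Buffer.from(sig, "base64url"));
  if (!valid) return { ok: false, reason: "signature" };
  if (claims.iss !== cfg.issuer) return { ok: false, reason: "issuer" };
  // A validly signed token issued for a different API must still be rejected.
  if (claims.aud !== cfg.audience) return { ok: false, reason: "audience" };
  if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "expired" };
  const scopes = String(claims.scp || "").split(" ");
  if (!scopes.includes(cfg.requiredScope)) return { ok: false, reason: "scope" };
  return { ok: true, subject: claims.sub };
}

// Constructed demo data.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const cfg = { publicKey, issuer: "https://login.example.test/tenant/v2.0",
  audience: "api://todo-api", requiredScope: "Todo.Read" };
const base = { iss: cfg.issuer, aud: cfg.audience, sub: "user-1", scp: "Todo.Read",
  exp: Math.floor(Date.now() / 1000) + 300 };
const check = (overrides, key = privateKey) =>
  authorize("Bearer " + issueToken(key, { ...base, ...overrides }), cfg);

console.log(check({}), check({ aud: "api://other-api" }), check({ scp: "Todo.Write" }));
```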