Can I use auth token from one Azure AD app to allow access to another app?

Sandeep Chinni 20 Reputation points Microsoft Employee
2023-04-18T22:18:53.1666667+00:00

I have two applications registered in a Azure AD tenant.

  1. Web API App
  2. Frontend app

The Frontend app is secured via SSO and can generate an ID token. I would like to secure access to the web API as well, i.e., check if the user making the API call is signed into AD etc. So, I plan on making API calls from the Frontend app to the Web API with the token (in the request header) that is generated when the user logs into the Frontend app. On the backend, I can use the JWT parser to decode the token and look up various attributes. The tokens have an attribute called "aud" which corresponds to the application ID or client ID. When the backend decodes the token and sees that the token has an "aud" which is different from its own "aud" but the tenant ID (tid) is the same, can it accept it as a valid logged-in user? I am trying to understand what a good industry practice is when making calls from the frontend to the backend with respect to SSO tokens. Thanks!

Accepted answer
  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2023-04-19T05:17:28.93+00:00

    Hello @Sandeep Chinni, you can use the same app registration for both the front-end and web API applications. You will issue an ID token to authenticate against the former and an access token to get authorized by the latter. For this you need your app registration to expose a web API. The aud claim remains the same for both tokens. SSO applies only between clients like your front-end app; once logged in to your frontend app you will acquire an access token for your API.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.


1 additional answer

  1. Sandeep Chinni 20 Reputation points Microsoft Employee
    2023-04-21T06:12:47.53+00:00

    The answer is no, per this doc from Microsoft:

    https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens

    The text that explains it: "aud" in an ID token identifies the intended recipient of the token. In id_tokens, the audience is your app's Application ID, assigned to your app in the Azure portal. This value should be validated. The token should be rejected if it fails to match your app's Application ID.

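As an added example (not code from the question or either answer), this is the audience check the backend described above would run after the token's signature has been verified: a token whose aud is the frontend's client ID is rejected even though tid matches, while one issued for the API itself passes. The client IDs, tenant ID, issuer and sample tokens are constructed placeholders.

```python
import base64
import json
import time

# Constructed placeholder identifiers (not real app registrations)
WEB_API_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
FRONTEND_CLIENT_ID = "22222222-2222-2222-2222-222222222222"
TENANT_ID = "33333333-3333-3333-3333-333333333333"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    Assumption: the signature was already verified against the tenant's
    published signing keys; this step only reads the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_for_api(claims: dict, now=None) -> tuple:
    """Accept the token only if it was issued for this web API."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # Same tenant is not enough: the audience must be this API itself
    # (v2.0 tokens carry the client id, v1.0 tokens the api:// App ID URI).
    if WEB_API_CLIENT_ID not in audiences and f"api://{WEB_API_CLIENT_ID}" not in audiences:
        return False, "aud does not match this API"
    if claims.get("tid") != TENANT_ID or claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong tenant or issuer"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def make_unsigned_sample(claims: dict) -> str:
    """Build a constructed, unsigned JWT for demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

The ID token the frontend already holds fails the first check, which is why the API needs its own access token acquired for its audience.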
