How can we use access token to authorize our rest api?

Batchu Sai Akhil 1 Reputation point
2021-01-30T15:58:51.977+00:00

Frontend Application (React js)

I implemented a SPA in React.js which is integrated with Azure AD OAuth2 (Implicit Flow) by referring to this documentation, so this is my login functionality in the application. In the end, I am getting a response that also includes an access token.

Backend Application (Node js)

I also created a REST API that has different endpoints (like the list of products, list of orders, update product details). Before accessing a particular endpoint I want to authorize the user, to check if he has access to the particular endpoint, since I have two roles in my application (Admin and Normal User). I am running the backend service on my local machine.

I have read in many blogs and forums that the access token is used for authorization at our resource server.

How can I check from the backend service whether the Azure access token is valid, and how do I authorize the respective endpoint depending on whether the user has access or not? Or please suggest the right process to securely access my backend endpoints.

Thanks in advance


1 answer

  1. JamesTran-MSFT 36,481 Reputation points Microsoft Employee
    2021-02-03T21:03:49.013+00:00

    @Batchu Sai Akhil
    Thank you for your post and I apologize for the delayed response! For the documentation that you referred to when integrating your SPA in React, would you be able to share it again? It looks like it might've not linked correctly.

    When it comes to the access token, and authorizing the user based on their respective permissions, have you looked into using Delegated Permissions? When using an Azure AD app, you can assign Application or Delegated permissions to that app.

    • Application permissions are used by apps that run without a signed-in user present, for example, apps that run as background services or daemons.
    • Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests. The app is delegated permission to act as the signed-in user when it makes calls to the target resource.

    For more info:
    Azure AD App Application Permissions vs Delegated Permissions
    Permission types

    I hope this helps, if you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
