Scenario: A web API that calls web APIs
Learn what you need to know to build a web API that calls web APIs.
This scenario, in which a protected web API calls other web APIs, builds on Scenario: Protected web API.
- A web, desktop, mobile, or single-page application client (not represented in the accompanying diagram) calls a protected web API and provides a JSON Web Token (JWT) bearer token in its "Authorization" HTTP header.
- The protected web API validates the token and uses the Microsoft Authentication Library (MSAL)
AcquireTokenOnBehalfOfmethod to request another token from Azure Active Directory (Azure AD) so that the protected web API can call a second web API, or downstream web API, on behalf of the user.
AcquireTokenOnBehalfOfrefreshes the token when needed.
The app registration part that's related to API permissions is classical. The app configuration involves using the OAuth 2.0 On-Behalf-Of flow to use the JWT bearer token for obtaining a second token for a downstream API. The second token is added to the token cache, where it's available in the web API's controllers. This second token can be used to acquire an access token silently to call downstream APIs whenever required.
Move on to the next article in this scenario, App registration.