In this post I will extend the previous example by making the web application call a web api secured using Azure AD.
Now let me clarify this: the user will use OpenID Connect to authenticate to the web application, exactly as we saw in the previous post – in fact I’m reusing the same exact sample.
However, the web application at some point needs to call a web api which itself is protected using Azure AD and OAuth2. In this case the web application is the client and it will ask Azure AD for an access token to access the web api (using the OAuth2 Client Credential Flow); and this access token has nothing to do with the id token which was issued to the user to log in to the web application.
Here is a simplified conceptual illustration showing the main artifacts (not showing the protocol dance):
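To make the two-token point above concrete, here is an added example (not code from the post or its sample): it builds the Client Credential Flow token request the web application sends to Azure AD, then shows the claim check the web api must apply so that only an access token addressed to it is accepted and the user's id token is refused. Tenant, client id, secret, App ID URI and issuer are placeholders, the v1 token endpoint form with `resource` is assumed, and the sample JWTs are constructed with a placeholder signature segment.

```python
import base64
import json
from urllib.parse import urlencode

# Placeholder identifiers (constructed; substitute your own tenant and app registrations).
TENANT = "contoso.onmicrosoft.com"
WEB_APP_CLIENT_ID = "00000000-0000-0000-0000-00000000000a"
WEB_APP_CLIENT_SECRET = "<client-secret-placeholder>"
WEB_API_APP_ID_URI = "https://contoso.onmicrosoft.com/TodoListService"
ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-00000000000b/"

def build_client_credentials_request(tenant, client_id, client_secret, resource):
    """Token request the web app (acting as OAuth2 client) POSTs to Azure AD.
    v1 endpoint form: the target web api is named by its App ID URI in 'resource'."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })
    return url, body

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_constructed_jwt(claims: dict) -> str:
    """Build a sample JWT for this demo only. The signature segment is a placeholder:
    a real token is signed by Azure AD and verified by the api's middleware first."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"

def decode_jwt_payload(token: str) -> dict:
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def api_accepts(token: str, now: int) -> bool:
    """Claim checks the web api applies after signature verification: issued by our
    tenant, unexpired, and addressed to *this* api. The user's id token carries the
    web app's client id as 'aud', so it is rejected here even though it is valid."""
    claims = decode_jwt_payload(token)
    return (claims.get("iss") == ISSUER
            and claims.get("aud") == WEB_API_APP_ID_URI
            and claims.get("exp", 0) > now)

NOW = 1_700_000_000  # fixed clock for the constructed samples
ID_TOKEN = make_constructed_jwt({"iss": ISSUER, "aud": WEB_APP_CLIENT_ID, "exp": NOW + 3600, "sub": "user-1"})
ACCESS_TOKEN = make_constructed_jwt({"iss": ISSUER, "aud": WEB_API_APP_ID_URI, "exp": NOW + 3600, "appid": WEB_APP_CLIENT_ID})
```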