Reputation: 131
My application structure is: a web app calls a Web API (let's call it apiA), and that calls another API (let's call it apiB). Now, the web app authenticates the calls via AAD JWT tokens. So, that token would be created for apiA. But I want the API call to apiB to be made as the logged-in user and don't want to use client secrets etc.
So, in a nutshell, I want to impersonate the user and get a token for apiB from the token created for apiA, or maybe, if possible, have a token which can be good for both apiA and apiB, so I don't have to get a new token.
Is there any way to do this?
Upvotes: 1
Views: 837
Reputation: 27588
You could try the OAuth 2.0 On-Behalf-Of flow to delegate the user's identity and authenticate to the second-tier web API. Please refer to the document:
For the scenario when a server application needs to call a web API, it’s helpful to use an example. Imagine that a user has authenticated on a native application, and this native application needs to call a web API. Azure AD issues a JWT access token to call the web API. If the web API needs to call another downstream web API, it can use the on-behalf-of flow to delegate the user’s identity and authenticate to the second-tier web API.
Please click here for more details about service-to-service calls using delegated user identity in the On-Behalf-Of flow.
Upvotes: 2
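The exchange the answer describes, as an added example that is not part of the question, the answer, or Microsoft's documentation: apiA takes the user's token it received (the one whose audience is apiA), sends it to the tenant's token endpoint as the `assertion` of a `urn:ietf:params:oauth:grant-type:jwt-bearer` grant with `requested_token_use=on_behalf_of`, and gets back a token whose audience is apiB but whose user identity (`oid`, `tid`) and delegated scopes (`scp`) still belong to the signed-in user. One thing the question hopes to avoid is not optional here: the middle tier must authenticate itself to the token endpoint with its own client credentials, either a `client_secret` or a certificate-based `client_assertion`. The tenant id, client ids, scope strings, and every token claim below are constructed placeholders, and `fake_token_endpoint` stands in for the real endpoint so the script runs offline; the claims reader does not verify signatures and is only for inspecting what came back.

```python
import base64
import json
import urllib.parse
import urllib.request

# Microsoft identity platform v2 token endpoint; {tenant} is a placeholder.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def build_obo_request(client_id, incoming_token, downstream_scope,
                      client_secret=None, client_assertion=None):
    """Form body apiA posts to exchange the user's apiA token for an apiB token.
    The middle tier must prove its own identity: exactly one of a secret or a
    signed client assertion (certificate credential) is required."""
    if (client_secret is None) == (client_assertion is None):
        raise ValueError("exactly one of client_secret or client_assertion is required")
    form = {
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "assertion": incoming_token,        # the user's token issued for apiA
        "scope": downstream_scope,          # what apiA wants on apiB, e.g. api://apiB/.default
        "requested_token_use": "on_behalf_of",
    }
    if client_secret is not None:
        form["client_secret"] = client_secret
    else:
        form["client_assertion_type"] = CLIENT_ASSERTION_TYPE
        form["client_assertion"] = client_assertion
    return form


def request_downstream_token(tenant, form, opener=urllib.request.urlopen):
    """POST the OBO request; `opener` is injectable so the call can be stubbed offline."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(TOKEN_ENDPOINT.format(tenant=tenant), data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with opener(req) as resp:
        return json.loads(resp.read())


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims):
    """Constructed, unsigned JWT for the demo only; real tokens are signed by Azure AD."""
    header = {"alg": "none", "typ": "JWT"}
    return _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode()) + "."


def claims_of(token):
    """Read payload claims. Signature is NOT checked: validate signature, issuer and
    expiry with the tenant's signing keys before trusting any token in production."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_delegated_token(incoming, downstream, expected_aud):
    """Return the ways the downstream token fails to be 'the same user, now for apiB'.
    `sub` differs per application, so the stable user identifier to compare is `oid`."""
    problems = []
    if downstream.get("aud") != expected_aud:
        problems.append("aud is %r, expected %r" % (downstream.get("aud"), expected_aud))
    if downstream.get("tid") != incoming.get("tid"):
        problems.append("tenant (tid) changed across the exchange")
    if downstream.get("oid") != incoming.get("oid"):
        problems.append("user object id (oid) changed: token is not for the same user")
    if not downstream.get("scp"):
        problems.append("no delegated scopes (scp): this is an app-only token, not a delegated one")
    return problems


# Constructed stand-in for the token endpoint so the demo runs offline.
INCOMING_CLAIMS = {"aud": "api://apiA", "tid": "tenant-placeholder",
                   "oid": "user-oid-placeholder", "scp": "access_as_user"}
DOWNSTREAM_CLAIMS = {"aud": "api://apiB", "tid": "tenant-placeholder",
                     "oid": "user-oid-placeholder", "scp": "Data.Read"}


class fake_token_endpoint:
    def __init__(self, req):
        self.form = dict(urllib.parse.parse_qsl(req.data.decode()))
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False
    def read(self):
        if self.form.get("requested_token_use") != "on_behalf_of":
            return json.dumps({"error": "invalid_grant"}).encode()
        return json.dumps({"access_token": make_sample_token(DOWNSTREAM_CLAIMS)}).encode()


def exchange_and_check(tenant="tenant-placeholder", opener=fake_token_endpoint):
    """Full round trip: build request, call endpoint, verify the returned token is delegated."""
    incoming = make_sample_token(INCOMING_CLAIMS)
    form = build_obo_request("apiA-client-id-placeholder", incoming, "api://apiB/.default",
                             client_secret="apiA-secret-placeholder")
    reply = request_downstream_token(tenant, form, opener=opener)
    if "access_token" not in reply:
        return ["token endpoint error: %s" % reply.get("error")]
    return check_delegated_token(claims_of(incoming), claims_of(reply["access_token"]), "api://apiB")


if __name__ == "__main__":
    print(exchange_and_check() or "downstream token is delegated for the same user")
```

A token is bound to one audience, so there is no single token that is "good for both apiA and apiB"; the exchange above is how apiA gets the second one without the web app ever seeing apiB's token or apiA's credentials.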