Chilu

Reputation: 13

Same Azure AD access token for Multiple Resources

We are evaluating whether the "same" Azure AD access token can be used to access multiple web APIs. Here is the flow:

Client -> webapi1 -> webapi2

1) client authenticates against AAD and acquires token1
2) client calls webapi1 with token1
3) webapi1 calls webapi2 with token1

Let's say both web APIs are configured to validate the same audience ('xxxx') and authority. Are there any complications/security issues in leveraging the same token for both APIs?

Any input is much appreciated.

Upvotes: 1

Views: 1401

Answers (1)

juunas

Reputation: 58853

In that case webapi1 and webapi2 are essentially the same API as far as Azure AD is concerned.

One con of this approach is possibly too many privileges on the APIs.

Let's say API A requires access to all users' emails in the organization. Now since API B is effectively the same app from AAD's point of view, it also gets this right, though it didn't need it.

Typically we try to follow the principle of least privilege, where every part of the app has exactly the access it needs, and no more. So using the same audience again can go against this.

Another issue is that another app which has rights to call API A also gets rights to call API B.

I can understand your reasoning for avoiding the round trip of fetching an additional token, but tokens can be cached.

Upvotes: 1
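To make the audience point concrete, here is an added example (not code from the question or the answer) that mimics what each API's JWT middleware checks and runs the Client -> webapi1 -> webapi2 chain with one token. It assumes a constructed HS256 demo key and a placeholder issuer; real Azure AD tokens are RS256-signed with keys from the tenant's JWKS, and `Mail.Read` is just an illustrative scope.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: Azure AD signs with RS256 and tenant JWKS keys; HS256 with a
# shared secret is used here only so the example runs offline.
DEMO_KEY = b"constructed-demo-signing-key"
AUTHORITY = "https://login.microsoftonline.com/{tenant-id}/v2.0"  # placeholder issuer


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(aud: str, scp: str, key: bytes = DEMO_KEY, ttl: int = 3600) -> str:
    """Build a compact JWS like the one a client receives from AAD (demo signing)."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": AUTHORITY, "aud": aud, "scp": scp, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate(token: str, expected_aud: str, key: bytes = DEMO_KEY):
    """What each API's middleware does: signature, issuer, expiry, audience. Claims or None."""
    h, p, s = token.split(".")
    expected_sig = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != AUTHORITY or claims.get("exp", 0) <= time.time():
        return None
    aud = claims.get("aud")  # may be a string or a list
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return None
    return claims


def call_chain(shared_audience: bool):
    """Client -> webapi1 -> webapi2 with a single token1; returns (api1_ok, api2_ok)."""
    api1_aud = "xxxx"
    api2_aud = "xxxx" if shared_audience else "api://webapi2"  # assumed separate app ID URI
    token1 = mint_token(aud=api1_aud, scp="Mail.Read")
    return validate(token1, api1_aud) is not None, validate(token1, api2_aud) is not None
```

With a shared audience, token1 passes both APIs, so any caller holding a token for webapi1 can reach webapi2 as well; with separate audiences webapi2 rejects it, which is why a second token (on-behalf-of flow, cached) is the least-privilege option.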
