Setup:
In the Web App, in Katana, the OWIN middleware:

    resourceId: https://graph.microsoft.com
    )

Now everything is fine and dandy, I can use the Access Token as Bearer and call Microsoft Graph and get /me user profile, picture and what not.
But how do I call my own Azure AD protected API from my Web App?
I can't just exchange the Authorization Code a second time for a different resourceId. I could context.AcquireTokenAsync() with app_id and app_secret, but the JWT I get back does not contain any user-identifying claim, so now my API doesn't know anything about the calling user; it only knows that the confidential client (my Web App) did indeed present a valid token.
How do I request a token that will successfully call my API and that will carry some sort of user claims? The user principal name or user id is probably enough.
Should I just move all the Microsoft Graph calling logic to the Web API and exchange the Authorization Code for my API's resourceId, or is there an in-place solution to my conundrum? What's the right pattern here? Ok, not right, maybe just better.
Upvotes: 1
You can request a second access token with the same authorization code for another API.
Depending on how you request the access token, the audience of the token might be either the client id or Application ID URI of the API. So you must make sure that both are accepted audiences in the API.
In the case of ASP.NET Core APIs, you can add the following in JWT Bearer authentication config:
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidAudiences = new[] { "https://blabla", "g-u-i-d" }
            };
        });
Upvotes: 1
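The audience rule from the answer above, as an added example that is not part of the question or the answer and is not ASP.NET code: a stdlib-only Python validator that accepts a token whose aud claim is either the API's Application ID URI or its client id, rejects a token issued for a different resource (for example the Microsoft Graph token the question already has), and reports whether the token carries a user-identifying claim (oid or upn) or is app-only, which is the gap the question describes with client-credential tokens. The values https://blabla and g-u-i-d are the answer's placeholders; SIGNING_KEY, make_token and the HS256 signing are constructed so the example runs offline (real Azure AD tokens are RS256-signed and verified against the tenant's published signing keys, but the audience and claim checks are the same).

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholder audiences taken from the answer; in Azure AD these are the API's
# Application ID URI and its client id (a GUID).
API_APP_ID_URI = "https://blabla"
API_CLIENT_ID = "g-u-i-d"
ACCEPTED_AUDIENCES = frozenset({API_APP_ID_URI, API_CLIENT_ID})

# Constructed shared secret so tokens can be minted and checked offline.
# Azure AD issues RS256 tokens; only the signing mechanism differs here.
SIGNING_KEY = b"constructed-example-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Mint an HS256 JWT from constructed claims (test fixture only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, accepted_audiences=ACCEPTED_AUDIENCES, now=None) -> dict:
    """Verify signature, algorithm, expiry and audience; return the claims.

    Raises ValueError when the token must not be accepted by this API.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired or missing exp")
    # aud may be a single string or a list; at least one entry must be ours.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in accepted_audiences for a in audiences):
        raise ValueError(f"audience {aud!r} is not this API")
    return claims


def accepts(token: str, now=None) -> bool:
    """True when validate_token would let the request through."""
    try:
        validate_token(token, now=now)
        return True
    except ValueError:
        return False


def caller_identity(claims: dict):
    """User id the API can authorize on, or None for an app-only token."""
    return claims.get("oid") or claims.get("upn")


if __name__ == "__main__":
    exp = int(time.time()) + 600
    for label, claims in [
        ("aud = App ID URI, delegated", {"aud": API_APP_ID_URI, "oid": "user-1", "exp": exp}),
        ("aud = client id, delegated", {"aud": API_CLIENT_ID, "upn": "alice@example.com", "exp": exp}),
        ("aud = Graph (wrong API)", {"aud": "https://graph.microsoft.com", "oid": "user-1", "exp": exp}),
        ("aud = client id, app-only", {"aud": API_CLIENT_ID, "exp": exp}),
    ]:
        tok = make_token(claims)
        ok = accepts(tok)
        who = caller_identity(validate_token(tok)) if ok else "-"
        print(f"{label:32} accepted={ok!s:5} caller={who}")
```

The two acceptance rules match the answer's ValidAudiences: whichever form Azure AD put in aud, the API takes it. The app-only case is accepted by the audience check but yields no caller identity, which is exactly why the client-credentials token in the question cannot be used to authorize a per-user action.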