Reputation: 153
We have a Xamarin forms mobile app where users are authenticated by AAD v2 endpoint (MSAL - Microsoft.Identity.Client) and an ASP.NET Web API application where the same users are authenticated by AAD v1 endpoint (ADAL - Microsoft.IdentityModel.Clients.ActiveDirectory).
We would like to have REST calls authenticated in the Web API from the mobile app. We've tried passing v2 authentication tokens but get InvalidAuthenticationToken returned to us.
First of all, I'm not sure whether it is actually possible. This MS presentation from 2017 says that it hasn't been implemented 'yet', but I can't find whether it is now possible. Failing that, is there some other way to get this to work?
Thanks
Upvotes: 0
Views: 164
Reputation: 3237
This should be possible. With a recent change, there is no longer a difference between a v1 or v2 client app; rather, the difference is the targeted "audiences" (e.g. my tenant only, all tenants, Azure AD + MSA) of the APIs they're requesting access to.
Setting that aside, there is still a notion of token version. The version of the token, however, is that of the API, not the client app. For example,
Client A: targets Azure AD only (formally would map to a v1 app)
Client B: targets Azure AD + MSA (formally would map to a v2 app)
API: accepts Azure AD + MSA (formally would map to a v2 app)
In this case, the access tokens issued to Client A and Client B will be in a format understood by the API: v2.0 tokens.
In your case, you can register each client based on the type of users you want to allow access, but ultimately your API will represent the token type issued.
Upvotes: 1
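A practical way to confirm which token format the mobile client actually received (and whether its audience is the one the Web API expects) is to decode the access token's payload and look at the `ver`, `iss` and `aud` claims. The script below is an added example, not code from the question, the answer, or any Microsoft library; it inspects tokens only and does not validate signatures, which the API must still do. The sample tokens are constructed, unsigned placeholders (the tenant ID and audience values are made up), and the `classify_token` helper is hypothetical. It relies on the documented claim shapes: Azure AD v1.0 tokens carry `ver: "1.0"` and an `https://sts.windows.net/{tenant}/` issuer, while v2.0 tokens carry `ver: "2.0"` and an `https://login.microsoftonline.com/{tenant}/v2.0` issuer.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj: dict) -> str:
    # Inverse of _b64url_decode, used only to build the constructed sample tokens.
    raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
    return raw.rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload claims WITHOUT verifying the signature.

    This is for diagnosing which token format the client received; it is not
    a substitute for signature, issuer and audience validation on the API side.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, expected_aud: str) -> dict:
    """Report whether a token is v1.0 or v2.0 and whether its audience matches."""
    claims = decode_jwt_payload(token)
    ver = claims.get("ver")
    iss = claims.get("iss", "")
    # v1.0 tokens: ver "1.0" and an sts.windows.net issuer.
    # v2.0 tokens: ver "2.0" and a login.microsoftonline.com/{tenant}/v2.0 issuer.
    if ver == "1.0" or iss.startswith("https://sts.windows.net/"):
        fmt = "v1.0"
    elif ver == "2.0" or iss.endswith("/v2.0"):
        fmt = "v2.0"
    else:
        fmt = "unknown"
    aud = claims.get("aud")
    return {
        "format": fmt,
        "issuer": iss,
        "audience": aud,
        "audience_matches": aud == expected_aud,
    }


def _make_unsigned_token(claims: dict) -> str:
    # Builds an unsigned ("alg": "none") token for demonstration only; real
    # tokens from Azure AD are signed and must be validated with the tenant's keys.
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}."


# Constructed sample tokens with placeholder tenant and audience values.
PLACEHOLDER_TENANT = "00000000-0000-0000-0000-000000000000"
V1_TOKEN = _make_unsigned_token({
    "ver": "1.0",
    "iss": f"https://sts.windows.net/{PLACEHOLDER_TENANT}/",
    "aud": "api://placeholder-api-app-id",
    "tid": PLACEHOLDER_TENANT,
})
V2_TOKEN = _make_unsigned_token({
    "ver": "2.0",
    "iss": f"https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/v2.0",
    "aud": "placeholder-api-app-id",
    "tid": PLACEHOLDER_TENANT,
})


if __name__ == "__main__":
    for name, tok, aud in (("v1 sample", V1_TOKEN, "api://placeholder-api-app-id"),
                           ("v2 sample", V2_TOKEN, "api://placeholder-api-app-id")):
        print(name, classify_token(tok, aud))
```

Run it against the real bearer token the Xamarin app sends (paste it in place of the samples) and compare the reported format and audience with what the Web API's JWT bearer configuration is set up to accept; a v2.0 token or a mismatched `aud` on an API still configured for v1.0 issuer and App ID URI values is a typical reason for an InvalidAuthenticationToken response.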