Azure AD authentication for multiple domains

Question

I have a cordova application which I am authenticating using azure AD cordova plugin and it all works fine. But now I am integrating services published in another domain and I am unable to authenticate these services using the mobiletoken generated after authentication. Can someone guide me how to secure multiple domain APIs published as Azure web APIs and use token to access the secured APIs.

I have tried to modify the secured settings in azure portal of one of the APIs by including reply URLs for both the APIs

When I include the token in the header of the ajax requests going into 2nd domain endpoints, I just get "unauthorized" error.

Answer 1

It sounds like you're able to get an access token in a Cordova setting and you're having issues accessing multiple web apis after the user has logged in.

The authentication protocol I would suggest you utilize is the on-behalf of flow which is doocumented here : https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow

Per the summary :

The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform, on behalf of the user.

This is to get a new access token with the right audience to gain access to web api 2.