Frontend Application (React js)
I implemented an SPA in React.js which is integrated with Azure AD OAuth2 (Implicit Flow) by referring to this documentation, so this is my login functionality in the application. In the end, I get a response that also includes an access token.
Backend Application (Node js)
I also created a REST API that has different endpoints (like the list of products, the list of orders, and updating product details). Before accessing a particular endpoint I want to authorize the user, to check whether he has access to that endpoint, since I have two roles in my application (Admin and Normal User). I am running the backend service on my local machine.
I have read in many blogs and forums that the access token is used for authorization on our resource server.
How do I check from the backend service whether the Azure access token is valid, and how do I authorize the respective endpoint depending on whether the user has access or not? Or please suggest the right process to securely access my backend endpoints.
Thanks in advance.
Upvotes: 1
Views: 544
Basically, once the server side gets a request from a client, it should check the claims in the access token carried in the client's request header, for instance which scope claim is allowed to access this API.
You can use passport-azure-ad with your Node.js server to do this easily, and this is the official sample code for it.
In this demo, you can easily configure the claims that you want to check via the options in index.js.
Demo result: get an access token with the access_as_user scope:
Call the backend and pass the auth process successfully:
Upvotes: 1