devmiles.com

Reputation: 10014

Choosing authentication flow for a web app with SPA at front end

I'm developing an application that uses Microsoft Graph. It used to be an ASP .NET Framework web app using Razor pages but was almost completely converted to an Angular SPA with an ASP .NET backend. Currently we're using the Authorization Code Flow on the backend to log the user in. The Web API has sessions enabled, so the client simply uses the same cookies as it did before when it was a Razor app. But lately we've been thinking more and more about doing some Graph requests directly on the client, and now I'm looking for a proper way to refactor our authentication to better satisfy the following requirements:

  1. Log users in and process this on the server, so that the server can use delegated Graph permissions and call Graph API.
  2. Provide a way for the client to call Graph directly without using our server.
  3. Comply with current best practices for doing #2 on the client.
  4. Work with third party cookies disabled when we're in an IFRAME (our app can be displayed and works with SharePoint online as well as AD logins).

I'm not sure what the best way is to share the access token that the server gets for accessing Graph, or if it's even feasible from a security point of view. Should I log in with the server first and then use MSAL.js and log in again with a login_hint (so hopefully without the user entering their credentials twice)? I will appreciate any input.

Upvotes: 0

Views: 415

Answers (1)

jasonnutter

Reputation: 678

Should I log in with the server first and then use MSAL.js and log in again with a login_hint (so hopefully without the user entering their credentials twice)?

Yes, this is our recommended approach. You can use the MSAL.js ssoSilent method to attempt to silently authenticate the user client-side, using the login_hint (or sid) from their existing session.

Upvotes: 1
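The approach the answer describes, as an added example that is not code from the question, the answer, or the MSAL.js project: the client tries ssoSilent with the login_hint (or sid) the server already holds from its own Authorization Code Flow session, and only falls back to interactive sign-in when MSAL reports that interaction is required (for instance, when third-party cookies are blocked inside an iframe). The MSAL client is injected rather than constructed so the logic runs outside a browser; the scopes and the iframe/popup choice are assumptions for the illustration.

```javascript
// Added example (not from the question or answer): attempt client-side SSO
// with MSAL.js, seeded with the login_hint (or sid) the server already holds
// from its own Authorization Code Flow session, and fall back to interactive
// sign-in only when the identity provider says interaction is required.
//
// The MSAL client is injected so the logic runs outside a browser; in the app
// it would be `new PublicClientApplication(config)` from @azure/msal-browser.

const GRAPH_SCOPES = ["User.Read"]; // assumed scopes for direct Graph calls

// MSAL.js signals "silent is impossible" with InteractionRequiredAuthError
// (e.g. no IdP session, or third-party cookies blocked inside an iframe).
function isInteractionRequired(err) {
  return Boolean(err) && (err.name === "InteractionRequiredAuthError" ||
    err.errorCode === "interaction_required");
}

/**
 * hint: { loginHint?: string, sid?: string } taken from the server session.
 * inIframe: MSAL refuses loginRedirect inside an iframe, so use a popup there.
 * Returns { account, method } so callers can see which path was taken.
 */
async function establishClientSession(msalClient, hint, inIframe) {
  const request = { scopes: GRAPH_SCOPES, ...hint };
  try {
    const result = await msalClient.ssoSilent(request);
    return { account: result.account, method: "ssoSilent" };
  } catch (err) {
    if (!isInteractionRequired(err)) throw err; // genuine failure: surface it
    if (inIframe) {
      const result = await msalClient.loginPopup(request);
      return { account: result.account, method: "loginPopup" };
    }
    await msalClient.loginRedirect(request); // navigates away; no result here
    return { account: null, method: "loginRedirect" };
  }
}
```

Because ssoSilent never prompts, a non-interaction error (network, misconfiguration) is rethrown instead of being hidden behind a second login.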
