the programmer

Reputation: 43

problem in azure app api (restricting access to specific client app)

I'm following this tutorial https://fluentjs.medium.com/angular-spa-and-node-js-api-with-azure-ad-for-authentication-in-2021-b2974666c2eb to create an Angular app and a Node.js API in Azure app registration. When exposing an API, even if I don't add the Angular client ID to it, I can still get a token and authorize to the Node.js API. Here I have another client ID, so basically I'm using an Angular app which is not set in the Node.js exposed API.

Here is my Angular environment:

And here is my Node.js config.js:

How am I able to get authorization to the Node.js API from an Angular app to which I have not exposed the API?

Upvotes: 0

Views: 248

Answers (1)

Rukmini

Reputation: 15519

I created a backend app and Exposed an API (Admins only) like below:

Added Authorized client applications:


Now I tried to access the backend app with another app which is not added as a client application:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID 
scope:api://backendappID/access_clientapp
grant_type:authorization_code  
code:code  
redirect_uri:https://jwt.ms 
client_secret:Secret

And an access token is generated successfully:

And using this access token, the application can access the API.

Note that you cannot prevent Azure Active Directory from generating an access token for the backend API for any other application. You can simulate the restriction in the API code itself when doing the auth, specifically by looking for a claim that should only exist if the token was generated via the client application.

Reference:

oauth 2.0 - Azure Active Directory - How to restrict Backend API App Registration to a specific client App Registration - Stack Overflow by Rohit Saigal

Upvotes: 1
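The claim check the answer describes, as an added example that is not code from the question, the answer or the linked tutorial: an Express-style guard for the Node.js API that accepts only tokens issued to an allow-listed client application. It assumes signature, issuer and audience validation has already run (for example via passport-azure-ad) and left the verified claims on `req.authInfo`; the GUID in the allow-list is a constructed placeholder.

```javascript
// Added example: restrict a Node.js API to specific Azure AD client apps by
// checking which application the token was issued to. Assumes the JWT has
// ALREADY been validated (signature, issuer, audience) by an upstream
// middleware that stores the verified claims on req.authInfo.

// Constructed placeholder: the Angular SPA's application (client) id.
const ALLOWED_CLIENT_IDS = new Set([
  '11111111-1111-1111-1111-111111111111',
]);

// Azure AD records the calling application's id in `azp` for v2.0 tokens
// and in `appid` for v1.0 tokens; accept either so the check survives a
// change of token version on the app registration.
function callingAppId(claims) {
  return claims.azp || claims.appid || null;
}

// Returns { ok: true, appId } or { ok: false, reason } so the caller can log why.
function checkAuthorizedClient(claims, allowed = ALLOWED_CLIENT_IDS) {
  const appId = callingAppId(claims);
  if (!appId) {
    return { ok: false, reason: 'token carries no azp/appid claim' };
  }
  if (!allowed.has(appId)) {
    return { ok: false, reason: `client application ${appId} is not authorized` };
  }
  return { ok: true, appId };
}

// Express middleware factory. Mount it AFTER the JWT-validating middleware,
// e.g. app.use(passport.authenticate(...), requireAuthorizedClient()).
function requireAuthorizedClient(allowed = ALLOWED_CLIENT_IDS) {
  return function (req, res, next) {
    const result = checkAuthorizedClient(req.authInfo || {}, allowed);
    if (!result.ok) {
      // Log the rejection so unexpected callers show up in the API's audit trail.
      console.warn(`rejected token: ${result.reason}`);
      return res.status(403).json({ error: 'client application not authorized' });
    }
    return next();
  };
}
```

Because the allow-list is enforced by the API rather than by Azure AD, it also covers the case the answer demonstrates, where a token for the backend scope is obtained by an application that is not listed under Authorized client applications.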
