Validate an Azure AD token with an Angular + ASP.NET Core web app

We are trying to create an Angular app that uses a custom ASP.NET Core backend. The users of this app authenticate using Azure AD accounts, so the backend does not handle their credentials: authentication is handled between Angular and Azure. The backend may call some Web APIs on behalf of the user to collect basic information, and needs to store some data tied to users, and so it needs to know which user sends requests from Angular.

On the Azure side, we have an app registration configured to use the auth code + PKCE flow. It contains some custom claims in case that’s relevant.

The problem we have is that we are having trouble setting up the backend so that it can check that the tokens sent by the Angular app are valid. By default, Angular sends to the backend a Bearer token containing the access token that it received from Azure. This token is not in JWT format, and so I don't think I can do anything with it, as the Azure docs seem to imply that if the token is not JWT, the format used is proprietary and not meant to be parsed.

How can the backend check that the call coming from Angular contains a legitimate Azure token? Should we manually include the ID Token, which we receive from Azure, in all the requests to the backend, which we could probably check? Should we call some Azure endpoint from the backend to validate this unreadable access token?

The Angular app uses the angular-oauth2-oidc package to handle logging in.
The backend uses ASP.NET Core 7.0, as well as the OpenIddict library.
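The following is an added example of how an ASP.NET Core 7.0 backend can validate an Azure AD bearer token locally, using the built-in JwtBearer handler rather than a call to an Azure endpoint. It is not code from the question or from any of the libraries it mentions. It assumes the backend has an app registration that exposes a delegated scope named access_as_user, and that the Angular app requests that scope (api://<backend-client-id>/access_as_user) so that the access token it forwards is issued for this backend and is a signed JWT; the tenant ID, client ID, scope name and the /api/me route are placeholders for illustration.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed placeholder values: replace with your tenant ID and the backend
// app registration's client (application) ID.
const string TenantId = "00000000-0000-0000-0000-000000000000";
const string ApiClientId = "11111111-1111-1111-1111-111111111111";
const string RequiredScope = "access_as_user"; // assumed scope name exposed on the API registration

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The v2.0 authority publishes an OpenID Connect discovery document; the handler
        // downloads the tenant's signing keys (JWKS) from it and caches them, so signature
        // validation happens locally without a per-request call to Azure.
        options.Authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";

        // Keep the raw JWT claim names (scp, oid, name) instead of the legacy
        // http://schemas.microsoft.com/... mapping, so claim lookups below are unambiguous.
        options.MapInboundClaims = false;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = $"https://login.microsoftonline.com/{TenantId}/v2.0",
            ValidateAudience = true,
            // v2.0 access tokens carry the bare client ID as "aud"; v1.0 tokens carry the
            // api://<client-id> application ID URI. Accept both for the same registration.
            ValidAudiences = new[] { ApiClientId, $"api://{ApiClientId}" },
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
            ValidateIssuerSigningKey = true,
            NameClaimType = "name",
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Audience validation proves the token was issued for this API; the scope check
    // additionally proves the user consented to this specific delegated permission.
    options.AddPolicy("AccessAsUser", policy =>
        policy.RequireAuthenticatedUser()
              .RequireAssertion(ctx =>
                  (ctx.User.FindFirst("scp")?.Value ?? string.Empty)
                      .Split(' ', StringSplitOptions.RemoveEmptyEntries)
                      .Contains(RequiredScope)));
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Illustrative endpoint: returns the identity the backend should key user data on.
app.MapGet("/api/me", (HttpContext ctx) =>
{
    // "oid" is the user's immutable object ID in the tenant; prefer it over email or
    // display name, which can be changed by an administrator.
    var oid = ctx.User.FindFirst("oid")?.Value;
    var tid = ctx.User.FindFirst("tid")?.Value;
    return Results.Ok(new { oid, tid, name = ctx.User.Identity?.Name });
}).RequireAuthorization("AccessAsUser");

app.Run();
```

With this in place the Angular app keeps sending the access token as a Bearer header; nothing else (such as the ID token) needs to be forwarded, because the ID token is issued to the Angular client as its audience and is not meant to be accepted by the backend. The handler rejects tokens with a bad signature, wrong issuer, wrong audience or expired lifetime before any endpoint code runs, and the policy turns a token for a different resource in the same tenant into a 403.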