Tags: azure, oauth-2.0, azure-active-directory, adal, azure-ad-msal

Azure AD: id_token as bearer token


I have an application registered in Azure AD.

If I am using the same Application ID at the level of the Web API and at the level of the client (SPA application), why do both Azure AD auth libraries (ADAL JS for Azure AD v1 and MSAL.js for Azure AD v2) use the ID token as a bearer token when calling the Web API, instead of requesting and using an access token? Doesn't this go against the spec?


Solution

  • According to the official documentation, this might be your case.

    "The OAuth 2.0 implicit flow in Azure AD is designed to return an ID token when the resource for which the token is being requested is the same as the client application. In other words, when the JS client uses ADAL JS to request a token for its own backend web API registered with same App ID as the client, an ID token is returned and cached by the library. Note that in this case the resource should be set to the App ID of the client (App ID URI will not work). This ID token can then be used as a bearer token in the calls to your application's backend API."

    You can find more about this here!

    https://github.com/AzureAD/azure-activedirectory-library-for-js/wiki/Acquire-tokens