I'm developing an Outlook add-in that consists of a React front-end and a dotnet core back-end service. I retrieve an access token using the Office.js lib.
Office.context.mailbox.getCallbackTokenAsync({ isRest: true }, async (result: Office.AsyncResult<string>) => {
  // result.value holds the token only when result.status === Office.AsyncResultStatus.Succeeded
  const accessToken = result.status === Office.AsyncResultStatus.Succeeded ? result.value : undefined;
});
The access token is sent to the back-end service and used to retrieve Graph access and refresh tokens.
My question: should I also be using the Office.js access token as an Authorization header in requests from the add-in front-end to the back-end? Would it provide any additional level of security, or can I discard it once I've retrieved the Graph tokens?
The token you're getting back is only usable with Microsoft Graph, and only for that user's mailbox. If you decode the token using https://jwt.ms you can see exactly which scopes are assigned (it's very limited).
If you want to leverage the user's identity for your own backend, there are a couple of options.
There is an overview of authentication available at Authentication options in Outlook add-ins.
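As an added example (not code from the question or the answer), here is a small inspection of the callback token's claims along the lines of what jwt.ms shows: it decodes the payload without verifying the signature and checks the audience and scopes, which is exactly why a token minted for Graph should not be accepted as a bearer credential by your own back-end. The sample token is constructed inline; real claim values vary.

```javascript
// Decode a base64url segment (JWT payloads are unpadded base64url).
function base64UrlDecode(segment) {
  const padded = segment.replace(/-/g, "+").replace(/_/g, "/") +
    "=".repeat((4 - (segment.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Parse the claims of a compact JWS. This is inspection only: it does NOT
// verify the signature, so never use it as an authorization decision.
function decodeJwtClaims(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// True only if the token names the given API as its audience. A back-end
// validating bearer tokens must reject any token whose aud is not itself,
// which is what a Graph-audience callback token would fail.
function isIntendedFor(token, expectedAudience) {
  const claims = decodeJwtClaims(token);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  return aud.includes(expectedAudience);
}

// Scopes granted to the token (the space-separated "scp" claim).
function scopesOf(token) {
  const claims = decodeJwtClaims(token);
  return typeof claims.scp === "string" ? claims.scp.split(" ") : [];
}

// Constructed sample: header and payload built here, signature is a dummy.
function makeUnsignedSample(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.sig`;
}

const SAMPLE_GRAPH_TOKEN = makeUnsignedSample({
  aud: "https://graph.microsoft.com", // constructed; a Graph-only audience
  scp: "Mail.Read",                   // constructed; real scopes vary
  exp: 4102444800,
});

console.log(scopesOf(SAMPLE_GRAPH_TOKEN));
console.log(isIntendedFor(SAMPLE_GRAPH_TOKEN, "api://my-addin-backend")); // false
```

The placeholder audience "api://my-addin-backend" stands in for whatever App ID URI your own back-end registers; the point is that the Graph token never matches it.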