Search code examples
oauthazure-active-directoryasp.net-core-3.1webapiauth-token

Should the AngularJS application send the AuthToken or IDToken? When do use ID token vs Auth Token?

I have the following configuration in my ASP.NET Core Web API:

// Adds Microsoft Identity platform (AAD v2.0) support to protect this Api
services.AddMicrosoftIdentityWebApiAuthentication(configuration);

services.AddControllers(options =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireClaim("email")
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
});

I have an Angular client application that sends the AuthToken with each request.

Below is my asp.net WEB API controller

[Route("[controller]")]
public class UserController : ControllerBase
{
    [HttpGet]
    public IActionResult Get()
    {
        //Get User Email ID from Claims
        //Get User details from Database
        //Return the User Details
        ...
    }
}

In the asp.net WEB API controller, I need to get the Email claim from the Auth Token.

Should the AngularJS application send the AuthToken or IDToken? When do use ID token vs Auth Token?

Update : OpenID Connect is built on top of OAuth2.

WEBAPI: An access_token is useful to call certain APIs in Auth0 (e.g. /userinfo) or an API you define in Auth0.

WEBAPP: An id_token is a JWT and represents the logged in user. It is often used by your app.

CONSOLE/MOBILE APP : A refresh_token (only to be used by a mobile/desktop app) doesn't expire (but is revokable) and it allows you to obtain freshly minted access_tokens and id_token

My question still remains the same? If the webapp or console app requires the claims, should we need AuthToken?

Update:#2 https://www.youtube.com/watch?v=M4JIvUIE17c

Solution

  • Please note that, access tokens are used to perform actions like authentication and authorization to protect the web APIs.

    ID tokens are generated by authorization server and contains the claim of the user information, and these claims can be used for the UX in your application.

    AFAIK as your application sends the AuthToken with each request you can use the same token to get Email claim.

    Make sure to add email API permissions like below:

    Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> Api Permissions

    enter image description here

    Try to give the scope = api://{app id of the AAD app which represents the web api}/.default openid as mentioned by Allen Wu in this SO Thread.

    I tried to generate an access token with above scope and got the claims successfully like below:

    enter image description here

    Please note that, you can get the email claim either by using AuthToken or IDToken.