I am building an app which has backend services (API) and also a frontend (UI) to manage the overall application.
There are other UI applications which will integrate with the API to use the product. These applications are registered under different Azure AD apps (App2) and are also secured by SSO.
Both App2 and App1 are in the same Azure Tenant.
My question is: if a user logs into App2 and gets an ID token and sends the ID token in the header of the API call to App1, can we verify the validity of the token in App1? If yes, can you share some code samples?
If the other UI applications are using SSO with Azure AD in the same tenant, I would like to have them send the ID token; otherwise a client credential grant flow (access token) would be acceptable.
I am in the design phase of the application, so I have not written any code to verify if it is possible. I saw a few code samples which talked about validating via private keys, but I do not think the private keys of one app will be accessible to another app. I am trying to figure out the best way to authenticate users when there are multiple Azure AD app registrations involved.
An ID token will have the "aud" field to indicate who the intended audience of the token is. If an app gets a token and the "aud" field does not match its own application id, then the token must be rejected.
So, the token from one app cannot be used in another app. https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens
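As an added illustration of the `aud` rule in the answer above (example code, not from the question, the answer or Microsoft), here are the claim checks an API would run on an incoming token. The client id, tenant id and sample token are constructed placeholders, and the example assumes the token's signature has already been verified against the tenant's published signing keys by a JWT library before these checks run.

```python
"""Claim checks that make an ID token issued for App2 unusable by App1.
Assumes signature verification (against the tenant's JWKS) has already passed."""
import base64
import json
import time

# Constructed placeholders for the receiving app (App1) and the shared tenant.
APP1_CLIENT_ID = "00000000-0000-0000-0000-000000000001"
TENANT_ID = "11111111-1111-1111-1111-111111111111"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def validate_claims(token: str, own_client_id: str, now=None):
    """Return (ok, reason) after checking aud, iss and exp of a verified token."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return False, "payload is not JSON"
    # "aud" may be a single string or a list; this app must be among them.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if own_client_id not in audiences:
        return False, f"aud {aud!r} is not this app"
    # Only accept tokens minted by our own tenant's v2.0 endpoint.
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, f"unexpected issuer {claims.get('iss')!r}"
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        return False, "token expired"
    return True, "ok"


def make_sample_token(claims: dict) -> str:
    """Constructed sample token for the demo; the signature segment is a dummy."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysignature"
```

A token whose `aud` is App2's client id fails the first check, which is exactly why App1 cannot accept App2's ID token even though both apps live in the same tenant.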