
how multiple azure apps can use the same jwt token for authentication


We have two REST APIs which are hosted in Azure Kubernetes. These APIs use Azure Apps for authenticating users through SSO. We are planning to get the token from one API (which is connected to its own app) and use it in the other API (which is connected to another app). Is there a way to achieve this goal? Currently the token generated in api1 is not valid in api2 and vice versa. For APIs we are using this configuration. Hope my question is clear; please let me know if I need further clarification.

User impersonation and scope (more details are here)

We are using access_token and OAuth2. This is very similar to mine, but we are not planning to access Azure resources, so not sure if the answer to this question still holds for our problem.

I came across this but not sure if this is the best solution or even a solution.

To clarify, all the azure apps, and APIs are in one tenant.


Solution

  • I agree with @Jack Jiang: you can make use of the On-Behalf-Of flow to achieve your scenario.

    I created three Azure AD applications as a sample: webapi1, webapi2 and webapi3.

    In webapi1, I added below Api permissions:


    In webapi2, I added below Api permissions:


    I generated access token for webapi1 using below parameters via Postman:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    
    client_id:webapi1ClientId
    scope:api://webapi2ID/webapi2.read
    grant_type:authorization_code
    redirect_uri:https://jwt.ms
    code:code
    client_secret:ClientSecret
    


    Using the above generated access token, I tried to call webapi3 Api like below:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    
    client_id:webapi2ClientID
    client_secret:ClientSecret
    grant_type:urn:ietf:params:oauth:grant-type:jwt-bearer
    assertion:access_token_generatedabove
    requested_token_use:on_behalf_of
    scope:api://webapi3ID/webapi3.read
    


    Otherwise, you can make use of Client Credential flow to call the Apis.

    Reference:

    Microsoft identity platform and OAuth2.0 On-Behalf-Of flow - Microsoft Entra
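The following is an added example (not the answerer's code and not Microsoft's) that shows both halves of the answer in one script: why api1's token is rejected by api2 (the audience check that every resource server must perform), and how api2 would build the second token request from the answer, the On-Behalf-Of exchange, to obtain a token for a downstream API. The token is a constructed HS256 demo so it runs offline; real Entra ID access tokens are RS256-signed and must be verified against the tenant's JWKS keys. `TenantID`, `api://webapi1ID` and `api://webapi3ID` are placeholders taken from the answer, and `build_obo_request` / `validate_for_api` are names chosen here.

```python
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request

TENANT_ID = "TenantID"  # placeholder from the answer; use the real tenant GUID
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_demo_token(claims: dict, secret: bytes) -> str:
    """Constructed HS256 token for this demo only. Entra ID issues RS256 tokens;
    a real API verifies them with the tenant's published signing keys."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_for_api(token: str, expected_audience: str, secret: bytes, now=None) -> dict:
    """Verify signature, expiry and audience. A token minted for api1 carries
    aud=api1, so api2 must reject it: this is the 'not valid in the other API'
    behaviour from the question, and it is correct, not a misconfiguration."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # In Entra ID the aud is the API's Application ID URI or client ID,
    # depending on the token version; the constant below is a placeholder.
    if claims.get("aud") != expected_audience:
        raise ValueError(f"audience mismatch: token is for {claims.get('aud')}, not {expected_audience}")
    return claims


def build_obo_request(client_id: str, client_secret: str, incoming_token: str, downstream_scope: str) -> dict:
    """Form body for the second request in the answer: the middle-tier API
    (webapi2) exchanges the token it received for one addressed to webapi3."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": incoming_token,
        "requested_token_use": "on_behalf_of",
        "scope": downstream_scope,
    }


def post_form(url: str, form: dict) -> dict:
    """Send a form-encoded POST to the token endpoint (not called offline)."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def demo():
    """Walk through: token for webapi1 is accepted by webapi1, rejected by
    webapi2, and webapi2 would instead request its own downstream token via OBO."""
    secret = b"demo-signing-key"  # constructed; stands in for the issuer's private key
    now = 1_700_000_000
    token_for_api1 = mint_demo_token(
        {"aud": "api://webapi1ID", "scp": "webapi1.read", "sub": "user-123", "exp": now + 3600}, secret
    )
    accepted = validate_for_api(token_for_api1, "api://webapi1ID", secret, now=now)
    try:
        validate_for_api(token_for_api1, "api://webapi2ID", secret, now=now)
        rejection = None
    except ValueError as err:
        rejection = str(err)
    obo_form = build_obo_request("webapi2ClientID", "ClientSecret", token_for_api1, "api://webapi3ID/webapi3.read")
    return accepted, rejection, obo_form


if __name__ == "__main__":
    accepted, rejection, obo_form = demo()
    print("api1 accepted scopes:", accepted["scp"])
    print("api2 rejected because:", rejection)
    print("OBO request api2 would POST to", TOKEN_ENDPOINT, ":", {k: v for k, v in obo_form.items() if k != "client_secret"})
```

The design point is that the cross-API failure in the question is the audience check working as intended; the fix is not to loosen that check but to let the second API obtain a token addressed to the downstream API, which is what `build_obo_request` assembles and `post_form` would send.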