I am currently struggling with some web applications I would like to have protected with an Azure Login. The applications are running as Azure Web Apps in a dedicated VNET and VPN tunneled to our on-premise network. Only users within our directory are allowed to log in to the application. Most of the applications consume multiple different protected backend APIs. Some of the backend APIs might also have to make requests to other APIs.
For an example client application I used the following configuration:
Now, when a user logs in to the application, I need to get a token by using the received refresh token and the right scope to access a certain API. If the API then needs to make a call to another protected API, I somehow need to get a valid token with the new scope. As the first API only gets the access token in the header, the API cannot request a new access token with the suitable scope for the second API.
How can I solve this issue? Is it even possible to make nested API calls on behalf of a user logged in to the top level client application, or do I need to make these API calls on behalf of the API itself?
It is possible with the on-behalf-of flow: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-on-behalf-of-flow.
This flow exchanges the access token received by the API + the API client credentials for another application's access token. The new token will also contain the user's information.
I would recommend using libraries like MSAL to handle this flow so you don't need to worry too much about the details of the protocol.
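The exchange described in the answer, as an added example that is not part of the original post or of MSAL: it builds the on-behalf-of request the first API sends to the v2.0 token endpoint, exchanging the user's incoming access token plus the API's own client credentials for a token scoped to the second API. It assumes the first API has already validated the incoming token with its normal auth middleware; the tenant, client id, scopes and the sample token are constructed placeholders.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Microsoft identity platform v2.0 token endpoint and the OBO grant type.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def jwt_claims(token: str) -> dict:
    """Read the payload of a JWT without validating it.
    Assumption: the API's auth middleware has already checked the
    signature, issuer, audience and expiry before the token reaches here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_obo_request(tenant, client_id, client_secret, incoming_token,
                      downstream_scopes, expected_audience):
    """Build the POST body that exchanges the user's incoming access token
    for one scoped to the downstream API (the token keeps the user's identity)."""
    if jwt_claims(incoming_token).get("aud") != expected_audience:
        # Only forward tokens that were actually issued for this API.
        raise ValueError("incoming token was not issued for this API")
    data = {
        "grant_type": OBO_GRANT,
        "client_id": client_id,            # the first API's own app registration
        "client_secret": client_secret,    # the first API's client credential
        "assertion": incoming_token,       # the user's token from the Authorization header
        "scope": " ".join(downstream_scopes),
        "requested_token_use": "on_behalf_of",
    }
    return TOKEN_URL.format(tenant=tenant), data


def exchange_token(url: str, data: dict) -> str:
    """Send the OBO request; returns the downstream access token (needs network)."""
    req = urllib.request.Request(url, data=urlencode(data).encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def constructed_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = b64({"alg": "none", "typ": "JWT"})
    return f"{header}.{b64(claims)}.sig"
```

The second API validates the returned token exactly as the first one did, and can repeat the same exchange if it needs a third API.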