Difference between AD token obtained using ADAL & ADAL JS

0
votes

I have a unique scenario where the authentication is done against Azure AD using Open ID Connect middle-ware, now once the application is authenticated and session established, I would need to make AJAX calls to WebAPI services sitting on the same server.

I'm planning to return the Id/ access token's cached on the server back to the client and store it in session storage.

Is there any security implication with this approach, I mean is there any difference between token obtained through ADAL JS or ADAL?

1
adaladal.jsazure-active-directory

1 Answers

2
votes

I don't recommend doing so. Access and ID tokens obtained by a confidential client are different form the ones obtained by a public one, and in Azure AD tokens issued via implicit flow have extra differences because of heuristics aimed at containing their size. There is a cleaner solution to your scenario. Once you signed in using OpenID Connect, your browser has a session cookie with Azure AD. If you inject in your pages a hidden iframe, and you use that iframe for driving implicit grant requests for tokens via javascript, you can have your JS frontend obtain its own tokens without having to circulate tokens acquired elsewhere in your topology. This is exactly what ADAL does for renewing tokens and for getting new tokens after sign in. Unfortunately we have no samples for this approach, but you can examine ADAL JS' source to see how that works.