I have a ASP.NET Web Forms site where users will login using Azure Active Directory. As a client it calls Asp.Net Core Web Api site, that will return some information depending on customer roles. The approach is similar to https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore sample.
Each application in the sample has it's own Azure Active Directory application. My application has quite a few application roles and maintain them in both applications can be annoying and error-prone. I want client and service to use the same AAD application to avoid maintain the same roles in 2 AAD applications.
I haven't seen such architecture in examples, is any problem with such approach?
I tried to implement it and received a "promising" error, that "scenario is supported".
AADSTS90009: Application is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.
Unfortunately I don't understand how to specify resource "using the GUID based App Identifier". In the request I already using GUID resource=https%3A%2F%2FMyDomain.onmicrosoft.com%2Fe0a25761-XXXX-XXXX-XXXX-2aefc7e3134d
Advice to change some GUID on MS Forums thread https://social.msdn.microsoft.com/Forums/azure/en-US/3de0c14d-808f-47c3-bdd6-c29758045de9/azure-ad-authentication-issue-aadsts90009?forum=WindowsAzureAD#cf3986f5-3422-44d1-bcb7-3a4201f68fa2(I asked for clarifications there) also is not clear.
So my question is: Can I share the same AAD application between client and Service, and, if yes, how to do it?