I would like some clarification on how to use ID tokens and access tokens in an implicit grant flow. I have an Angular SPA using MSAL.js for Angular package and a Web API. The API does NOT call any external services, like MSFT Graph. The back end uses role claims from JWT to establish RBAC authorization to our API functionality only.
This doc says: https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens
id_tokens are sent to the client application as part of an OpenID Connect flow. They can be sent along side or instead of an access token, and are used by the client to authenticate the user.
ID Tokens should be used to validate that a user is who they claim to be and get additional useful information about them - it shouldn't be used for authorization in place of an access token.
This doc shows an authentication flow where a web API is called with an ID token instead of an access token: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
This sample code sends ID token too (calling own Web API sample): https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-dotnet-webapi-v2
The sample back end validates ID token audience against Client ID of the app that issued it.
Given our API is the only consumer of tokens, should we use ID tokens or access tokens?
aud
claim of the access token will have the client ID of your API (i.e. the app ID of the app registration for the API). This will only be the app ID of the client when you're using the same app registration for both the frontend and backend. In all cases, the token your frontend is sending to the API is the access token, not the ID token. MSAL does not make API requests to your backend. When calling any of theacquireToken...
functions, MSAL will return an access token to he used by the application's code when calling the backend. – Philippe Signoret