I have a Microsoft Teams tab app which uses SSO for authentication. The way we authenticate an incoming user is something like this:
- Acquire the id_token using the adal javascript client library
- Use the on-behalf-of flow to exchange the id_token for an access_token. The way I do this is to send the id_token to my NodeJS backend in a REST API query string and then receive the access token as the response
What I'm concerned with is the visibility of the id token in the browser's inspect window. Is this a recommended approach in the first place? If not, is there a better way to get the access_token without passing the id_token in a query string to the backend? Also, can we acquire the access_token (using the id_token) directly from the browser without involving the backend? If yes, is that a safe approach?
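The backend half of the exchange described in the question, as an added example that is not code from the question or from the Teams/ADAL libraries: a Node handler that reads the client-side token from the `Authorization: Bearer` header instead of the URL (query strings end up in proxy and server access logs, browser history and Referer headers, whereas headers do not), refuses requests that still carry a token in the query string, and performs the on-behalf-of exchange against the v2.0 token endpoint with the documented `jwt-bearer` grant parameters. It assumes Node 18+ (global `fetch`, `URLSearchParams`); the tenant, client id, secret and scope in `CONFIG` are placeholders, the sample token in the comments is constructed, and `fetchImpl` is injectable only so the flow can be exercised offline. The client secret stays on the server, which is the reason the exchange should not move into the browser.

```javascript
// Added example: token carried in the Authorization header, then exchanged via OBO.
// Assumes Node 18+ (global fetch). CONFIG values are placeholders, not real identifiers.

const OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer";

// Placeholder app-registration values; load the secret from a secret store in practice.
const CONFIG = {
  tenantId: "TENANT_ID_PLACEHOLDER",
  clientId: "CLIENT_ID_PLACEHOLDER",
  clientSecret: "CLIENT_SECRET_PLACEHOLDER", // server-side only, never sent to the browser
  scope: "https://graph.microsoft.com/User.Read",
};

// Extract the token from "Authorization: Bearer <token>". Returns null if absent or malformed.
function extractBearerToken(headers) {
  const value = headers["authorization"] || headers["Authorization"];
  if (typeof value !== "string") return null;
  const match = /^Bearer\s+([A-Za-z0-9\-_.~+/]+=*)$/.exec(value.trim());
  return match ? match[1] : null;
}

// Detect the insecure pattern (token in the query string) so it can be rejected outright.
function rejectTokenInQuery(url) {
  const u = new URL(url, "http://localhost");
  return ["id_token", "token", "access_token"].some((k) => u.searchParams.has(k));
}

// Form body for the OBO request: the v2.0 token endpoint parameters for the jwt-bearer grant.
function buildOboBody(clientToken, config) {
  return new URLSearchParams({
    grant_type: OBO_GRANT,
    client_id: config.clientId,
    client_secret: config.clientSecret,
    assertion: clientToken,
    scope: config.scope,
    requested_token_use: "on_behalf_of",
  });
}

// Exchange the client token for a downstream access token. The STS validates the
// assertion's signature and audience; this code only transports it.
async function exchangeOnBehalfOf(clientToken, config = CONFIG, fetchImpl = fetch) {
  const endpoint = `https://login.microsoftonline.com/${config.tenantId}/oauth2/v2.0/token`;
  const res = await fetchImpl(endpoint, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildOboBody(clientToken, config).toString(),
  });
  const data = await res.json();
  if (!res.ok || !data.access_token) {
    // Keep the upstream error detail server-side; the caller gets a generic failure.
    throw new Error(`OBO exchange failed (${res.status}): ${data.error || "unknown"}`);
  }
  return data.access_token;
}

// Minimal request handler: req = { url, headers }. Token comes from the header, never the URL.
async function handleTokenRequest(req, config = CONFIG, fetchImpl = fetch) {
  if (rejectTokenInQuery(req.url)) {
    return { status: 400, body: { error: "send the token in the Authorization header, not the query string" } };
  }
  const token = extractBearerToken(req.headers);
  if (!token) return { status: 401, body: { error: "missing bearer token" } };
  try {
    const accessToken = await exchangeOnBehalfOf(token, config, fetchImpl);
    return { status: 200, body: { access_token: accessToken } };
  } catch (err) {
    return { status: 502, body: { error: "token exchange failed" } };
  }
}
```

The handler returns the downstream access token to the browser only because the question's design does so; an alternative with a smaller exposure surface is to keep that token server-side and have the backend call the downstream API itself.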