We are running a web-app that aggregates data from a lot of providers (Graph, SharePoint, O365 and many other consented aad-based apis.
We route the calls to the respective upstream in our APIMs (Get OBO token and forward the request to upstream).
Our expectation was that the AAD token exchange will be very fast (~200 ms). But we are seeing that it takes around 900 ms on an average.
Since the requests are going from APIM (which doesn't have ADAL Cache), multiple requests from one user to one upstream (say Graph API) gets exchange token (OBO token) several times (for each api hit).
We are thinking of adding a Redis cache to the APIM to cache the tokens.
Before we do that, would like to hear from the experts here,
What is the best way to optimize fetches of multiple OBO tokens. (Eg: Is there a way to fetch more than one OBO token - SharePoint Token, Graph token etc, in a single request to AAD ?
In APIM, what are the token caching best practices. If we add external cache to APIM, what other security measures to be deployed.
Is there any best practices to get the OBO token within 200 ms ?
Thanks in advance