I'm by no means an expert on MSAL/JWT/Graph authentication, but I'm hoping someone can explain this issue more clearly to me, or help me understand if there's a workaround or better approach.
Essentially, there are certain scenarios where I might end up with a Microsoft Graph JWT token. Two examples I can think of easily are using the Microsoft Graph Toolkit or using Tabs SSO in Microsoft Teams. In both cases, I can get relevant identity information for the user from the JWT token I would have already (via Graph Toolkit or via Teams SSO) - their Azure AD Object Id and their Tenant Id. However, I can't use that same token to my own backend API, because, from my research, I can't perform basic token verification against that JWT token. I'd like to be able, for example, to store information against that user and tenant Id combination.
I do understand that I can do my own authentication (e.g. MSAL.js), and I can even use the SAME Azure AD Application by extending its use, but it would be much easier to simply use the token I have access to already, if there was just a way to validate it. In Teams, as an example, the SSO user experience is nicely integrated, but I'd need to put the user through ANOTHER signin, potentially even for the SAME Azure AD Application. [Update: so technically it's not another 'sign-in' - the user is signed in already, hence 'SSO', but they need to consent again, in this case against the very same app they consented to a moment before].
So, my question is, is there any way to safely verify the existing token?
