What are the best practices for SSO (single sign-on) in the frontend with OAuth 2.0 using the authorization code flow with PKCE, and for accessing the Graph API in the backend?
Earlier I was using react-adal and the implicit flow to retrieve a token in the frontend and access the backend with that. The backend uses the azure-active-directory-spring-boot-starter library. After the request, the backend accesses the Graph API to get the needed information. It was a Web Application in Azure AD.
Currently I access the id token and the access token in the frontend with msal-react. So this means I'm now using the SPA (single-page application) type in Azure AD with the authorization code flow. In the frontend I retrieve both the access token and the id token. To access the backend I need the id token. But I need the access token too, so that the backend can access the Graph API. I don't think it is a good idea to send both of them in a header, or to send them at all. Both the frontend and the backend use the same Azure application. The backend has a secret. Importantly, I do not need the frontend to access the Graph API directly. But is it a good approach to send both the id token for backend authentication and the access token for accessing the Graph API on the backend side?