Net core application. I have three applications registered in Azure AD:
- React SPA application
- Web API Gateway application
- Protected API application
Whenever a user logs into the SPA application, it redirects to Azure AD with the implicit flow to get an access token. I received an access token as below and used it to access APIs from the gateway layer:
{
"aud": "7851c317b-87e7-4cb3-95f0-37cb52b6f873",
"family_name": "alex",
"given_name": "fernandes",
"hasgroups": "true",
"roles": [
"Admin"
]
}
In the above token, aud is the client id of the SPA application; I added a few of the other details but not all of them.
Now I want to call the Protected API application from the Web API Gateway application.
I am trying with a sample HTTP request in Postman as below.
Request - https://login.microsoftonline.com/45fgh-f30d-4596-gt67-7045b338485a/oauth2/v2.0/token
Body
{
"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
"client_id": "", //unknown: client id of SPA or API Gateway or Protected API
"client_secret": "", //unknown: client secret of SPA or API Gateway or Protected API
"assertion": "Above token",
"scope": "", //unknown
"requested_token_use": "on_behalf_of"
}
Along with the above confusions, I am just wondering whether any configuration is required in Azure AD in order to generate a token for the Protected API. One more thing: does the token generated to access the Protected API have the same user details and role details as the above token generated by the SPA?
Can someone help me with configuring the On-Behalf-Of flow? I am struggling here to get this done. Any help would be appreciated. Thank you.
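As an added example (not code from the question or from Microsoft), here is the v2.0 On-Behalf-Of exchange in Python, sent form-encoded rather than as JSON, with a local check that the assertion was issued to the middle-tier (gateway) API before it is forwarded. The tenant id, client ids, secret and scope are placeholders, and the sample token is constructed and unsigned.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholders (assumptions, not values from the question):
TENANT = "<tenant-id>"
GATEWAY_CLIENT_ID = "<gateway-client-id>"        # the Web API Gateway app registration
GATEWAY_SECRET = "<gateway-client-secret>"
PROTECTED_SCOPE = "api://<protected-api-client-id>/.default"  # scope exposed by the Protected API


def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT (no signature check; local sanity check only)."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def build_obo_request(incoming_token: str, client_id: str, client_secret: str, scope: str, tenant: str):
    """Return (url, form_fields) for the OBO exchange.

    The assertion must be an access token whose audience is the gateway API itself;
    a token issued for the SPA (aud == SPA client id) is refused before any request is made.
    """
    aud = jwt_payload(incoming_token).get("aud")
    if aud not in (client_id, f"api://{client_id}"):
        raise ValueError(f"assertion audience {aud!r} is not the gateway API {client_id!r}")
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    fields = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,          # the caller (gateway), not the SPA or the Protected API
        "client_secret": client_secret,  # the gateway's own secret
        "assertion": incoming_token,     # the token the gateway received from the SPA
        "scope": scope,                  # what the gateway wants on the Protected API
        "requested_token_use": "on_behalf_of",
    }
    return url, fields


def exchange(url: str, fields: dict) -> dict:
    """POST the exchange as application/x-www-form-urlencoded and return the JSON token response."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fake_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

Calling `exchange(*build_obo_request(token, GATEWAY_CLIENT_ID, GATEWAY_SECRET, PROTECTED_SCOPE, TENANT))` with a real gateway-audience token performs the exchange; the roles and identity claims in the returned token are whatever Azure AD issues for the Protected API, not a copy of the SPA token.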