How to validate Microsoft Graph API jwt access_token and secure your API?

Front-end · Unresolved · 2 · 1611
孤独总比滥情好 2021-01-07 14:44

Scenario:

I have an Angular 5 client application, which uses hello.js to authenticate users with their Office 365 credentials.

Client Code:

2 answers
    一向 (original poster)
    2021-01-07 14:50

    Yeah, this took a bit to work through. For anyone else researching this, here's my understanding.

    You don't use the Microsoft Graph API to secure your web api. Instead:

    1. The client continues to use the Microsoft Identity Platform to authenticate.

    2. The client uses the resulting JWT access token to call the Web API, as normal for the OAuth 2.0 flow.

    3. The web API uses JwtBearerAuthenticationScheme, setting the authority to the Microsoft identity platform. See this example and search for JwtBearerAuthenticationScheme.

    4. The web API uses the provided access token to obtain an 'On Behalf Of' user token.

    5. The web API calls the Graph API using this 'On Behalf Of' token. This token has a different lifespan than the token the client obtained, and refreshes must be handled separately.

    This is a very distilled version of this example. Disclaimer: I haven't put this into practice yet.
