Scenario: Web app that calls web APIs
Learn how to build a web app that signs in users on the Microsoft identity platform and calls web APIs on behalf of the signed-in user.
Before reading this article, you should be familiar with the following concepts or read the following articles:
- Microsoft identity platform overview
- Authentication basics
- Application and service principals
- Permissions and consent
- ID tokens and access tokens
This scenario supposes that you've gone through the following scenario:
You add authentication to your web app, which can therefore sign in users and call a web API on behalf of the signed-in user.
Web apps that call web APIs:
- are confidential client applications.
- have therefore registered a secret (application password or certificate) with Azure AD. This secret is passed in during the call to Azure AD to get a token.
Adding sign-in to a web app does not use the MSAL libraries, because sign-in is about protecting the web app. That protection is provided by libraries named middleware. This was the subject of the previous scenario, Sign-in users to a Web App.
When calling web APIs from a Web App, you will need to get access tokens for these web APIs. You can use MSAL libraries to acquire these tokens.
The end-to-end developer experience for this scenario therefore has the following specific aspects:
- During application registration, you'll need to provide one or several (if you deploy your app to several locations) reply URIs. Secrets or certificates also need to be shared with Azure AD.
- The application configuration needs to provide the client credentials shared with Azure AD during application registration.
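The two aspects above can be seen in the token request that a library such as MSAL sends when the web app redeems an authorization code. The following Python sketch is an added example, not code from the original article or from MSAL. It assumes the Microsoft identity platform v2.0 token endpoint, and the reply URIs, environment variable names and function names are constructed for illustration.

```python
import os
from urllib.parse import urlencode

# Constructed sample values; none come from a real app registration.
REGISTERED_REPLY_URIS = {
    "https://app-westeurope.example.com/signin-oidc",
    "https://app-eastus.example.com/signin-oidc",
}
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def load_client_credentials(env=os.environ):
    """Read client credentials from configuration, never from source code."""
    try:
        return {k: env[k] for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")}
    except KeyError as missing:
        raise RuntimeError(f"missing configuration value: {missing}") from None


def build_token_request(creds, auth_code, redirect_uri, scopes):
    """Return (url, form_body) for redeeming an authorization code."""
    # The reply URI sent must be one registered for the app, so reject
    # anything else before the secret is placed in a request.
    if redirect_uri not in REGISTERED_REPLY_URIS:
        raise ValueError(f"reply URI not registered: {redirect_uri}")
    form = {
        "grant_type": "authorization_code",
        "client_id": creds["CLIENT_ID"],
        "client_secret": creds["CLIENT_SECRET"],  # marks a confidential client
        "code": auth_code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }
    return TOKEN_ENDPOINT.format(tenant=creds["TENANT_ID"]), urlencode(form)


def redact(form_body):
    """Mask the secret so the request body can be logged safely."""
    return "&".join(
        "client_secret=***" if part.startswith("client_secret=") else part
        for part in form_body.split("&")
    )
```

The form body is sent as an HTTPS POST from the server side only, so the secret never reaches the browser.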