I am developing an API to authenticate with Azure Active Directory and a GUI to draw from it.
The GUI will be implemented as a Single Page Application (SPA) and the API will be executed from this SPA.
Both the API and GUI will be authenticated with Azure Active Directory.
I would like to know what good practice is for this kind of pattern. When registering an application with this kind of configuration on Azure Active Directory, should the GUI and API be registered as different applications?
It seems to me that registering them as the same application (same client ID for API and GUI) would not cause any problems if we only look at the behavior.
We would like to determine whether we should separate the GUI and API as applications based on practices (e.g., from a security perspective).