@PaulAzure-8925, the most important thing to keep in mind when implementing Azure AD authentication using OAuth2.0 is: which type of Auth Flow would you like to use?
Ans: Most people use either the Authorization Code Grant Flow or the Implicit Flow of OAuth2.0 to acquire an Access Token, which the application can then use to make further API calls or access resources. Single Page Apps mostly use the Implicit Flow, while ASP.NET, .NET Core, Java, etc. usually use the Authorization Code Grant Flow.
Azure AD has two main endpoints which utilize OAuth2.0:
- /authorize ---> This endpoint provides the authentication page [to enter the username and password] and returns the "code" or "id_token" or both, as per the request sent.
- /token ---> Once the code is received from the previous endpoint, it is posted to the "/token" endpoint to get an Access Token.
More on these OAuth2.0 flows can be found here.
Now coming to your second query: "Can I reuse this Token for calling API with same Token in header which is also protected with same "App Reg 1"?"
Yes, you can use the same access token multiple times [until the access token expires] to request the same resource, as an access token is always issued for a particular resource. E.g., if you request an access token for the Graph API, you can use this access token [for 1 hr] to make multiple Graph API calls.
You can also check the following samples:
- For AngularJS app using ADAL library: https://video2.skills-academy.com/en-us/azure/active-directory/develop/quickstart-v1-angularjs-spa
- For Angular app using MSAL: https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/MSALAngularDemoApp
Hope this helps.
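As an added example (not code from the answer above), this Python sketch shows the two endpoints the answer describes in the Authorization Code Grant Flow, plus a small per-resource token cache that reuses the access token until it expires; the v1 endpoint path, the tenant/client values and the `state` handling are assumptions, and nothing here makes a network call.

```python
# Added example (not from the original answer): builds the Azure AD v1
# /authorize request, checks the redirect, and caches the access token
# per resource until expiry. Endpoint path and sample values are assumptions.
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2"  # v1 endpoint (assumed)

def build_authorize_url(tenant, client_id, redirect_uri, resource, state=None):
    """Step 1: the /authorize request. Returns (url, state) so the caller can
    verify 'state' on the redirect back (CSRF protection for the code grant)."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "code",      # Authorization Code Grant: ask for a code
        "redirect_uri": redirect_uri,
        "resource": resource,         # v1: the token is issued for this resource
        "state": state,
    }
    return f"{AUTHORITY.format(tenant=tenant)}/authorize?{urlencode(params)}", state

def parse_redirect(redirect_url, expected_state):
    """Pull the code out of the redirect and reject a mismatched state."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed redirect")
    return qs["code"][0]   # this code is then POSTed to /token

class TokenCache:
    """Reuses an access token for the same resource until it expires.
    Tokens are keyed by resource because Azure AD issues each access
    token for exactly one resource (e.g. the Graph API)."""
    def __init__(self, skew=300, clock=time.time):
        self.skew = skew          # treat the token as expired this early
        self.clock = clock
        self._tokens = {}

    def store(self, resource, token_response):
        # token_response is the parsed JSON body of the /token reply
        expires_at = self.clock() + int(token_response["expires_in"])
        self._tokens[resource] = (token_response["access_token"], expires_at)

    def get(self, resource):
        """Return a usable token for the resource, or None if absent/expired."""
        entry = self._tokens.get(resource)
        if entry is None or entry[1] - self.skew <= self.clock():
            return None
        return entry[0]
```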