I am using the angular-oauth2-oidc library in Angular to log in via the PKCE Authorization Code flow and then pass the token to my back end to secure my custom API.
The Spring Boot back end is acting as the OAuth2 Resource Server and securing my custom APIs using the token.
SecurityConfiguration.java

http.cors().and()
    .authorizeRequests()
        .antMatchers("/home").permitAll()             // public landing page
        .antMatchers("/actuator/health").permitAll()  // unauthenticated health probe
        .antMatchers("/**").authenticated()           // everything else requires a valid bearer token
    .and()
    .oauth2ResourceServer().jwt();                    // validate the incoming JWT as a resource server
By default, Azure AD returns a valid JWT token only for Graph APIs. If you want to use the Azure AD OIDC authentication for your own API, you are dealing with a non-compliant provider. Thus I created a custom scope in the App Registration → Expose an API page. Then I added this scope in the authorization request initiated by my Angular client along with the default openid scope.
Now that I have this token, which no longer contains the ‘nonce’ in its JWT header (which I needed in order to secure my custom API), how do I go about using this token to get a new token, and then follow the On-Behalf-Of flow to create my Graph API calls?
Is anyone able to guide me in the right direction on how exactly to get the second access token?
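As an added illustration (not code from the question or from the angular-oauth2-oidc project), this is the On-Behalf-Of exchange the resource server would perform with the Azure AD v2.0 token endpoint: the already-validated incoming token is presented as the assertion, together with the API's own client credentials, and a new token scoped to Graph comes back. Tenant ID, client ID, the AZURE_CLIENT_SECRET environment variable and the class name are assumptions; only a token whose audience is this API (the custom scope exposed on the app registration) is accepted as the assertion.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Exchanges the token the API received for a Graph token (Azure AD On-Behalf-Of flow). */
public class OnBehalfOfExchange {
    // Placeholders for the API's own app registration (assumed values, not from the question).
    private static final String TENANT_ID = "<tenant-id>";
    private static final String CLIENT_ID = "<api-client-id>";
    private static final String CLIENT_SECRET = System.getenv("AZURE_CLIENT_SECRET"); // never hard-code
    private static final String TOKEN_ENDPOINT =
            "https://login.microsoftonline.com/" + TENANT_ID + "/oauth2/v2.0/token";

    private final HttpClient http = HttpClient.newHttpClient();

    /** incomingToken: the raw JWT already validated by oauth2ResourceServer().jwt() (aud = CLIENT_ID). */
    public String exchangeForGraphToken(String incomingToken, String graphScope) throws Exception {
        // The incoming token is sent as the assertion; Azure AD issues a new token for graphScope
        // (e.g. "https://graph.microsoft.com/User.Read") in the same user's context.
        String body = "grant_type=" + enc("urn:ietf:params:oauth:grant-type:jwt-bearer")
                + "&requested_token_use=on_behalf_of"
                + "&client_id=" + enc(CLIENT_ID)
                + "&client_secret=" + enc(CLIENT_SECRET)
                + "&assertion=" + enc(incomingToken)
                + "&scope=" + enc(graphScope);
        HttpRequest request = HttpRequest.newBuilder(URI.create(TOKEN_ENDPOINT))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            // Failures (e.g. the user has not consented to the Graph scope) come back as an AADSTS JSON error.
            throw new IllegalStateException("OBO exchange failed: " + response.body());
        }
        return extractAccessToken(response.body());
    }

    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    /** Minimal extraction; a real service would use a JSON parser and cache the result per user. */
    static String extractAccessToken(String json) {
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(json);
        if (!m.find()) throw new IllegalStateException("no access_token in response");
        return m.group(1);
    }
}
```

The Graph token obtained this way stays on the server and is used only for the back end's own Graph calls; the Angular client keeps the original token for the custom API.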