Azure AD Auth with Angular and .NETCore2 WEBAPI

Published 2019-07-31 16:34

I want to add authentication to my app using Azure AD

Right now my flow is like this:

User -> AngularApp -> Azure Login -> AngularApp w/token -> API Call to backend w/token -> API Backend verifies token with Azure each call

I have following questions:

  1. Is there a better way to do this?
  2. Every API call is verified with Azure. Is it required?
  3. Should I have two different client IDs for UI and API?

2 answers
放我归山
Reply #2 · 2019-07-31 17:10

Is there a better way to do this?

This is the standard way.

Every API call is verified with Azure. Is it required?

Your API back-end does not verify the token with AAD each time. It downloads the public signing keys for Azure AD at startup (if you use standard components), and verifies the token using them.

Should I have two different client IDs for UI and API?

When you make a v2 application through the new App registrations experience, you can define the front-end and back-end API in a single app quite nicely. You can also define them as separate apps.

Bombasti
Reply #3 · 2019-07-31 17:13

What do you mean better? (less redirects?)

What you describe is a standard OpenID Connect flow that is used all over the web right now. Whenever you use your Google, Facebook or GitHub login to log in to some other page, you are using that standard.

It is a pretty secure and easy way of doing authorization/authentication on the web these days.

A little side note: make sure that the token is valid for an appropriate amount of time.

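As an added example (not code from the question or from either answer) of what the first answer describes and of the token-lifetime check the second answer recommends: a .NET Core 2 Startup that wires the standard JwtBearer middleware to the Azure AD v2.0 authority, so the signing keys are fetched from the tenant's metadata once and every bearer token is validated locally. The tenant ID and the API's application (client) ID are placeholders.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    // Placeholders: substitute your tenant ID and the application (client) ID of the API registration.
    private const string TenantId = "<your-tenant-id>";
    private const string ApiClientId = "<api-application-id>";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // The middleware reads /.well-known/openid-configuration from this authority
                // at first use, caches the JWKS signing keys, and verifies each token's
                // signature locally; it only re-fetches keys when it sees an unknown key ID.
                options.Authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";
                options.Audience = ApiClientId;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,            // token must come from this tenant
                    ValidIssuer = $"https://login.microsoftonline.com/{TenantId}/v2.0",
                    ValidateAudience = true,          // token must be minted for this API
                    ValidAudience = ApiClientId,
                    ValidateIssuerSigningKey = true,  // signature checked against cached JWKS
                    ValidateLifetime = true,          // reject expired / not-yet-valid tokens
                    ClockSkew = TimeSpan.FromMinutes(2) // tighter than the 5-minute default
                };
            });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must precede MVC so [Authorize] sees the validated principal
        app.UseMvc();
    }
}

[Authorize]
[Route("api/[controller]")]
public class MeController : Controller
{
    // Reached only when the bearer token passed all checks above; no call to Azure per request.
    [HttpGet] public IActionResult Get() => Ok(new { user = User.Identity.Name });
}
```

No network round trip to Azure AD happens per request; a token is rejected locally if its signature, issuer, audience or validity window fails.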