SPA - EntraID and API

[pelord]

Hi.

I develop a SPA which login is based on EntraID entreprise app.
EntraID app issue several informations, accesstoken, idtoken and much more properties... These are stored into my local storage.
My SPA, which is a map, use a protected API (map service), called on each user zoom or pan.

The SPA is able to pass to the API a token (Autorization: Bearer ...[tokenHere]...) on each call.

Here the questions.
Does this module can be used to protect an API receiving multiple calls without triggering the EntraID login on each call?
Does this module can strictly validate with EntraID the informations received from the SPA ?
Does this module require more properties from the SPA, i.e. more info than the bearer token?

[pelord]

@amrvka Is it the same issue?

#1278

[amrvka]

Hi @pelord,

my problem in #1278 was that i used a wrong client_id from app registration which did not find the website i tried to open.
therefore the token did not match.

it seems after digging a very long time i've forgotten to mark it as solved.

As fas as i understood, the plugin authenticates a login flow.
If you send a bearer token to the plugin, the sent values and encryption mechs will be validated with EntraID.
This server connects to EntraID.

Depending what's your environment and requirements - you have to configure additional values.
see: https://github.com/OpenIDC/mod_auth_openidc/blob/master/auth_openidc.conf

greetings