Azure-Samples / ms-identity-javascript-v2

VanillaJS sample using MSAL.js v2.x and OAuth 2.0 Authorization Code Flow with PKCE on Microsoft identity platform
MIT License

Protecting my own Web API? #10

Closed georgejdli closed 4 years ago

georgejdli commented 4 years ago

I went through this sample and was able to access the Graph API.

I have a use case where I would like to protect my own web api by verifying the same Bearer token obtained with this flow.

My web api is using Node.js and I tried using passport-azure-ad middleware with the BearerToken strategy to protect my routes. However the token generated with PKCE flow does not seem to be compatible with the JWT verify logic from passport-azure-ad. I get an error saying the JWT has an invalid signature.

Are there any samples with Node.js where I could protect my own web apis using the Auth token obtained from this PKCE flow?

georgejdli commented 4 years ago

Nvm, after some digging I realized I need to get a different token with a scope specific to my application registration ("/) if I want to use the passport-azure-ad BearerStrategy to protect my web api routes.

Key difference in the tokens generated seems to be the "aud" claim. For the Graph API scopes it was something generic like "0000000-03....", and that seems to have caused issues with the JWT signature verification?

derisen commented 4 years ago

@georgejdli that's right - glad you were able to solve your issue. We do have a web API sample using passport-azure-ad if you would like to take a look.