0

The examples I find online on this topic only instruct the configuration code used in the Startup.cs class. I could not find details as to how this configuration helps to validate the bearer token received by the API. Does the API contact Azure AD in order to validate the token?

I am curious to understand what happens behind the scenes when token validation happens at the web API. What does this one line of code, services.AddMicrosoftIdentityWebApiAuthentication(Configuration);, do to validate the token? Does it make contact with Azure AD to validate the token? What are the steps that take place while the API validates the bearer token?

I have no issues with running the code. It works perfectly fine for me, but I could not find the underlying mechanism / steps of token validation. Any help will be highly appreciated.

    using Microsoft.AspNetCore.Builder;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Identity.Web;

    public class Startup
    {
        public Startup(IConfiguration configuration) => Configuration = configuration;

        public IConfiguration Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
        {
            // Registers the JwtBearer handler, reading the "AzureAd" section of appsettings.json
            services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
            services.AddControllers();
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            app.UseRouting();
            // Authentication must run before authorization so the validated principal is available
            app.UseAuthentication();
            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });
        }
    }
blogs4t

1 Answer

0

The API will not contact Azure AD. This method, AddMicrosoftIdentityWebApiAuthentication, calls AddMicrosoftIdentityWebApi; it instructs the middleware to validate the token by TokenValidationParameters, i.e. the claims in the access token, specifically as this doc mentioned. You can also customize the validation with the claims you want to validate; follow this.

This is the Azure AD middleware with built-in capabilities for validating access tokens. Whether you use this middleware or validate the access token yourself, the flow is the same: validate the token's signature and issuer against the values in the OpenID discovery document, then validate the other claims, e.g. aud, sub, etc. You can also decode the access token at https://jwt.io/ to see it directly, which helps you understand. And different APIs may have different validation rules; for example, tokens for Microsoft Graph won't validate according to these rules due to their proprietary format, details here.

Joy Wang
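As an added example (not code from the question, the answer, or Microsoft.Identity.Web itself), this is the sequence the answer describes written out by hand with the same Microsoft.IdentityModel packages the JwtBearer handler uses: fetch the discovery document, take the issuer and signing keys from it, then let the handler check signature, issuer, audience and lifetime. The tenant id, the API client id and the v2.0 discovery URL are assumptions to be replaced with your own values.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class ManualTokenValidation
{
    // Assumed placeholders; the real values come from the "AzureAd" config section.
    private const string TenantId = "<your-tenant-id>";
    private const string ApiClientId = "<your-api-client-id>";

    // ConfigurationManager caches the discovery document and refreshes it periodically,
    // so the discovery/JWKS endpoints are hit rarely, not on every request.
    private static readonly ConfigurationManager<OpenIdConnectConfiguration> ConfigManager =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://login.microsoftonline.com/{TenantId}/v2.0/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    // Returns the validated principal, or null if the token fails any check (maps to 401).
    public static async Task<ClaimsPrincipal> ValidateAsync(string bearerToken)
    {
        // Step 1: issuer and signing keys (jwks_uri contents) come from the discovery document.
        OpenIdConnectConfiguration config = await ConfigManager.GetConfigurationAsync();

        // Step 2: the rules the middleware applies, expressed as TokenValidationParameters.
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = config.Issuer,
            IssuerSigningKeys = config.SigningKeys,
            ValidAudience = ApiClientId,          // or the App ID URI, e.g. api://<client-id>
            ValidateIssuerSigningKey = true,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,              // exp / nbf
            ClockSkew = TimeSpan.FromMinutes(2),
        };

        try
        {
            // Step 3: signature check (key chosen by the token's "kid" header), then iss/aud/exp/nbf.
            var handler = new JwtSecurityTokenHandler();
            return handler.ValidateToken(bearerToken, parameters, out SecurityToken _);
        }
        catch (SecurityTokenException)
        {
            return null;    // bad signature, wrong issuer/audience, expired, or unknown kid
        }
    }
}
```

Because the keys are taken from the discovery document, a token signed with a key Azure AD never published fails at step 3 without any per-request call to Azure AD, which is why the handler can validate offline once the metadata is cached.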