I have a Vue site hosted on Azure Static Web Apps. It does not utilize the supported API endpoint via Azure Functions. Our backend APIs are hosted on App Service instead, and they are often put in a VNET that peers to ExpressRoute to access on-premises resources.

Since we don't want anyone on the internet to call our APIs on App Service (example.azurewebsites.net), we put them behind APIM Basic tier and set access restriction to accept connections from APIM's IP only.

Since this is a static web app, we have to place the APIM subscription key in the code, hence it is visible to everyone. Normally we would implement Azure AD authentication via the Microsoft identity platform to authenticate our users to our app (either implicit grant flow or auth code flow). This procedure receives an access_token that contains the user's information, like name and email, that we can use in our app. The by-product of this is that we can pass that access_token to APIM using the Authorization header, and APIM can validate this token automatically, hence the app can call our APIs.

We are evaluating the built-in authentication and authorization feature in Azure Static Web Apps, hoping that the user authentication development will be easier and quicker. It is indeed easier: we just redirect our users to /.auth/login/aad and everything is handled by the app. However, when we inspect the response from /.auth/me, it shows only identityProvider, userId, userDetails and userRoles.

How do we authenticate APIM calls if we use this authentication feature? There is no access_token received.

Another thing is that since we receive only userDetails, which is the email address in this case, how do we authenticate to the Microsoft Graph API to get the user's full name and other information?

Is what I am trying to achieve possible with the built-in authentication feature? Or do we still have to implement the authentication ourselves? Is there any workaround to avoid implementing this ourselves? Using the built-in authentication feature is super easy, if only it could also return the access_token to us; it would also be nice if it handled the token refreshing for us.

Extra question: I have just noticed that the userId value is not the Object ID of that user in Azure AD. Where does the userId value come from?

Thanks.

BlackMiracle

0 Answers
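As an added illustration of the token-based setup the question describes (example policy, not code from the question's author), this APIM inbound policy makes the Azure AD access token in the Authorization header the trust boundary, since the subscription key embedded in the static site's JavaScript only identifies the app and cannot be a secret. The tenant ID, the API's App ID URI and the scope name in curly braces are placeholders.

```xml
<policies>
  <inbound>
    <base />
    <!-- The Ocp-Apim-Subscription-Key sent by the browser is public (it ships in the bundle),
         so it is used only for routing and quotas. The caller's identity is established by
         validating the Azure AD access token that the SPA obtained via MSAL. -->
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  require-expiration-time="true"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Missing or invalid access token">
      <!-- Placeholder tenant: APIM downloads the tenant's signing keys from this metadata document -->
      <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <!-- Placeholder: the App ID URI (or client ID) the token must have been issued for -->
        <audience>api://{backend-api-client-id}</audience>
      </audiences>
      <issuers>
        <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
      </issuers>
      <required-claims>
        <!-- Placeholder scope: reject tokens minted for some other resource in the same tenant -->
        <claim name="scp" match="any">
          <value>{api-scope-name}</value>
        </claim>
      </required-claims>
    </validate-jwt>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

The SPA then sends both headers on each call (Ocp-Apim-Subscription-Key and Authorization: Bearer <token>), while App Service keeps its access restriction to APIM's IP so the backend is never reachable without passing this policy.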