I have an Angular SPA that already has an authentication/authorization system built on top of OpenIddict. It has been working just fine. We have a new client requirement to add the possibility of SSO through Azure AD (connecting to a specific company tenant's login page). I have temporarily removed the old authentication/authorization system and have substituted a system based on MSAL (in the front end) and Microsoft Identity (in our .NET 6 web API server). That also works just fine as long as I turn off page/controller method authorization (beyond an "are you a system user" level).
What I want is a unified back end that will allow me to use the fine-grained system of authorization that we have for various pages/controller methods regardless of whether a user logs in locally or through the SSO/Azure AD. What I don't understand is whether this is possible through some nice, clean, best practice combination of Microsoft Identity/Azure AD and OpenIddict or if I will have to hack something together depending on which kind of token I receive in the back end. I haven't found any examples online of anyone trying to do exactly what I want to do.
My first question is whether what I want is even possible. Are there any examples online that show this? If there are no examples online, how would OpenIddict be configured to receive an Azure AD-originated bearer token? Thanks for any advice you can give.
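One way to route both token kinds through a single ASP.NET Core authentication pipeline so the same authorization policies apply to either (an added example, not code from the poster, OpenIddict or Microsoft; the scheme names, the "AzureAd" configuration section and the "PageEditor" role are assumptions):

```csharp
// Added illustration, not the poster's code. Assumes OpenIddict validation is already
// configured for local tokens, Microsoft.Identity.Web is referenced, and the Azure AD
// tenant settings live in an "AzureAd" configuration section (assumed names).
using System.IdentityModel.Tokens.Jwt;
using Microsoft.Identity.Web;
using OpenIddict.Validation.AspNetCore;

var builder = WebApplication.CreateBuilder(args);
var services = builder.Services;

const string AzureAdScheme = "AzureAd";         // assumed scheme name
const string SelectorScheme = "LocalOrAzureAd"; // assumed policy-scheme name

// Local tokens: existing OpenIddict validation against the local authorization server.
services.AddOpenIddict().AddValidation(options =>
{
    options.UseLocalServer();
    options.UseAspNetCore();
});

// Azure AD tokens: Microsoft.Identity.Web registers a JwtBearer handler that validates
// signature, issuer, audience and lifetime against the tenant's published metadata.
services.AddAuthentication()
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"),
                                jwtBearerScheme: AzureAdScheme);

// Default scheme: a policy scheme that forwards each request to one of the two handlers.
services.AddAuthentication(SelectorScheme)
    .AddPolicyScheme(SelectorScheme, "Local or Azure AD", options =>
    {
        options.ForwardDefaultSelector = context =>
        {
            // The unverified "iss" claim is read only to pick a handler; the chosen
            // handler still performs full validation, so a forged issuer gains nothing.
            string? header = context.Request.Headers.Authorization;
            if (header is not null &&
                header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            {
                var token = header["Bearer ".Length..].Trim();
                var handler = new JwtSecurityTokenHandler();
                if (handler.CanReadToken(token))
                {
                    var issuer = handler.ReadJwtToken(token).Issuer ?? string.Empty;
                    if (issuer.StartsWith("https://login.microsoftonline.com/", StringComparison.OrdinalIgnoreCase) ||
                        issuer.StartsWith("https://sts.windows.net/", StringComparison.OrdinalIgnoreCase))
                        return AzureAdScheme;
                }
            }
            return OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme;
        };
    });

// One authorization model for both: policies are evaluated on the resulting
// ClaimsPrincipal regardless of which handler produced it.
services.AddAuthorization(options =>
    options.AddPolicy("FineGrainedPage", policy => policy.RequireRole("PageEditor")));
```

An Azure AD token will not carry the locally assigned roles, so an IClaimsTransformation that looks the user up by the token's `oid`/`tid` claims and attaches the local role claims is needed before such policies can pass for SSO users.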