Currently there is a feature request on feedback.azure.com for getting JWT tokens forwarded to the back end.

There are at least two scenarios for such a request. I am taking some shortcuts here and assuming that in most scenarios this is an access token, similar to the one that is issued and sent by native clients in the Authorization: Bearer … header:
- Browser clients using XHR / Fetch
- This seems to work "out-of-the-box", as the browser session is "authenticated" with session data held in the session-persisting cookies
- I am using an example where the back-end service supplies the client, via client-side chained fetch() requests, with an access token. This token is then sent back to the back end and displayed there. This is to prove that Azure AD Application Proxy doesn't strip the bearer token from the Authorization header:
```javascript
// Client side: get an access token from the back end, then send it straight back
// in the Authorization header to show that App Proxy passes the header through.
function getToken () {
  fetch('/refreshToken').then((response) => {
    response.json().then((data) => {
      console.log(data['access_token'])
      var token = data['access_token']
      fetch('/caller', {
        headers: {
          'Authorization': 'Bearer ' + token
          // 'Content-Type': 'application/x-www-form-urlencoded',
        },
      }).then((response) => {
        // The back end echoes what it received in the Authorization header
        response.json().then((data2) => {
          console.log(data2)
        })
      })
    })
  })
}
```

- Native clients outside of a web view sending the access token destined for App Proxy itself
- I am excluding the scenario of a native client using a web view, where a browser is "conjured" inside the app. In that case I'd assume the web view would behave similarly to the browser example (mostly?) and successfully send the token to the back end
- This doesn't work (and per the explanation in the feature request, that's by design), but alternative ways are available, which I've previously explored in another post

Azure AD App Proxy | Forward incoming JWT token to backend service: What are my choices?