OpenID Connect, Query Microsoft Graph

We have a .NET Web Application that uses Single Sign On implemented by OpenID Connect to create an ID token and log a user in. Specifically, Microsoft.Owin.Security.OpenIdConnect and Microsoft.IdentityModel.Protocols.OpenIdConnect.

I now have a requirement to query Microsoft Graph API via JavaScript.

In order for me to query Graph API I assume I need an Access token (plus I want to be mindful of token expiry and refresh).

What is the recommended approach to get from Single Sign On producing an ID token on the backend to querying Microsoft Graph API via JavaScript on the front end? Ideally I wouldn’t put a proxy/pass-through API in between to get an Auth Token on my behalf.


Answer

I figured it out.

The main application uses OpenID Connect to establish an ID Token. I then use MSAL.js to silently log in, utilizing my already established SSO session.

This is the sample I followed:

https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-browser-samples/VanillaJSTestApp2.0/app/ssoSilent

I then can acquire an access token to query Graph API.
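
The flow described in the answer, as an added example that is not part of the original post or of the linked MSAL sample. It assumes `pca` is a `PublicClientApplication` from `@azure/msal-browser` configured elsewhere, that the server renders the signed-in user's UPN into the page as `loginHint`, and that the `User.Read` scope and the `/me` endpoint are what you need; the function names are hypothetical.

```javascript
// Added example. `pca` is assumed to be a PublicClientApplication from
// @azure/msal-browser, created elsewhere with your app registration's client ID.
const GRAPH_ME = "https://graph.microsoft.com/v1.0/me"; // illustrative endpoint
const SCOPES = ["User.Read"];                           // request only what you need

// MSAL signals "silent auth cannot succeed" with this error name.
function isInteractionRequired(err) {
  return Boolean(err) && err.name === "InteractionRequiredAuthError";
}

// Reuse the existing SSO session without prompting; loginHint is the
// signed-in user's UPN, assumed to be rendered into the page by the server.
async function signInSilently(pca, loginHint) {
  const cached = pca.getActiveAccount();
  if (cached) return cached;
  try {
    const result = await pca.ssoSilent({ loginHint, scopes: SCOPES });
    pca.setActiveAccount(result.account);
    return result.account;
  } catch (err) {
    if (!isInteractionRequired(err)) throw err;
    // Session expired, or consent / MFA needed: fall back to a visible prompt.
    const result = await pca.loginPopup({ loginHint, scopes: SCOPES });
    pca.setActiveAccount(result.account);
    return result.account;
  }
}

// Call before every Graph request: MSAL serves the cached token while it is
// valid and renews it once it has expired or is about to, so do not store it yourself.
async function getAccessToken(pca, account) {
  try {
    return (await pca.acquireTokenSilent({ account, scopes: SCOPES })).accessToken;
  } catch (err) {
    if (!isInteractionRequired(err)) throw err;
    return (await pca.acquireTokenPopup({ account, scopes: SCOPES })).accessToken;
  }
}

// The token is sent only to the fixed Graph URL, never to a caller-supplied one.
async function getMyProfile(pca, loginHint, fetchImpl = fetch) {
  const account = await signInSilently(pca, loginHint);
  const accessToken = await getAccessToken(pca, account);
  const res = await fetchImpl(GRAPH_ME, {
    headers: { Authorization: `Bearer ${accessToken}` },
  });
  if (!res.ok) throw new Error(`Graph request failed: ${res.status}`);
  return res.json();
}
```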
