Earlier this year the Microsoft Identity Platform team published new guidance recommending the OAuth 2.0 authorization code flow (with PKCE) for browser-based web applications. The reason is that browser privacy changes, in particular the blocking of third-party cookies, break the hidden-iframe silent token renewal that the commonly used implicit grant flow depends on, and the implicit flow also leaves access tokens exposed in the URL fragment.
Although I found plenty of great code samples and quickstart material for using the authorization code flow with the Microsoft Graph API, it took me a while to figure out how to use it against an ASP.NET Core Web API. The goal of this post is to provide an end-to-end setup guide, with source code, for the protected web API scenario that authorizes callers by RBAC app roles.
Azure AD and the Microsoft identity platform have well-established patterns and support for this workflow. In this blog post I will break down an end-to-end example that enables this flow for AAD users with the following technologies: an Azure AD app registration configured with role-based access control (RBAC) app roles, which are emitted to the API as `roles` claims in the access token; client-side code using React and ADAL.js (note that ADAL.js itself only implements the implicit grant, and browser-side authorization code flow with PKCE is provided by MSAL.js 2.x); and server-side code using ASP.NET Core.