From the Azure AD documentation I understand that the ID token is for authentication and the access token is what you send to the backend API for authorization.
But I have several APIs which give responses based on the roles of the user who is logged in. I have configured the roles in the Service Principal under App roles as seen in the below picture.
And when the user authenticates, the ID token contains the roles as seen below.
Currently, I send the ID token in the Authorization header and then the backend decodes and validates the token and based on the roles, it sends appropriate response.
But I was not able to find any documentation to justify this solution. If there is a better/proper solution on how to implement this, please do guide me! Or is there a way to send roles from access token?
If you want the roles to be present in access token, then try the below:
I created a Microsoft Entra ID application and added an app role:
Then I assigned the role to the user in the Enterprise application:
And granted API permissions:
I generated access and ID tokens as below:
When I decoded the access token, the role is displayed:
Even in the ID token the role is displayed:
Hence, to have role-based authorization you can make use of the access token.
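What the backend still has to do with that access token, as an added example (not code from the question or the answer above): the block assumes the token's signature has already been verified against the tenant's published signing keys by a JWT library, and shows the claim checks the API must then make before trusting the `roles` claim (issuer, audience, expiry, not-before). The issuer, audience and sample claims are constructed placeholders; `decode_payload` only reads the payload segment, which is fine for inspection but never for an authorization decision.

```python
"""Role-based authorization on a Microsoft Entra ID access token (added example).

Assumes the compact JWS signature was ALREADY verified by a library against
the tenant's JWKS; only the claim checks on the verified payload are shown.
"""
import base64
import json
import time
from typing import Optional

# Constructed placeholders: replace with your tenant id and the API's app id URI.
EXPECTED_ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"
EXPECTED_AUDIENCE = "api://<api-client-id>"


class AuthorizationError(Exception):
    """Raised with a reason whenever a check fails (fail closed)."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sample_token(claims: dict) -> str:
    """Constructed compact JWS with a placeholder signature, for the decode demo only.

    It would fail signature verification, which is exactly why the output of
    decode_payload() must never be trusted on its own.
    """
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_payload(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying anything (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def make_sample_claims(roles, exp_offset: int = 3600) -> dict:
    """Constructed payload shaped like an Entra ID v2.0 access token."""
    now = int(time.time())
    return {
        "iss": EXPECTED_ISSUER,
        "aud": EXPECTED_AUDIENCE,
        "iat": now,
        "nbf": now,
        "exp": now + exp_offset,
        "sub": "constructed-user-object-id",
        "roles": list(roles),
    }


def authorize(claims: dict, required_role: str, now: Optional[float] = None) -> bool:
    """Return True if the signature-verified claims grant `required_role`.

    Every check is fail-closed: a missing or malformed claim is a denial.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise AuthorizationError("issuer mismatch")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise AuthorizationError("token was not issued for this API")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise AuthorizationError("token expired or has no exp claim")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf:
        raise AuthorizationError("token not yet valid")
    roles = claims.get("roles", [])
    if not isinstance(roles, list) or required_role not in roles:
        raise AuthorizationError(f"missing required role {required_role!r}")
    return True


def handle_request(claims: dict, required_role: str) -> int:
    """Map the authorization outcome to the HTTP status the API would return."""
    try:
        authorize(claims, required_role)
        return 200
    except AuthorizationError:
        return 403


if __name__ == "__main__":
    token = sample_token(make_sample_claims(["Admin"]))
    print("decoded roles:", decode_payload(token)["roles"])
    print("Admin endpoint as Admin:", handle_request(make_sample_claims(["Admin"]), "Admin"))
    print("Admin endpoint as Reader:", handle_request(make_sample_claims(["Reader"]), "Admin"))
```

The `aud` check is the one most often skipped: an access token minted for a different API (say, Microsoft Graph) carries the same user's roles claim but must not be accepted by yours, and a JWT library will only enforce this if you pass the expected audience.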