WebApi, secure Azure Active Directory, invoked from JavaScript

I have the following scenario:

1.- An Azure web API project that I want to protect using Azure AD (I am not against token or cookie, as long as it matches the whole scenario)

2.- An Azure website in ASP.NET MVC, also protected by Azure AD. This website should call the web API controller with SSO (I use the same Azure AD in the whole scenario)

3.- Some JavaScript code running on a page in SharePoint Online also calls the web API controller in any safe way (the Office 365 tenant also uses the same Azure AD). If you don't know about SharePoint, let's say I have a SPA project where I can only use JavaScript and HTML (without server-side code).

Following some MS Azure AD samples and some blogs from Vittorio Bertocci, I can get points 1 and 2 working fine using OWIN and OpenID. However, it seems impossible to reach point 3. Since I'm inside a page in SharePoint Online, I can only use JavaScript, not server-side code. I would like to get a valid token for the current user who is already registered in the SP, and remember that SP uses the same Azure AD as the API website. Can I call Azure AD and get a valid token, only from the client code?

I am open to any possible solution. I can do everything in the web API project. If you are thinking of a SharePoint application with an appPart, where the appPart calls the web API from server-side code, I agree that this will work, but this is an option that is currently prohibited :(

+4
7

ADAL JS ( OAuth), SP, , ( ).

, , "" , . Azure Hosted Web API SharePoint Online JavaScript Office 365
  ADAL , / . (cookie) CORS () .

, , IE - . , IE IE.

+2

. Microsoft .

3) (.. HTML- JavaScript, SharePoint Online ) 1) ( - Api Azure).

, , SharePoint Online ( , JavaScript), Office 365/SharePoint Online . App Model, HTML/JavaScript- -. Web Api - "-".

:

cookie cookie ReadOnly . SharePoint Online ( appregnew.aspx). url (, https://cloudservice.customer.com/api/authentication/token) .

https://customer.sharepoint.com/sites/devassets/_layouts/15/appredirect.aspx?instance_id= {GUID} jQuery ajax . AppRedirect SPAuthToken, (, ), SharePoint context.Web.CurrentUser. , (.. jQuery ajax ).

. Refresh AccessToken , SharePoint. HTML UI - SharePoint Azure.

+4

ADAL.js, ​​ CORS API O365, script , Azure AD, -API.

http://www.andrewconnell.com/blog/adal-js-cors-with-o365-apis-files-sharepoint

+3

AAD OAuth2 ( OpenId Connect), AAD (), , , . , ! Cheers,

V.

update, , , : http://www.cloudidentity.com/blog/2015/02/19/introducing-adal-js-v1/ !

+1

, , HTML/JS, , SharePoint.

Azure AD (ADAL) HTML5. ( ) , -, ; , "-".

, , # ADAL OAuth. , , :

SharePoint

0

, SP-Hosted App, . SP SP Online, JS-, , SP- .

, , , , ( ) , , , apppart ( WSP). , , AJAX .

, , , . , , - - , , , .

Thanks again!

0

Read the following MSDN links for external data access settings for an application hosted in SharePoint -

0

Source: https://habr.com/ru/post/1547487/