Need a bit of guidance on implementing Entra authentication
I am lost in tons of documentation and can't figure out how to properly implement authentication with Entra on the backend.
We are developing a new internal web application that has a NextJS frontend running in an Azure App Service Docker instance with a NestJS backend also running in App Services with Docker.
The backend is getting content from Microsoft Graph API in the background, processes it and stores it in an Azure Cosmos DB. This part is already working using notification subscriptions on the processed data with MS Graph.
The colleagues implemented the frontend MS Entra auth with Next-Auth - that part is also working. Now I don't know how to obtain the token and how to validate it in my backend so that only users with a certain Active Directory role are permitted to fetch data from the NestJS API app's database.
The NestJS middleware part is clear to me. But how do I verify the Entra access token? It doesn't seem to be a JWT - what is set in the cookie is a string of the form ey[...] that has 4 dots (JWTs usually have 3).
From what I googled so far, this is called an opaque access token.
How do I:
- validate and verify it?
- use it to authenticate the user at my API (what code do I need to implement before I can return true in my NestJS Guard)? I guess I need to send the token to some Microsoft API to verify it?
- what do I need to keep in mind? How long can I assume that a token is validated?
- how can I implement RBAC inside my API using that token (e.g. where in the token do I find the claims that state which groups a user belongs to)?
- what security best practices do I need to follow when handling access tokens (aside from using HTTPS)?