twebauth-question/24157

In my last post in the twebauth-question/24157 thread, before it was closed, I asked some additional questions. Any feedback?

Hi,

Exposing the requested properties in TMicrosoftUserData is something we can do in a future version, when we have time to allocate on the component.

I don't think any of the responses return an IP address, so which JWT are you referring to?

Do you have a source for this that we could look at? The sample project for JS access doesn't mention anything about it.

I think you are using access_token to query user properties from Graph, which is where this subset is coming from. But id_token itself may contain tons of additional details - it's configurable in Azure.

Here are two good videos about BFF:

alert('OAuth 2.0'); // The impact of XSS on OAuth 2.0 in SPAs

Using the BFF pattern to secure SPA and Blazor Applications - Dominick Baier - NDC Oslo 2021

The idea is basically that the user/browser sends the "code" to the server and the server gets "id_token" and whatever else itself, so it never crosses the browser. This deviates from the common approach and would cause issues for some SPAs, but with something like XData in the background doing this, the client web application can still make use of these tokens indirectly through it, essentially delegating such requests to the server.
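To make the two points above concrete (the id_token carrying claims beyond what Graph returns, and the BFF keeping tokens on the server), here is an added illustration in Python. It is not TMS, XData or Azure code: `fake_token_endpoint`, `Bff`, the session store and the sample claims are all constructed for the example, and the token endpoint is a stand-in for the real HTTPS exchange with the identity provider. The browser only ever receives an opaque session id; the access_token and id_token stay in the server-side session, and the SPA reads user details or calls downstream APIs through the BFF.

```python
import base64
import json
import secrets
from typing import Any, Callable, Dict


def _b64url(data: bytes) -> str:
    """base64url-encode without padding, as JWTs do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def fake_token_endpoint(code: str) -> Dict[str, Any]:
    """Constructed stand-in for the IdP's /token endpoint.
    A real BFF would POST the code (plus client_id, client_secret and
    redirect_uri) over HTTPS; here a fixed demo code yields fixed tokens."""
    if code != "demo-code-123":
        raise ValueError("invalid authorization code")
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    # Sample claims (constructed); a real id_token carries whatever the
    # IdP is configured to emit, e.g. the optional claims set up in Azure.
    claims = {
        "iss": "https://login.example.test",
        "sub": "user-42",
        "name": "Alice Example",
        "email": "alice@example.test",
        "roles": ["reader"],
    }
    payload = _b64url(json.dumps(claims).encode())
    return {
        "access_token": "at-secret-value",  # constructed opaque value
        "id_token": f"{header}.{payload}.",  # unsigned for illustration only
        "token_type": "Bearer",
    }


def decode_jwt_claims(token: str) -> Dict[str, Any]:
    """Decode the claims segment of a JWT.
    This does not verify the signature; a production BFF must validate
    the token against the IdP's published keys before trusting claims."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


class Bff:
    """Minimal backend-for-frontend: exchanges the code server-side and
    keeps all tokens in a server-side session keyed by an opaque id."""

    def __init__(self, exchange: Callable[[str], Dict[str, Any]]):
        self._exchange = exchange
        self._sessions: Dict[str, Dict[str, Any]] = {}  # never sent to the browser

    def handle_callback(self, code: str) -> str:
        """The browser posts only the authorization code. The BFF performs
        the exchange and returns an opaque session id, which the server
        would set as an HttpOnly, Secure cookie."""
        tokens = self._exchange(code)
        claims = decode_jwt_claims(tokens["id_token"])
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"tokens": tokens, "claims": claims}
        return session_id

    def whoami(self, session_id: str) -> Dict[str, Any]:
        """Expose a chosen subset of id_token claims to the SPA; the raw
        token itself stays on the server."""
        session = self._sessions.get(session_id)
        if session is None:
            raise PermissionError("no such session")
        return {k: session["claims"].get(k) for k in ("sub", "name", "email", "roles")}

    def call_downstream(self, session_id: str, api_call: Callable[[Dict[str, str]], Any]) -> Any:
        """Proxy a request to a downstream API (Graph, XData, ...), attaching
        the access token from the session. The SPA never handles the token."""
        session = self._sessions.get(session_id)
        if session is None:
            raise PermissionError("no such session")
        headers = {"Authorization": f"Bearer {session['tokens']['access_token']}"}
        return api_call(headers)


if __name__ == "__main__":
    bff = Bff(fake_token_endpoint)
    sid = bff.handle_callback("demo-code-123")
    print("cookie value handed to browser:", sid)
    print("claims visible to SPA:", bff.whoami(sid))
    print("downstream call saw:", bff.call_downstream(sid, lambda h: h["Authorization"]))
```

The point to watch in a real deployment is the cookie: because the session id is all the browser holds, it should be HttpOnly and Secure with a SameSite setting, and the BFF should require a CSRF defence on state-changing routes, since a script running in the page can no longer read a token but can still ride on the cookie.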