In my previous post (Securing NodeJS REST with Azure Active Directory), I showed how, using a tool like Postman, we could access secured REST resources that are restricted to only user accounts in Azure Active Directory (AAD). Using Postman and/or curl is a good way to illustrate the concepts. I also mentioned that whatever can be done in Postman, we can write code in any language to do the same thing.
This post shows how I would do it for a web app client. Recall that the first step is to “login”. I put “login” in quotes here because we don’t really log in; we just send a POST request to an AAD OAuth endpoint. What we get back in the response is an access_token (also a refresh_token and other things). Then, to access the secured resources, requests have to include the access_token (in the bearer scheme) in the Authorization header of the request.
So the work here involves a pair of HTTP requests. The first one has to finish before the second one can start. The first request gets the access_token and the second one takes this access_token and places it in its request headers.
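The two-request sequence described above, written with plain Promises as an added example (it is not the original post's code). `fetchFn`, the `cfg` field names and `makeFakeFetch` are hypothetical; the fake is a constructed stand-in for `fetch` so the chain runs offline.

```javascript
// Added example: token request, then resource request, chained with Promises.
// tokenUrl, resourceUrl and the form fields are placeholders (assumptions).
function getAccessToken(fetchFn, tokenUrl, formFields) {
  return fetchFn(tokenUrl, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams(formFields).toString(),
  })
    .then((res) => {
      if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
      return res.json();
    })
    .then((body) => {
      // Refuse anything that is not a bearer token we can actually send.
      if (!body.access_token || String(body.token_type).toLowerCase() !== 'bearer') {
        throw new Error('token response has no bearer access_token');
      }
      return body.access_token;
    });
}

function getSecuredResource(fetchFn, resourceUrl, accessToken) {
  return fetchFn(resourceUrl, {
    headers: { Authorization: `Bearer ${accessToken}` },
  }).then((res) => {
    if (!res.ok) throw new Error(`resource request failed: HTTP ${res.status}`);
    return res.json();
  });
}

// The second request starts only after the first promise resolves.
function loginThenFetch(fetchFn, cfg) {
  return getAccessToken(fetchFn, cfg.tokenUrl, cfg.formFields)
    .then((token) => getSecuredResource(fetchFn, cfg.resourceUrl, token));
}

// Constructed stand-in for fetch so the example runs offline; records call order.
function makeFakeFetch(calls) {
  return (url, opts = {}) => {
    calls.push({ url, auth: (opts.headers || {}).Authorization });
    const reply = (status, data) =>
      Promise.resolve({ ok: status < 400, status, json: () => Promise.resolve(data) });
    if (url.endsWith('/oauth2/token')) {
      return reply(200, { token_type: 'Bearer', access_token: 'constructed-token' });
    }
    const ok = opts.headers && opts.headers.Authorization === 'Bearer constructed-token';
    return ok ? reply(200, { items: ['a'] }) : reply(401, {});
  };
}
```

With Node 18+ or a browser, pass the built-in `fetch` as `fetchFn`; a failed token request rejects the chain before any request carrying the token is sent.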
Here’s the solution using just Promise:
Using promises is way better than using callbacks. Anyhow, here’s the RxJS version: