
Trying to get an ASP.NET web application to access both a local resource and the Graph API using a single login. The environment consists of an on-prem ADFS as well as an Azure AD instance that is synced and federated against on-prem AD. I have the following working.

  1. Configure the application to use OpenID Connect authentication against Azure AD with a client configured in Azure AD. The user authenticates and I receive an authentication code that I can use to get a token to call the Graph API successfully.

  2. Configure the application to use OpenID Connect authentication against ADFS using a client_id configured in ADFS. The user authenticates and I get an authentication code that I use to get a bearer token to call the local resource.

However, I cannot find a way to get access to both the local resource and the Graph API with a single login. Is this at all possible? Could someone point me in the right direction?

fhogberg

1 Answer


You can use a Delegated token which contains both a valid Client and User.

See the documentation and Stackoverflow thread.

If it is just read-access and not write-access then what you are describing should be possible.

Marilee Turscak - MSFT