This repository has been archived by the owner on Nov 21, 2024. It is now read-only.

Support for access token with the token binding (UserFromAccessToken option) #97

Open
baywet opened this issue Jan 29, 2019 · 6 comments

Comments

@baywet
Member

baywet commented Jan 29, 2019

I'm working on the following project:

  • front-end application built with SPFx 1.7.0, leveraging the aadHttpClient (if you're not familiar, it bakes in consent, grant, token and adds the Auth Bearer header to any requests, providing a fetch client)
  • Azure function (http trigger) secured using the platform authentication options (AAD)
  • Azure function also has a [Token(Identity = TokenIdentityMode.UserFromRequest, Resource = "https://graph.microsoft.com")] string graphToken input binding.

At this point my assumption is that the authentication platform layer (EasyAuth) is supposed to take the bearer JWT token coming in, validate it against the configured setting, and pass it as the X-MS-TOKEN-AAD-ID-TOKEN header to the underlying layers.
Then the input binding is looking for that to trade that token in for a token that works for the requested resource.
First question: are those assumptions/this understanding valid?
Second question: For some reason I never get the X-MS-TOKEN-AAD-ID-TOKEN header when the function is called. I tried some workarounds like injecting it manually into the original request; it feels like a hack but works during local debugging. However, this doesn't work on an actual Azure Functions environment. Am I missing any configuration?

@baywet
Member Author

baywet commented Jan 29, 2019

OK, re-reading the documentation I noticed a detail I previously missed: the current implementation is expecting an ID token, while the aadHttpClient sends in an access token.
Are there any plans to support access tokens?

@baywet
Member Author

baywet commented Jan 29, 2019

It could be a simple implementation looking like this: https://stackoverflow.com/questions/53320105/how-to-use-msal-to-get-access-token-on-behalf-of-a-user-using-aad-v1, relying on the X-MS-TOKEN-AAD-ACCESS-TOKEN header instead.
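As an added example (not the project's own binding code), this is roughly what the on-behalf-of path baywet points to looks like in an HTTP-triggered function on the in-process Functions runtime with MSAL.NET: it reads the X-MS-TOKEN-AAD-ACCESS-TOKEN header that EasyAuth forwards after validating the caller's bearer token, and exchanges it for a delegated Graph token. The function name, the three app settings and the User.Read scope are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Identity.Client;

public static class GraphOnBehalfOfFunction
{
    private static readonly HttpClient Http = new HttpClient();

    // Anonymous at the Functions level: EasyAuth in front of the function validates the
    // caller's bearer token and only then forwards it in the X-MS-TOKEN-AAD-ACCESS-TOKEN header.
    [FunctionName("GraphOnBehalfOf")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Anonymous, "get")] HttpRequest req)
    {
        // The header is absent when the caller is unauthenticated or used an ID-token flow.
        if (!req.Headers.TryGetValue("X-MS-TOKEN-AAD-ACCESS-TOKEN", out var header)
            || string.IsNullOrWhiteSpace(header))
            return new UnauthorizedResult();

        // Confidential client for the function's own app registration (setting names are hypothetical).
        var app = ConfidentialClientApplicationBuilder
            .Create(Environment.GetEnvironmentVariable("AAD_CLIENT_ID"))
            .WithClientSecret(Environment.GetEnvironmentVariable("AAD_CLIENT_SECRET"))
            .WithAuthority(AzureCloudInstance.AzurePublic, Environment.GetEnvironmentVariable("AAD_TENANT_ID"))
            .Build();

        // On-behalf-of: trade the caller's token for a Graph token bound to that same user, so Graph
        // applies the user's permissions rather than the function's own application permissions.
        AuthenticationResult obo;
        try
        {
            obo = await app.AcquireTokenOnBehalfOf(new[] { "https://graph.microsoft.com/User.Read" },
                                                   new UserAssertion(header.ToString()))
                           .ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // The user has not consented to the downstream scope; the client must re-consent.
            return new StatusCodeResult(StatusCodes.Status403Forbidden);
        }
        using var msg = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me");
        msg.Headers.Authorization = new AuthenticationHeaderValue("Bearer", obo.AccessToken);
        using var resp = await Http.SendAsync(msg);
        return new ContentResult { StatusCode = (int)resp.StatusCode,
                                   Content = await resp.Content.ReadAsStringAsync(), ContentType = "application/json" };
    }
}
```

The delegated token stays server-side; only the Graph response is returned to the SPFx caller, and a missing header is rejected rather than falling back to the function's own identity.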

@baywet changed the title from "Error while accessing 'X-MS-TOKEN-AAD-ID-TOKEN': property doesn't exist" to "Support for access token with the token binding (UserFromAccessToken option)" on Jan 29, 2019
@ConnorMcMahon
Contributor

In the near future, there are plans to revamp the token binding to support all EasyAuth-supported authentication methods for AAD, including the server-directed flow (browser login), the client-directed flow (X-ZUMO-AUTH tokens) and bearer tokens for AAD.

Note that this might be a breaking change when we release these.

@baywet
Member Author

baywet commented Jan 29, 2019

Should I leave this issue open, or is it a duplicate of something else?

@ConnorMcMahon
Contributor

I would leave it open as an issue. I might make another issue once we have settled on the exact design for the revamp, but if/when I do that, I will mark it as a duplicate then. This gives some good visibility for someone trying to accomplish something similar as of right now.

@pkskelly

@ConnorMcMahon Any update on timing for the changes mentioned above? I am doing something similar to @baywet and running into the same issue. I can obtain the OpenID information for the user from the ClaimsPrincipal, but no X-MS-TOKEN-AAD-ID-TOKEN header is included.
