
When trying to get an access token with the ADAL.js AuthenticationContext, is the access_token the same as the id_token?

Updated: 2023-02-20 13:11:29

Actually, after a bit of reading, turned out that connecting SPA's to Azure AD requires OAuth 2.0 Implicit Grant flow. The Microsoft documentation says:

In this scenario, when the user signs in, the JavaScript front end uses Active Directory Authentication Library for JavaScript (ADAL.JS) and the implicit authorization grant to obtain an ID token (id_token) from Azure AD. The token is cached and the client attaches it to the request as the bearer token when making calls to its Web API back end, which is secured using the OWIN middleware.

So, it's the id_token itself that I need to send to the back-end APIs, which in turn can be validated and used. More info about validation is given here:

Just receiving an id_token is not sufficient to authenticate the user; you must validate the id_token's signature and verify the claims in the token per your app's requirements. The v2.0 endpoint uses JSON Web Tokens (JWTs) and public key cryptography to sign tokens and verify that they are valid.

You can choose to validate the id_token in client code, but a common practice is to send the id_token to a backend server and perform the validation there. Once you've validated the signature of the id_token, there are a few claims you will be required to verify.