I have two web application hosted on Azure. A front-end and a back-end. For both I configured to use EasyAuth (added a 3rd party OpenID Connect Identity Provider on the Azure Portal). When the user opens a browser, s/he navigates to the Front-end web app, which redirects the user to sign in on the identity provider login page. When the login is successful it receives an id_token (JWT format) and an access_token (which is not in JWT format, it is just a string but according to the Oauth 2.0 specification it does not have to be in JWT).
The user can login and access to front end app without any problem and it works as expected. Even the /.auth/me endpoint gives back the tokens and claims.
The issue: When the front end calls a WebAPI endpoint in the backend using the access token (request header Bearer ...) then the application receives the follwing error message:
JWT: '[PII is hidden]' must have three segments (JWS) or five segments (JWE).
Azure seems to expect the access token in a JWT format (Azure Active Directory generates access tokens in JWT format), but as I mentioned before it is not a must. If the front end sends the id_token to the backend as the Bearer in the request header then it works, but that is strictly against the specification as ID tokens should not be used for authorization.
A workaround if I turn off the authentication for the back-end on Azure and I validate the access token on code level (using token introspection). However than what is the point of the EasyAuth?
The question: Is this the default behavior for Azure EasyAuth and it does not support the described scenario or am I missing something?