I have a Web App (A) which calls a BFF API (B), which in turn calls an adapter API (C), which in turn calls the final API (D).
Users log in to Web App A with RBAC-based Microsoft Entra ID with app roles. The token is received in B, where the user is authorized with scopes, and the request is sent to C with the client credentials flow. C calls D with another client credentials flow.
Thus, the user context is lost between B and D. API D also needs authorization scopes so that it can authorize the request. What are my options to retain the user context from A through to D?
I have so far looked into the Microsoft OBO flow. However, it looks like we won't be able to implement token caching between B and C? Are there any other drawbacks with this approach?
I have also considered Token Forwarding as mentioned in this answer. However, with this, I believe, APIs B and C would need to authorize the request even when they won't be part of the aud in the original token?
Are there any other options to consider? What are the tradeoffs?
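As an added illustration (not part of the question, and not Microsoft's or MSAL's code), here is a constructed model of the three strategies under discussion: the audience check every hop must run, why a token forwarded from B is rejected at C, why a client-credentials token reaches D with no user in it, and how an OBO-style exchange carries the user's subject and roles to D. It assumes a local HS256 issuer standing in for Entra ID, and the audiences, client ids and user id are made up.

```python
import base64, hashlib, hmac, json, time
# Constructed model of the A -> B -> C -> D chain. HS256 with a shared secret stands
# in for the identity provider's key; real Entra ID tokens are RS256, checked via JWKS.
IDP_SECRET = b"constructed-idp-signing-secret"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict) -> str:
    """Issue an HS256 JWS over the claims; models the identity provider."""
    header, payload = _b64(b'{"alg":"HS256","typ":"JWT"}'), _b64(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def validate(token: str, expected_aud: str) -> dict:
    """Every hop must do this: check signature, expiry, and that aud is *this* API."""
    header, payload, sig = token.split(".")
    expected = hmac.new(IDP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] < time.time():
        raise ValueError("expired")
    if claims["aud"] != expected_aud:
        raise ValueError(f"aud {claims['aud']!r} is not {expected_aud!r}")
    return claims

def client_credentials(client_id: str, aud: str) -> str:
    """App-only token: names the calling app and carries no user claims (context lost)."""
    return mint({"aud": aud, "azp": client_id, "exp": time.time() + 600})

def on_behalf_of(incoming: str, caller_aud: str, next_aud: str) -> str:
    """OBO exchange: the IdP validates the caller's token, then re-issues the user's claims for the next hop."""
    user = validate(incoming, caller_aud)
    return mint({"aud": next_aud, "sub": user["sub"], "roles": user["roles"], "exp": time.time() + 600})

def run_chain(strategy: str) -> dict:
    """Claims D receives for 'forward', 'client-credentials' or 'obo'; raises if a hop rejects."""
    user_token = mint({"aud": "api://B", "sub": "user-123", "roles": ["Reader"], "exp": time.time() + 600})
    validate(user_token, "api://B")            # B authorizes the signed-in user
    if strategy == "forward":                  # B passes its own token straight on to C
        validate(user_token, "api://C")        # rejected: aud is B, not C
    if strategy == "client-credentials":
        token_d = client_credentials("C", "api://D")   # C calls D as itself; no sub/roles
    else:
        token_c = on_behalf_of(user_token, "api://B", "api://C")
        token_d = on_behalf_of(token_c, "api://C", "api://D")
    return validate(token_d, "api://D")
```

Each OBO hop is a round trip to the identity provider, which is where the caching concern from the question comes from: in this model nothing is cached, so every request pays for two exchanges.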