Using on-behalf-of to exchange an id_token for an access_token for MS Graph

FetchAccessToken.cs

  public string FetchAccessToken()
  {
    string idToken = this.Request.Headers["X-MS-TOKEN-AAD-ACCESS-TOKEN"];
    string tokenUrl = Environment.GetEnvironmentVariable("WEBSITE_AUTH_OPENID_ISSUER").TrimEnd('/') + "/oauth2/token";
    
    var paramBuilder = new StringBuilder();
    paramBuilder.Append("grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer");
    paramBuilder.Append("&client_id=").Append(Environment.GetEnvironmentVariable("WEBSITE_AUTH_CLIENT_ID"));
    paramBuilder.Append("&client_secret=").Append(Environment.GetEnvironmentVariable("WEBSITE_AUTH_CLIENT_SECRET"));
    paramBuilder.Append("&scope=").Append(WebUtility.UrlEncode("https://graph.microsoft.com/user.read"));
    paramBuilder.Append("&assertion=").Append(WebUtility.UrlEncode(idToken));
    paramBuilder.Append("&requested_token_use=on_behalf_of");

    string parameters = paramBuilder.ToString();

    var tokenRequest = WebRequest.CreateHttp(tokenUrl);
    tokenRequest.Method = "POST";

    using (var stream = new StreamWriter(tokenRequest.GetRequestStream()))
    {
      stream.Write(parameters);
    }

    string rawResponse;
    try
    {
      using (var tokenResponse = new StreamReader(tokenRequest.GetResponse().GetResponseStream()))
      {
        rawResponse = tokenResponse.ReadToEnd();
      }
    }
    catch (WebException e)
    {
      using (var tokenResponse = new StreamReader(e.Response.GetResponseStream()))
      {
        rawResponse = tokenResponse.ReadToEnd();
        Response.Write(rawResponse);
        return null;
      }
    }

    var serializer = new JavaScriptSerializer();
    var tokenResponseData = (IDictionary<string, object>)serializer.DeserializeObject(rawResponse);
    var accessToken = (string)tokenResponseData["access_token"];
    return accessToken;
  }