Part of this is the issue around caching the tokens.
The article has this to say:
"It's relatively expensive to get an OAuth access token, because it requires an HTTP request to the token endpoint. Therefore, it's good to cache tokens whenever possible. The Azure AD Authentication Library (ADAL) automatically caches tokens obtained from Azure AD, including refresh tokens.
ADAL provides a default token cache implementation. However, this token cache is intended for native client apps, and is not suitable for web apps:
- It is a static instance, and not thread safe.
- It doesn't scale to large numbers of users, because tokens from all users go into the same dictionary.
- It can't be shared across web servers in a farm.
TokenCache class but is suitable for a server environment and provides the desirable level of isolation between tokens for different users."
Just something to keep in mind!
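
As an added example (not code from the quoted article or from ADAL itself), a server-side cache along the lines the quote describes could look like this. It assumes ADAL .NET 3.x (`TokenCache.Serialize`/`Deserialize`) together with ASP.NET Core's `IDistributedCache` and data protection; the class name `PerUserTokenCache` and the key format are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Hypothetical class. Create one instance per signed-in user per request and
// never keep it in a static field, so no instance is shared between threads.
public sealed class PerUserTokenCache : TokenCache
{
    private readonly IDistributedCache _store;   // shared by every server in the farm
    private readonly IDataProtector _protector;  // encrypts tokens at rest in the store
    private readonly string _key;

    public PerUserTokenCache(string tenantId, string userObjectId,
                             IDistributedCache store, IDataProtectionProvider dp)
    {
        if (string.IsNullOrEmpty(tenantId) || string.IsNullOrEmpty(userObjectId))
            throw new ArgumentException("Tenant id and user object id are required.");
        if (dp == null) throw new ArgumentNullException(nameof(dp));

        _store = store ?? throw new ArgumentNullException(nameof(store));
        _protector = dp.CreateProtector(typeof(PerUserTokenCache).FullName);
        // One store entry per user, so tokens of different users never share a dictionary.
        _key = $"adal-tokens:{tenantId}:{userObjectId}";  // key format is an assumption

        BeforeAccess = _ => Load();  // pick up changes written by another server
        AfterAccess = _ => Save();   // persist anything ADAL added or refreshed
        Load();
    }

    private void Load()
    {
        byte[] blob = _store.Get(_key);
        byte[] state = null;
        if (blob != null)
        {
            try { state = _protector.Unprotect(blob); }
            // Unreadable entry (e.g. protection keys rotated): drop it, the user signs in again.
            catch (CryptographicException) { _store.Remove(_key); }
        }
        Deserialize(state);  // null clears the in-memory copy
    }

    private void Save()
    {
        if (!HasStateChanged) return;
        if (Count > 0) _store.Set(_key, _protector.Protect(Serialize()));
        else _store.Remove(_key);
        HasStateChanged = false;
    }
}
```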