Authorizing users on an on-premise service from SharePoint Online intranet

Question

I'm reading up on SharePoint Online as a candidate for our upcoming intranet, and have a couple of questions.

Let's say I need our users to access some on-premise data, and I write a provider based SharePoint add-in (which run on an on-premise server). The add-in require users to be authorized before serving them the data. What's best practice when it comes to authenticating and authorizing the users - could the client side of my add-in reuse some SSO/OAuth token or something from the SharePoint Online session, and pass this token on to the server-side my add-inn, and my server-side add-in (or preferably some firewall type of software in front of my sevice) could then authorize users based on this token?

Answer 1

This should work if you use AzureAD as your SSO provider for the on-prem app.