{"id":2055,"date":"2018-11-12T11:00:54","date_gmt":"2018-11-12T18:00:54","guid":{"rendered":"https:\/\/developer.microsoft.com\/en-us\/office\/blogs\/?p=2055"},"modified":"2018-11-12T11:00:54","modified_gmt":"2018-11-12T18:00:54","slug":"30daysmsgraph-day-12-authentication-and-authorization-scenarios","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/30daysmsgraph-day-12-authentication-and-authorization-scenarios\/","title":{"rendered":"30DaysMSGraph \u2013 Day 12 \u2013 Authentication and authorization scenarios"},"content":{"rendered":"<p><a href=\"https:\/\/aka.ms\/30DaysMSGraph\">List of all posts in the #30DaysMSGraph Series<\/a><\/p>\n<p>Today\u2019s post written by <a href=\"https:\/\/twitter.com\/JasonJohMSFT\">Jason Johnston<\/a><\/p>\n<p>In <a href=\"https:\/\/developer.microsoft.com\/en-us\/graph\/blogs\/30daysmsgraph-day-11-azure-ad-application-permissions\">Day 11<\/a> we discussed Access Tokens which are crucial to make Microsoft Graph requests.\u00a0 Today we&#8217;ll look at the various authentication scenarios that are possible when querying with Microsoft Graph.<\/p>\n<p><img decoding=\"async\" class=\"wp-image-2095 aligncenter\" src=\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2018\/11\/30DaysMSGraph_Day12_Source-1024x576.jpg\" alt=\"\" width=\"800\" height=\"450\" srcset=\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2018\/11\/30DaysMSGraph_Day12_Source-1024x576.jpg 1024w, https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2018\/11\/30DaysMSGraph_Day12_Source-300x169.jpg 300w, https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2018\/11\/30DaysMSGraph_Day12_Source-768x432.jpg 768w, https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2018\/11\/30DaysMSGraph_Day12_Source.jpg 1280w\" sizes=\"(max-width: 800px) 100vw, 800px\" 
\/><\/p>\n<h2>OAuth 2.0 flows<\/h2>\n<p>Azure AD implements several auth scenarios as defined by the <a href=\"https:\/\/tools.ietf.org\/html\/rfc6749\">OAuth 2.0 specification<\/a>. Let\u2019s take a look at each one.<\/p>\n<h2>Authorization code grant<\/h2>\n<p>The <a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/develop\/v2-oauth2-auth-code-flow\">authorization code grant flow<\/a> is probably the most commonly used flow for obtaining access tokens. This flow is separated into two distinct parts: the authentication\/authorization part, and the token request.<\/p>\n<p>First, the user is sent to the Azure Active Directory (Azure AD) login page. In a web app, this is a simple redirect to the site. In a native application, this involves opening up a browser dialog to the Azure AD site. The URL contains parameters that identify the application making the request and the requested permission scopes. If this is the first time the user has used the application (or if the requested permissions have changed since the last time the user used the application), a list of the requested permissions is presented to the user, giving them a chance to review and approve or deny the permissions.<\/p>\n<p>If the user approves the requested permissions, the browser redirects back to the application with an authorization code. The app can then send a POST request with that authorization code and the application\u2019s secret to the Azure AD token endpoint to get an access token.<\/p>\n<h3>Types of permissions<\/h3>\n<p>Apps that use this flow make use of delegated permissions. 
The access tokens returned from this flow always have a user context.<\/p>\n<h3>When to use authorization code grant<\/h3>\n<p>This flow is the best choice for your app if your app:<\/p>\n<ul>\n<li>Is a server-side web application or native\/mobile application that allows user interaction<\/li>\n<li>Needs to access the Microsoft Graph as the user<\/li>\n<\/ul>\n<h2>Implicit grant<\/h2>\n<p>The <a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/develop\/v2-oauth2-implicit-grant-flow\">implicit grant flow<\/a> starts the same way as the authorization code grant flow, by redirecting the user to the Azure AD login page. However, in this flow, instead of returning an authorization code once the user authenticates and authorizes the app, the access token is returned.<\/p>\n<p>This abbreviated flow exists to support single-page apps (SPA) implemented in JavaScript. Because these applications run entirely within the user\u2019s browser and may not have a backend component, there are a number of challenges in doing an authorization code grant flow:<\/p>\n<ul>\n<li>Storing an application secret so that it is not discoverable is not feasible in client-side JavaScript code<\/li>\n<li>Most auth servers (Azure AD included) do not support CORS requests<\/li>\n<\/ul>\n<p>This flow addresses those issues by eliminating the application secret and not involving a POST request.<\/p>\n<h3>Types of permissions<\/h3>\n<p>Apps that use this flow make use of delegated permissions. 
The access tokens returned from this flow always have a user context.<\/p>\n<h3>When to use implicit grant<\/h3>\n<p>This flow is the best choice for your app if your app:<\/p>\n<ul>\n<li>Is a client-side JavaScript single-page app with no backend components.<\/li>\n<\/ul>\n<h2>Client credentials grant flow<\/h2>\n<p>The <a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/develop\/v2-oauth2-client-creds-grant-flow\">client credentials grant flow<\/a> is different from the previous two flows in two major ways. First, the flow does not require any user interaction, so it\u2019s the best choice for a service or daemon application. Second, this flow makes use of application permissions, rather than delegated permissions.<\/p>\n<p>While the flow itself requires no user interaction, there is a requirement that an organization administrator provides consent to the permissions required by the app. This is a one-time process that can happen either during app registration, or you can build a minimal web app to allow the administrator to authenticate and authorize the application.<\/p>\n<p>Once an administrator has authorized the application, the app can silently request tokens by providing its application ID and secret or by signing the token request with a certificate shared with Azure AD during app registration.<\/p>\n<h3>Types of permissions<\/h3>\n<p>Apps that use this flow make use of application permissions. 
The access tokens returned from this flow do not have a user context and grant access to all users within the organization.<\/p>\n<h3>When to use client credentials grant<\/h3>\n<p>This flow is the best choice for your app if your app:<\/p>\n<ul>\n<li>Requires access to all users in an organization<\/li>\n<li>Does not implement a UI, or runs in a way that makes user interaction impossible (unattended daemon apps, services, scheduled tasks, etc.)<\/li>\n<\/ul>\n<h2>On-behalf-of flow<\/h2>\n<p>The <a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/develop\/v2-oauth2-on-behalf-of-flow\">on-behalf-of flow<\/a> is used in a middle-tier service scenario. It typically involves a user application that uses the authorization code grant or implicit grant flow, and a Web API or service, <a href=\"https:\/\/docs.microsoft.com\/azure\/api-management\/api-management-howto-protect-backend-with-aad\">protected by Azure AD OAuth<\/a>, that accesses the Microsoft Graph.<\/p>\n<p>In this flow, the user logs into the front-end application, which obtains an access token granting access to the middle-tier service. The middle-tier service then uses that token to obtain another token on the user\u2019s behalf to access the Microsoft Graph.<\/p>\n<p>This flow differs from a normal authorization code grant flow because the front-end application itself has no access to the Microsoft Graph.<\/p>\n<h3>Types of permissions<\/h3>\n<p>Apps that use this flow make use of delegated permissions. The access tokens returned from this flow always have a user context.<\/p>\n<h3>When to use on-behalf-of<\/h3>\n<p>This flow is the best choice for your app if your app:<\/p>\n<ul>\n<li>Involves multiple components, including a front-end user application and a back-end web API or service protected by Azure AD OAuth<\/li>\n<\/ul>\n<h2>Refresh token flow<\/h2>\n<p>Access tokens issued by Azure AD are short-lived, expiring after an hour. 
Applications can request new tokens without requiring the user to re-authenticate as long as the user has not revoked the application\u2019s authorization. The method to do this depends on the flow used by the application.<\/p>\n<ul>\n<li>Apps that use the authorization code grant flow or the on-behalf-of flow can request the offline_access scope to receive a refresh token along with the access token. The app <a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/develop\/v2-oauth2-auth-code-flow#refresh-the-access-token\">makes a POST request<\/a> to Azure AD\u2019s token endpoint with that refresh token to obtain a new access token.<\/li>\n<li>Apps that use the implicit grant do not get a refresh token. However, as long as the app is running in the user\u2019s browser and the session is maintained, apps can request a new token silently by <a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/develop\/v2-oauth2-implicit-grant-flow#refreshing-tokens\">using a hidden iframe<\/a>.<\/li>\n<li>Apps that use the client credentials grant also do not get a refresh token. 
Since token requests in this flow do not require user interaction, the app simply requests a new token using the same POST request it used to obtain the initial token.<\/li>\n<\/ul>\n<h2>Try it out<\/h2>\n<p>You can try the authorization code grant flow out using your browser and <a href=\"https:\/\/www.getpostman.com\/apps\">Postman<\/a>.\u00a0 If you are not familiar with Postman or similar REST endpoint development tools, feel free to revisit these exercises after you&#8217;ve gone through tomorrow&#8217;s post for Day 13.<\/p>\n<p><a href=\"https:\/\/github.com\/microsoftgraph\/30DaysMSGraph-TryItOut\/blob\/master\/Day12-AuthScenarios.md\">Day 12 repo link<\/a><\/p>\n<ol>\n<li>Register an Azure AD V2 app following the directions from <a href=\"https:\/\/developer.microsoft.com\/en-us\/graph\/blogs\/30daysmsgraph-day-9-azure-ad-applications-on-v2-endpoint\">Day 9<\/a>.\n<ul>\n<li>Ensure that the redirect URI is &#8216;https:\/\/localhost:8080&#8217; to match the steps below.<\/li>\n<\/ul>\n<\/li>\n<li>Open Postman and create a new POST request to <a href=\"https:\/\/login.microsoftonline.com\/YOUR_TENANT_ID\/oauth2\/v2.0\/token\">https:\/\/login.microsoftonline.com\/YOUR_TENANT_ID\/oauth2\/v2.0\/token<\/a>, replacing &#8216;YOUR_TENANT_ID&#8217; with your tenant ID from your app registration.<\/li>\n<li>Configure the Body tab as follows:\n<ul>\n<li>Choose &#8216;x-www-form-urlencoded&#8217;<\/li>\n<li>Add a &#8216;client_id&#8217; key and put your application ID from your app registration in the value<\/li>\n<li>Add a &#8216;client_secret&#8217; key and put your application secret from your app registration in the value<\/li>\n<li>Add a &#8216;redirect_uri&#8217; key and put &#8216;https:\/\/localhost:8080&#8217; in the value<\/li>\n<li>Add a &#8216;grant_type&#8217; key and put &#8216;authorization_code&#8217; in the value<\/li>\n<li>Add a &#8216;scope&#8217; key and put &#8216;openid profile offline_access User.Read&#8217; in 
the value<\/li>\n<li>Add a &#8216;code&#8217; key and leave the value blank<\/li>\n<li><img decoding=\"async\" class=\"alignnone size-full wp-image-2093\" src=\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2018\/11\/Day12-AuthN-and-AuthZ-1.png\" alt=\"\" width=\"588\" height=\"378\" srcset=\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2018\/11\/Day12-AuthN-and-AuthZ-1.png 588w, https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2018\/11\/Day12-AuthN-and-AuthZ-1-300x193.png 300w\" sizes=\"(max-width: 588px) 100vw, 588px\" \/><\/li>\n<\/ul>\n<\/li>\n<li>Open your browser and go to <a href=\"https:\/\/login.microsoftonline.com\/YOUR_TENANT_ID\/oauth2\/v2.0\/authorize?client_id=YOUR_APP_ID&amp;response_type=code&amp;redirect_uri=https%3A%2F%2Flocalhost%3A8080&amp;response_mode=query&amp;scope=openid%20profile%20offline_access%20User.Read\">https:\/\/login.microsoftonline.com\/YOUR_TENANT_ID\/oauth2\/v2.0\/authorize?client_id=YOUR_APP_ID&amp;response_type=code&amp;redirect_uri=https%3A%2F%2Flocalhost%3A8080&amp;response_mode=query&amp;scope=openid%20profile%20offline_access%20User.Read<\/a>, replacing &#8216;YOUR_TENANT_ID&#8217; with your tenant ID and &#8216;YOUR_APP_ID&#8217; with your application ID from your app registration.<\/li>\n<li>Log in and authorize the app. Your browser redirects back to <a href=\"https:\/\/localhost:8080\">https:\/\/localhost:8080<\/a> and should show an error that the site cannot be reached.<\/li>\n<li>Copy the URL in the address bar of your browser and paste it into Notepad. It should look like <a href=\"https:\/\/localhost:8080\/?code=IAQABAAIAAAC...&amp;session_state=\">https:\/\/localhost:8080\/?code=IAQABAAIAAAC&#8230;&amp;session_state=<\/a>&#8230;. Copy all of the characters after code= and before &amp;session_state. 
This is the authorization code returned by Azure AD.<\/li>\n<li>Paste the authorization code into the &#8216;code&#8217; key in Postman, then send the request.<\/li>\n<li>The response contains a JSON payload with the access token, refresh token, and ID token.\n<ul>\n<li><img decoding=\"async\" class=\"alignnone size-full wp-image-2094\" src=\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2018\/11\/Day12-AuthN-and-AuthZ-2.png\" alt=\"\" width=\"552\" height=\"701\" srcset=\"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2018\/11\/Day12-AuthN-and-AuthZ-2.png 552w, https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-content\/uploads\/sites\/73\/2018\/11\/Day12-AuthN-and-AuthZ-2-236x300.png 236w\" sizes=\"(max-width: 552px) 100vw, 552px\" \/><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>Join us tomorrow as we make calls to Microsoft Graph from a REST endpoint development tool such as Postman in <a href=\"https:\/\/developer.microsoft.com\/en-us\/graph\/blogs\/30daysmsgraph-day-13-postman-to-make-microsoft-graph-calls\">Day 13<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In Day 11 we discussed Access Tokens which are crucial to make Microsoft Graph requests.\u00a0 Today we&#8217;ll look at the various authentication scenarios that are possible when querying with Microsoft Graph.<\/p>\n","protected":false},"author":73055,"featured_media":25159,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3,5],"tags":[84],"class_list":["post-2055","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-graph","category-microsoft-identity-platform","tag-30daysmsgraph"],"acf":[],"blog_post_summary":"<p>In Day 11 we discussed Access Tokens which are crucial to make Microsoft Graph requests.\u00a0 Today we&#8217;ll look at the various 
authentication scenarios that are possible when querying with Microsoft Graph.<\/p>\n"}