|[Authorization code](#authorization-code)| User sign-in and access to web APIs on behalf of the user. |* [Desktop](scenario-desktop-overview.md) <br /> * [Mobile](scenario-mobile-overview.md) <br /> * [Single-page app (SPA)](scenario-spa-overview.md) (requires PKCE) <br /> *[Web](scenario-web-app-call-api-overview.md)|
25
+
|[Authorization code](#authorization-code)| User sign-in and access to web APIs on behalf of the user. |[Desktop](scenario-desktop-overview.md) <br /> [Mobile](scenario-mobile-overview.md) <br /> [Single-page app (SPA)](scenario-spa-overview.md) (requires PKCE) <br /> [Web](scenario-web-app-call-api-overview.md)|
25
26
|[Client credentials](#client-credentials)| Access to web APIs by using the identity of the application itself. Typically used for server-to-server communication and automated scripts requiring no user interaction. |[Daemon](scenario-daemon-overview.md)|
26
27
|[Device code](#device-code)| User sign-in and access to web APIs on behalf of the user on input-constrained devices like smart TVs and IoT devices. Also used by command line interface (CLI) applications. |[Desktop, Mobile](scenario-desktop-acquire-token-device-code-flow.md)|
27
28
|[Implicit grant](#implicit-grant)| User sign-in and access to web APIs on behalf of the user. _The implicit grant flow is no longer recommended - use authorization code with PKCE instead._| * [Single-page app (SPA)](scenario-spa-overview.md) <br /> * [Web](scenario-web-app-call-api-overview.md)|
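Review bot: the Implicit grant row in this hunk still carries the `* ` bullet markers inside its table cell (`* [Single-page app (SPA)]... <br /> * [Web]...`) that the Authorization code row just had removed, so the two rows now render differently; apply the same change to the Implicit grant row (and any other row that uses in-cell bullets) so the table is consistent.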
@@ -57,22 +58,22 @@ Your MSAL-based application should first try to acquire a token silently and fal
57
58
58
59
The [OAuth 2.0 authorization code grant](v2-oauth2-auth-code-flow.md) can be used by web apps, single-page apps (SPA), and native (mobile and desktop) apps to gain access to protected resources like web APIs.
59
60
60
-
When users sign in to web applications, the application receives an authorization code that it can redeem for an access token to call web APIs.
61
+
When users sign in to web applications, the application receives an authorization code that it can redeem for an access token to call web APIs.
61
62
62
-

63
+
In the following diagram, the application:
63
64
64
-
In the preceding diagram, the application:
65
-
66
-
1. Requests an authorization code which redeemed for an access token.
65
+
1. Requests an authorization code which was redeemed for an access token.
67
66
2. Uses the access token to call a web API, Microsoft Graph.
68
67
68
+

69
+
69
70
### Constraints for authorization code
70
71
71
-
- Single-page applications require Proof Key for Code Exchange (PKCE) when using the authorization code grant flow. PKCE is supported by MSAL.
72
+
- Single-page applications require *Proof Key for Code Exchange* (PKCE) when using the authorization code grant flow. PKCE is supported by MSAL.
72
73
73
-
- The OAuth 2.0 specification requires you use an authorization code to redeem an access token only _once_.
74
+
- The OAuth 2.0 specification requires you to use an authorization code to redeem an access token only _once_.
74
75
75
-
If you attempt to acquire access token multiple times with the same authorization code, an error similar to the following is returned by the Microsoft identity platform. Keep in mind that some libraries and frameworks request the authorization code for you automatically, and requesting a code manually in such cases will also result in this error.
76
+
If you attempt to acquire access token multiple times with the same authorization code, an error similar to the following is returned by the Microsoft identity platform. Some libraries and frameworks request the authorization code for you automatically, and requesting a code manually in such cases will also result in this error.
76
77
77
78
`AADSTS70002: Error validating credentials. AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.`
78
79
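Review bot: the lead-in was changed to "In the following diagram, the application:" but the diagram image (the blank line after step 2) now sits below the two numbered steps, so the steps describe a figure the reader has not yet reached; either place the image directly after the lead-in or keep "preceding" and leave the image above it. Step 1 is still awkward after the edit: `1. Requests an authorization code which was redeemed for an access token.` mixes tenses; suggest `1. Requests an authorization code, which it redeems for an access token.` The unchanged sentence `If you attempt to acquire access token multiple times` is also missing an article (`an access token`) and could be fixed in the same hunk.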
@@ -84,22 +85,22 @@ The client credentials grant flow permits a web service (a confidential client)
84
85
85
86
### Application secrets
86
87
87
-

88
-
89
-
In the preceding diagram, the application:
88
+
In the following diagram, the application:
90
89
91
90
1. Acquires a token by using application secret or password credentials.
92
91
2. Uses the token to make requests of the resource.
93
92
94
-
### Certificates
93
+

95
94
96
-

95
+
### Certificates
97
96
98
-
In the preceding diagram, the application:
97
+
In the following diagram, the application:
99
98
100
99
1. Acquires a token by using certificate credentials.
101
100
2. Uses the token to make requests of the resource.
102
101
102
+

103
+
103
104
These client credentials need to be:
104
105
105
106
- Registered with Azure AD.
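Review bot: both the Application secrets and Certificates subsections now say "In the following diagram" while the image is moved to after the numbered steps, so the reference points the wrong way in both places; put the image immediately after each lead-in or revert to "preceding". While touching these lines, `1. Acquires a token by using application secret or password credentials.` needs an article (`an application secret`), and "make requests of the resource" reads better as "make requests to the resource" in both subsections.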
@@ -115,18 +116,18 @@ The [OAuth 2 device code flow](v2-oauth2-device-code.md) allows users to sign in
115
116
116
117
By using the device code flow, the application obtains tokens through a two-step process designed for these devices and operating systems. Examples of such applications include those running on IoT devices and command-line interface (CLI) tools.
117
118
118
-

119
-
120
-
In the preceding diagram:
119
+
In the following diagram:
121
120
122
121
1. Whenever user authentication is required, the app provides a code and asks the user to use another device like an internet-connected smartphone to visit a URL (for example, `https://microsoft.com/devicelogin`). The user is then prompted to enter the code, and proceeding through a normal authentication experience including consent prompts and [multi-factor authentication](../authentication/concept-mfa-howitworks.md), if necessary.
123
122
1. Upon successful authentication, the command-line app receives the required tokens through a back channel, and uses them to perform the web API calls it needs.
124
123
124
+

125
+
125
126
### Constraints for device code
126
127
127
128
- The device code flow is available only for public client applications.
128
129
- When you initialize a public client application in MSAL, use one of these authority formats:
129
-
-Tenanted: `https://login.microsoftonline.com/{tenant}/,` where `{tenant}` is either the GUID representing the tenant ID or a domain name associated with the tenant.
130
+
-Tenant: `https://login.microsoftonline.com/{tenant}/,` where `{tenant}` is either the GUID representing the tenant ID or a domain name associated with the tenant.
130
131
- Work and school accounts: `https://login.microsoftonline.com/organizations/`.
131
132
132
133
## Implicit grant
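Review bot: the edited authority line `-Tenant: `https://login.microsoftonline.com/{tenant}/,` where ...` has three problems: there is no space after the hyphen, so it will not render as a list item like the `- Work and school accounts:` line below it; "Tenanted" was the precise term for a tenant-specific authority and renaming it to "Tenant" loses that meaning; and the trailing comma is inside the code span. Suggest `- Tenanted: `https://login.microsoftonline.com/{tenant}/`, where `{tenant}` is ...`. Same diagram-placement issue as the other hunks: "In the following diagram:" now precedes the steps while the image follows them. In the unchanged step 1, "and proceeding through a normal authentication experience" should be "and proceeds through".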
@@ -149,15 +150,15 @@ Tokens issued via the implicit flow mode have a **length limitation** because th
149
150
150
151
The [OAuth 2 on-behalf-of authentication flow](v2-oauth2-on-behalf-of-flow.md) flow is used when an application invokes a service or web API that in turn needs to call another service or web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform *on behalf of* the user.
151
152
152
-

153
-
154
-
In the preceding diagram:
153
+
In the following diagram:
155
154
156
155
1. The application acquires an access token for the web API.
157
156
2. A client (web, desktop, mobile, or single-page application) calls a protected web API, adding the access token as a bearer token in the authentication header of the HTTP request. The web API authenticates the user.
158
157
3. When the client calls the web API, the web API requests another token on-behalf-of the user.
159
158
4. The protected web API uses this token to call a downstream web API on-behalf-of the user. The web API can also later request tokens for other downstream APIs (but still on behalf of the same user).
160
159
160
+

161
+
161
162
## Username/password (ROPC)
162
163
163
164
> [!WARNING]
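Review bot: as in the earlier hunks, "In the following diagram:" is now followed by the four numbered steps with the image after them, so the wording and the layout disagree; move the image up under the lead-in. In the unchanged step 2, the bearer token goes in the HTTP `Authorization` header, not an "authentication header"; worth correcting here since the line is adjacent to the change.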
@@ -167,13 +168,13 @@ The [OAuth 2 resource owner password credentials](v2-oauth-ropc.md) (ROPC) grant
167
168
168
169
Some application scenarios like DevOps might find ROPC useful, but you should avoid it in any application in which you provide an interactive UI for user sign-in.
169
170
170
-

171
-
172
-
In the preceding diagram, the application:
171
+
In the following diagram, the application:
173
172
174
173
1. Acquires a token by sending the username and password to the identity provider.
175
174
2. Calls a web API by using the token.
176
175
176
+

177
+
177
178
To acquire a token silently on Windows domain-joined machines, we recommend [integrated Windows authentication (IWA)](#integrated-windows-authentication-iwa) instead of ROPC. For other scenarios, use the [device code flow](#device-code).
178
179
179
180
### Constraints for ROPC
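Review bot: "In the following diagram, the application:" again precedes the two steps while the image has been moved below them; either keep the image directly after the lead-in or keep "preceding". No other change needed in this hunk.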
@@ -195,13 +196,13 @@ The following constraints apply to the applications using the ROPC flow:
195
196
196
197
MSAL supports integrated Windows authentication (IWA) for desktop and mobile applications that run on domain-joined or Azure AD-joined Windows computers. By using IWA, these applications acquire a token silently without requiring UI interaction by user.
197
198
198
-

199
-
200
-
In the preceding diagram, the application:
199
+
In the following diagram, the application:
201
200
202
201
1. Acquires a token by using integrated Windows authentication.
203
202
2. Uses the token to make requests of the resource.
204
203
204
+

205
+
205
206
### Constraints for IWA
206
207
207
208
**Compatibility**
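Review bot: same diagram-placement mismatch as the other sections ("following" with the image after the steps). In the unchanged intro sentence, "without requiring UI interaction by user" should read "by the user".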
@@ -239,10 +240,10 @@ To satisfy either requirement, one of these operations must have been completed:
239
240
240
241
- You as the application developer have selected **Grant** in the Azure portal for yourself.
241
242
- A tenant admin has selected **Grant/revoke admin consent for {tenant domain}** in the **API permissions** tab of the app registration in the Azure portal; see [Add permissions to access your web API](quickstart-configure-app-access-web-apis.md#add-permissions-to-access-your-web-api).
242
-
- You've provided a way for users to consent to the application; see [Requesting individual user consent](v2-permissions-and-consent.md#requesting-individual-user-consent).
243
-
- You've provided a way for the tenant admin to consent for the application; see [admin consent](v2-permissions-and-consent.md#requesting-consent-for-an-entire-tenant).
243
+
- You've provided a way for users to consent to the application; see [User consent](../manage-apps/user-admin-consent-overview.md#user-consent).
244
+
- You've provided a way for the tenant admin to consent for the application; see [Administrator consent]../manage-apps/user-admin-consent-overview.md#administrator-consent).
244
245
245
-
For more information on consent, see [Permissions and consent](v2-permissions-and-consent.md).
246
+
For more information on consent, see [Permissions and consent](v2-permissions-and-consent.md#consent).
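Review bot: the new Administrator consent bullet is missing the opening parenthesis of the link target: `[Administrator consent]../manage-apps/user-admin-consent-overview.md#administrator-consent)` will render as literal text rather than a link; it should be `[Administrator consent](../manage-apps/user-admin-consent-overview.md#administrator-consent)`. Also confirm that the `#consent` fragment added to the `v2-permissions-and-consent.md` link and the `#user-consent` / `#administrator-consent` fragments match actual headings in the target pages, since a wrong fragment fails silently.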