Azure-Samples / ms-identity-aspnet-webapp-openidconnect

A sample showcasing how to develop a web application that handles sign-on via the unified Azure AD and MSA endpoint, so that users can sign in with either their work/school account or their Microsoft account. The sample also shows how to use MSAL to obtain a token for invoking the Microsoft Graph, as well as incremental consent.
MIT License

Implicit Grant Flow #1

Closed. titobf closed this 6 years ago.

titobf commented 8 years ago

I have a question. I have noted that to make the sample work I have to leave the checkbox "Allow Implicit Flow" checked when registering the app.

On the page "Is the implicit grant suitable for my app?" I read that it is not recommended for web apps with a backend:

If you are developing a Web application which includes a backend, and that is meant to consume API from its backend code, the implicit flow is also not a good fit. Other grants give you far more power: for example, the OAuth2 client credentials grant provides the ability to obtain tokens that reflect the permissions assigned to the app itself as opposed to user delegations, the ability to maintain programmatic access to resources even when a user is not actively engaged in a session, and so on. Not only that, but such grants give higher security guarantees: access tokens never transit through the user browser, they don’t risk being saved in the browser history, and so on; the client application can perform strong authentication when requesting a token; and so on.

Is there a way to set up the sample to use the "authorization code flow" only? Thanks in advance.

jmprieur commented 6 years ago

The following sample does that: active-directory-dotnet-webapp-webapi-openidconnect

See in particular how the code is redeemed and an access token is acquired to populate the cache in Startup.Auth.cs#L94-L104
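As an added example (not code from this sample or the linked one), the code-only configuration the question asks for: the OWIN OpenID Connect middleware requests `response_type=code`, and the `AuthorizationCodeReceived` notification redeems the code server-to-server with MSAL.NET, so no token transits the browser. It assumes Microsoft.Owin.Security.OpenIdConnect 4.x and MSAL.NET (Microsoft.Identity.Client); the client id, secret, redirect URI and scopes are placeholders.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Placeholder values: take these from the app registration / Web.config.
    private const string ClientId = "<client-id>";
    private const string ClientSecret = "<client-secret>";
    private const string RedirectUri = "https://localhost:44326/";
    private const string Authority = "https://login.microsoftonline.com/common/v2.0";
    private static readonly string[] Scopes = { "User.Read" };

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority,
            RedirectUri = RedirectUri,
            // "code" only: the authorization endpoint returns no id_token or
            // access_token to the browser, so the implicit grant is not used.
            ResponseType = OpenIdConnectResponseType.Code,
            Scope = "openid profile offline_access " + string.Join(" ", Scopes),
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = OnAuthorizationCodeReceivedAsync
            }
        });
    }

    private static async Task OnAuthorizationCodeReceivedAsync(AuthorizationCodeReceivedNotification context)
    {
        // Redeem the code at the token endpoint with the client secret; the
        // resulting tokens go into MSAL's cache, never through the browser.
        IConfidentialClientApplication cca = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithRedirectUri(RedirectUri)
            .WithAuthority(Authority)
            .Build();
        AuthenticationResult result = await cca.AcquireTokenByAuthorizationCode(Scopes, context.Code).ExecuteAsync();

        // With no id_token in the front-channel response, build the session
        // identity from the id_token MSAL received on the back channel.
        AuthenticationProperties props = context.AuthenticationTicket?.Properties ?? new AuthenticationProperties();
        context.AuthenticationTicket = new AuthenticationTicket((ClaimsIdentity)result.ClaimsPrincipal.Identity, props);
    }
}
```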