When we design an app, one of the first decisions is whether the app needs authentication at all: for example, whether it shows user information, needs access to protected resources, or runs functions on behalf of a specific user.
If the app is for consumers, it should be ready to authenticate with a Facebook, Twitter, Line, Google or Microsoft account, and so on.
For enterprise use, it should be able to authenticate with an account from Azure Active Directory, Auth0, Google, AWS, VMware, Oracle, and so on.
If the app uses resources managed by Azure Active Directory, registering an Azure Active Directory application is an easy way to add authentication to the app, because the registration provides endpoints backed by the authorization server for the accounts registered in that Azure Active Directory tenant.
When creating the Azure Active Directory application, several of its parameters are specific to one type of authentication, so it is important to understand the types of authentication first.
An Azure Active Directory application registration is also what an app uses to call the Microsoft Graph API.
Azure Active Directory supports several authentication protocols for apps: WS-Federation, SAML, OAuth 2.0, and OpenID Connect.
OAuth 2.0 in particular is supported by many identity providers (Facebook, Twitter, LinkedIn, Google, Yahoo!, Salesforce.com, GitHub, and so on), so this article describes how to set the parameters of an Azure Active Directory application for OAuth 2.0.
The OAuth 2.0 Authorization Framework (RFC 6749) defines four grant types, that is, four ways for a client to obtain an access token.
Strictly speaking OAuth 2.0 is an authorization protocol rather than an authentication protocol; the ‘openid’ scope used later in this article layers OpenID Connect on top of it so that the client also learns who the user is. Accessing resources works the same way in all four grant types: the scope parameter represents which resources the app wants to use, and the client presents the access token with every request to the resource server.
What differs between the four grant types is how the client obtains the access token.
The grant type parameter selects the type: authorization code, implicit, resource owner password credentials, and client credentials. The authorization code grant is the basic one, so this article describes it.
The password grant and the client credentials grant are described in the article ‘How to set attributes of Azure Active Directory application for impersonated users‘.
・Create Azure Active Directory application
In the authorization code grant, the first step is that the client sends the user's browser to the authorization server's authorize endpoint with an authorization request.
The authorization server then asks the user for an identity and password, and if the pair is correct (and the user consents to the requested scope) it redirects the browser back to the client's registered redirect URI with an authorization code.
The client then sends that code to the authorization server's token endpoint, which returns an access token if the code represents an authenticated user who granted the requested scope. Only after that does the client present the access token to the resource server; the resource server itself never issues tokens.
The roles of the OAuth 2.0 Authorization Framework map onto Azure Active Directory and the Microsoft Graph API as follows.
The resource owner is the Azure Active Directory account.
=> Log in to the Azure portal, select Azure Active Directory, select Users and press New user.
The resource server is the Microsoft Graph API, which exposes Azure Active Directory resources and also Office 365 resources.
=> This article uses the user information in Azure Active Directory resources.
The client is the app.
=> This article uses the [OAuth 2.0 <debugger/>] web site as the client.
The authorization server is the Azure Active Directory application endpoint.
=> Log in to the Azure portal, select Azure Active Directory, select App registrations and press the [New registration] tab.
Go to the [OAuth 2.0 <debugger/>] web site, copy the URL shown in its [Redirect URI (required)] section, go back to the Azure portal, paste that URL into [Redirect URI (optional)], type a name into the [Name] text box (this article uses Userinformation) and press the [Register] button. The redirect URI must match exactly, because the authorization server only sends the code to a URI registered for this application.
When the application has been created, the portal moves to its [Overview] section; press the [Endpoints] tab there.
Copy the URL in the [OAuth 2.0 authorization endpoint (v2)] section, go to the [OAuth 2.0 <debugger/>] web site, and paste it into the [Authorize URI (required)] section.
Go back to the Azure portal and copy the value of [Application (client) ID], then go to the [OAuth 2.0 <debugger/>] web site and paste it into the [Client ID (required)] section. Next, put ‘1234’ into the [State] section and leave the [Nonce] section empty. Then put ‘openid’ into the [Scope (required)] section and leave [Response type (required)] at its default of [code]. The state value is echoed back unchanged in the redirect; the fixed value ‘1234’ is fine for this walkthrough, but a real client must generate an unpredictable value per login and reject any redirect whose state does not match, otherwise an attacker can trick the client into accepting a code they obtained themselves.
Scroll to the end of the [OAuth 2.0 <debugger/>] page and press the [SEND REQUEST] button. The browser is sent to the Azure Active Directory sign-in and consent page, which explains that the application named [Userinformation] is asking to use the user's resources.
This consent page asks the user to allow the app access to user resources. If the user presses the [Accept] button, the browser is redirected to the registered redirect URI with the authorization code in the URL query string. The code itself grants no access: it is a short-lived, single-use value that the client must exchange at the token endpoint for an access token.
Finally, confirm the authorization code on the [OAuth 2.0 <debugger/>] web site, which is the redirect URI defined in the Azure Active Directory application.
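The three steps of the authorization code grant described above (build the authorize request, handle the redirect with the code, exchange the code at the token endpoint) as an added Python example that is not part of the original article. It is a client-side skeleton, not the debugger site's own code: the tenant ID, client ID and redirect URI are constructed placeholders, the endpoint URL format is the v2 format the portal's [Endpoints] tab shows, and the PKCE helper is an addition beyond the page's steps, included because it is what lets a client without a client secret exchange the code. The redirect URL at the bottom is constructed to stand in for what the authorization server sends after [Accept].

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder identifiers; in practice copy them from the
# [Overview] and [Endpoints] sections of the app registration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
# Assumed redirect URI: use the one the debugger site shows in
# [Redirect URI (required)], which must be registered in the portal verbatim.
REDIRECT_URI = "https://oauthdebugger.com/debug"
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"


def new_state():
    """Unpredictable state the client stores in the user's session before the
    redirect and compares when the browser comes back (replaces the fixed '1234')."""
    return secrets.token_urlsafe(32)


def new_pkce_pair():
    """PKCE code_verifier and S256 code_challenge (RFC 7636). Added here beyond
    the page's steps; 48 random bytes give a 64-character verifier."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(state, code_challenge=None, scope="openid"):
    """Step 1: the URL the client sends the browser to. Mirrors the fields filled
    in on the debugger page: client ID, redirect URI, scope, state, response_type."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": scope,
        "state": state,
    }
    if code_challenge is not None:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Step 2: handle the browser's return to the redirect URI. Returns the
    authorization code, or raises ValueError if the server reported an error
    or the state is not the one this client issued (CSRF / injected code)."""
    query = parse_qs(urlparse(redirect_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode("utf-8"), expected_state.encode("utf-8")):
        raise ValueError("state mismatch: redirect was not initiated by this client")
    if "error" in query:
        description = query.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {query['error'][0]} {description}".strip())
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("redirect carries no authorization code")
    return code


def build_token_request(code, code_verifier=None, client_secret=None):
    """Step 3: form body POSTed to the token endpoint (not the resource server)
    to exchange the single-use code for tokens. A confidential client sends
    client_secret; a public client proves possession of the PKCE verifier."""
    body = {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
    }
    if code_verifier is not None:
        body["code_verifier"] = code_verifier
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


if __name__ == "__main__":
    state = new_state()
    verifier, challenge = new_pkce_pair()
    print("Send the browser to:", build_authorize_url(state, challenge))
    # Constructed redirect standing in for what Azure AD sends after [Accept].
    fake_redirect = f"{REDIRECT_URI}?code=constructed-code&state={state}&session_state=abc"
    code = parse_redirect(fake_redirect, state)
    print("POST to", TOKEN_ENDPOINT, "with", build_token_request(code, code_verifier=verifier))
```

The state check runs before anything else is read from the redirect, so a redirect an attacker forged or replayed is discarded even when it carries a plausible code; the token request goes to the token endpoint of the authorization server, and only the access token it returns is presented to the Microsoft Graph API.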