Reputation: 6770
I ideally want to be able to have an admin grant application permissions for my app and login to said app in the same flow. Is this possible?
I currently use the code grant flow for authentication.
I then use the client credentials flow for authorisation.
Is it possible to combine the two into a single flow?
I have the first redirected immediately to the second if the client token has not been granted before, but it isn't the most appealing flow from a UX perspective.
If I could add an ID token to the client grant response that'd be perfect (I just need the UPN of the admin that is consenting), but this doesn't seem to be possible.
A key requirement is the application permissions as my app makes changes to the entire org - obtaining the grantee's ID in the same flow is just a UX optimisation.
Perhaps this is possible with the OpenID Connect flow?
Upvotes: 0
Views: 552
Reputation: 9511
Is it possible to combine the two into a single flow?
No, these are two different authentication flows.
For the authorization code flow, it's used to perform authentication and authorization in the majority of app types, including single page apps, web apps, and natively installed apps. The flow enables apps to securely acquire access_tokens that can be used to access resources secured by the Microsoft identity platform endpoint, as well as refresh tokens to get additional access_tokens, and ID tokens for the signed in user. This flow is usually used in scenarios with user interaction.
For the client credentials flow, the administrator directly grants permissions to the application itself. When an application provides a token to a resource, the resource will force the application itself to have the permission to perform operations. This type of grant is usually used for server-to-server interactions that must run in the background and do not require immediate interaction with the user. This is generally used in daemons, which can only obtain an access_token for accessing resources.
Perhaps this is possible with the OpenID Connect flow?
This is where a user is logged in. Generally, delegated permissions are used, so it is impossible.
So, in summary, you cannot obtain ID tokens when using the client credential flow because there is no user interaction in the flow.
Upvotes: 1
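As an added illustration (not code from the question or the answer), the two requests the question describes side by side, plus a claims check a resource can use to tell a delegated token from an app-only one; the endpoints are the Microsoft identity platform v2.0 ones, while tenant, client and claim values are placeholders:

```python
from urllib.parse import urlencode

# Microsoft identity platform v2.0 authority; {tenant} is filled in by the caller.
AUTHORITY = "https://login.microsoftonline.com/{tenant}"


def authorize_url(tenant, client_id, redirect_uri, state, nonce):
    """Authorization-code request that also asks for an ID token (openid scope),
    so the signed-in admin's UPN can be read from id_token after the code is redeemed."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "openid profile offline_access",
        "state": state,   # CSRF protection for the redirect
        "nonce": nonce,   # bound into the ID token to prevent replay
    }
    return f"{AUTHORITY.format(tenant=tenant)}/oauth2/v2.0/authorize?{urlencode(params)}"


def client_credentials_body(client_id, client_secret, scope="https://graph.microsoft.com/.default"):
    """POST body for the client-credentials grant to /oauth2/v2.0/token.
    No user is involved, so there is no openid scope and the response carries no id_token."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": scope,
    }


def token_subject(claims):
    """Classify a decoded access-token payload (signature already verified by the caller).
    Delegated tokens carry 'scp' plus a user identity (upn / preferred_username);
    app-only tokens issued by client credentials carry 'roles' and no user claims."""
    user = claims.get("upn") or claims.get("preferred_username")
    if "scp" in claims and user:
        return ("delegated", user)
    if "roles" in claims and not user:
        return ("app-only", None)
    return ("unknown", user)


# Constructed sample payloads (not real tokens), shaped like identity platform claims.
DELEGATED_CLAIMS = {"aud": "api://example-app", "scp": "User.Read",
                    "upn": "admin@contoso.example", "oid": "00000000-0000-0000-0000-000000000001"}
APP_ONLY_CLAIMS = {"aud": "api://example-app", "roles": ["Directory.ReadWrite.All"],
                   "oid": "00000000-0000-0000-0000-000000000002"}
```

The app-only payload shows concretely why the answer says no ID token can come from that flow: nothing in it names a person, only the service principal.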