OAuth 2.0 in Azure AD


Updated: June 22, 2015

Azure Active Directory (Azure AD) uses OAuth 2.0 to enable you to authorize access to web applications and web APIs in your Azure AD tenant. The Azure AD implementation of OAuth 2.0 complies with OAuth 2.0 RFC 6749 and is extended to protect third-party web APIs This design lets you use AAD as a complete security platform for the web apps and web APIs that you develop.

If you're not familiar with OAuth 2.0, start by reading the spec: OAuth 2.0. The topics in this section assume that you know a bit about OAuth 2.0 and its terminology, and they explain how Azure AD implements and extends OAuth 2.0.

The topics in this section show you how to assemble the requests and use the responses. Typically, the APIs you use, such as Azure AD Authentication Library for .NET, handle these details for you, but it's useful to understand what is going on in the background, especially for debugging and on platforms that don't have appropriate library support.

In this section:

  • Authorization Code Grant Flow: Native client applications and websites use a flow in which an authorization code represents the resource owner's consent to allow the application to access a resource. The application gets the authorization code from Azure AD, and then exchanges it for an access token that provides access to the resource. The application never sees the user's credentials and the user's agent or browser environment never sees the access token.

  • Service to Service Calls Using Client Credentials: The OAuth 2.0 Client Credentials Grant flow permits a web service (a confidential client) to use its own credentials to authenticate when calling another web service, instead of impersonating a user. In this scenario, the client is typically a middle-tier web service, a daemon service, or website.

  • Refresh Tokens for Multiple Resources: This feature allows you to use a single refresh token to request access tokens for multiple resources.

  • Error Handling in OAuth 2.0: This section describes the errors that you might receive from authorization endpoints, token issuance endpoints, and secured resources, and explains how to handle them.

  • Best Practices for OAuth 2.0 in Azure AD: This topic explains "best practice" behavior when using OAuth 2.0 in Azure AD. These recommendations help you to get the most out of OAuth 2.0 and to avoid common pitfalls.