
I am trying to implement Oauth Code Grant flow using Azure AD as the authorization server. Followed these steps to implement the Code grant flow.

  1. Created an Azure AD app with the redirect_uri where I would like to receive the auth code.
  2. App permissions as below (screenshot not reproduced).
  3. Configured the client id and secret at the client application side, and the complete flow is working. I am able to receive the auth code and access token.

There are few things I would like to get clarified with Azure AD authentication.

  1. In some materials and blogs, I am seeing 2 Azure apps registered in Azure AD: one for the Resource API (i.e., the backend API) and the other for the Consumer application which requests access to this API. When should we go for registering 2 apps in Azure AD?

  2. Is it that when scopes are defined for the backend API, we need to register an Azure AD app for the backend resource with the scopes listed?

  3. Or is registering an Azure app tied to the OAuth grant type? I.e., client credentials - 2 apps, and for the OAuth code grant - 1 app will do.

These may be basic questions, but I am not finding these questions clarified in any documents.

Any help on this is much appreciated.

jack

1 Answer

In some materials and blogs, I am seeing 2 Azure apps registered in Azure AD: one for the Resource API (i.e., the backend API) and the other for the Consumer application which requests access to this API. When should we go for registering 2 apps in Azure AD?

It used to be necessary to make two app registrations. It is no longer the case with the new model. You can use one app registration for the API and client(s). I'll mention at least one case where you might consider two in the next part.

Is it that when scopes are defined for the backend API, we need to register an Azure AD app for the backend resource with the scopes listed?

You can use one app registration. Just note that if you use one registration, the client can request any scope to itself. It does not require permission assignments for its own scopes. If you use two separate registrations, you can decide which permissions are allowed for the client.

Or is registering an Azure app tied to the OAuth grant type? I.e., client credentials - 2 apps, and for the OAuth code grant - 1 app will do.

No.

juunas
  • So, if I go with one app registration, it means multiple applications will be using the same client id and secret of the same app, correct? So if I have to allow a Consumer to request access to my API, and I need to approve the request as the API owner (an approval workflow to allow access to my API), the way forward is to go for multiple app registrations, i.e., 1 for the Resource API and 1 app for each Consumer who wants to use the API. Is that the correct understanding? – jack Apr 26 '23 at 12:24
  • And for TokenValidation, if only one app is registered - anyone who has the clientid & secret can validate the token. Shouldn't it be restricted only to the Resource/backend App to validate the token? – jack Apr 26 '23 at 12:28
  • Absolutely anyone can validate the token. The public parts of the signing keys are available publicly at e.g. https://login.microsoftonline.com/common/discovery/v2.0/keys. Being able to validate the token doesn't get you access to anything though, since you can't modify the token. If you have a case where separate people are developing client applications, using separate app registrations sounds like a better idea. – juunas Apr 26 '23 at 12:31
  • For example, if I sign in to an application and get my hands on the token, I can inspect it and validate it. But if I make any changes to it, it won't work since the signature won't match. – juunas Apr 26 '23 at 12:32