OAuth
Authentication vs Authorization
Authentication and authorization are two terms that come up together in OAuth and API security. They sound similar and are used in conjunction, but they refer to different security processes. OAuth 2.0 itself is an authorization framework: an access token proves what a client may do, not who the user is. User authentication is layered on top by OpenID Connect, which adds the id_token.
- Authentication answers the question: Who are you?
- Authorization answers the question: What are you allowed to do?
Getting Started
1) Create Service Principal (App registration)
- Go to App registrations and click New registration
- On Authentication click Add a platform and pass
http://localhost
as the redirect URI. Register the exact URI your client listens on (scheme, host and port); the token endpoint rejects a redirect_uri that does not match the registration
- On Certificates & secrets click Client secrets and create a new secret. Copy the secret Value right away; it is shown only once. The Secret ID displayed next to it is only an identifier and cannot be used as a credential
- Copy the Application (client) ID and the Directory (tenant) ID from the Overview page
2) Get Authorization Code
GET /{tenant-id}/oauth2/v2.0/authorize HTTP/1.1
Host: login.microsoftonline.com
client_id={client-id}&
redirect_uri={redirect-uri}&
response_type=code&
response_mode=query&
scope=offline_access {scopes}&
state={random-state}
This request is opened in the user's browser; it has no body, the parameters go in the query string. The offline_access scope is what makes the Microsoft identity platform return a refresh token (access_type=offline is a Google parameter and is ignored here). state is a random value the client stores and compares against the one sent back on the redirect to {redirect-uri}?code=...&state=..., so an attacker cannot plant a forged callback into the user's session.
3) Request Access and Refresh tokens
POST /{tenant-id}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
code={authorization-code}&
client_id={client-id}&
client_secret={client-secret}&
redirect_uri={redirect-uri}&
scope=offline_access {scopes}&
grant_type=authorization_code
client_secret is sent only by confidential clients (platform type Web). A public client (Mobile and desktop applications, SPA) must omit it; the token endpoint rejects a secret from a public client. redirect_uri must be identical to the one used in step 2. The authorization code is single use and short lived, so exchange it immediately.
3.1) Re-generate Access Token
POST /{tenant-id}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
refresh_token={refresh-token}&
client_id={client-id}&
client_secret={client-secret}&
scope=offline_access {scopes}&
grant_type=refresh_token
The response contains a new refresh_token as well as a new access_token; replace the stored refresh token with the new one. Refresh tokens are bearer credentials for the user's session, so store them with the same care as the client secret.
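The three requests above as one client-side procedure, written as an added example rather than code from the original notes. It builds the step 2 authorize URL, validates the callback, and builds the step 3 and 3.1 token request bodies for the v2.0 endpoints. It also adds the two checks the notes leave out: a random state value that is compared on the callback, and a PKCE code_verifier/code_challenge pair (S256) so that an intercepted authorization code cannot be redeemed by someone who did not start the flow. Function names such as build_authorize_url, parse_callback and build_token_request are this example's own, and the callback URL in demo() is constructed sample input, not a real response.

```python
"""Authorization-code flow helpers for Microsoft identity platform v2.0.
Added example; function names are this example's own."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

AUTHORITY = "https://login.microsoftonline.com"


def b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_for(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair() -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge). 32 random bytes give a 43-char
    verifier, inside the 43..128 range RFC 7636 allows."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge_for(verifier)


def build_authorize_url(tenant_id, client_id, redirect_uri, scopes, state, code_challenge):
    """Step 2: URL to open in the user's browser. offline_access is what makes
    the platform issue a refresh token; there is no access_type parameter."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "response_mode": "query",
        "scope": " ".join(["offline_access", *scopes]),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Pull the authorization code out of the redirect back to redirect_uri.
    Refuses it unless state equals the value this session generated (CSRF check)."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    returned_state = query.get("state", [""])[0]
    if not returned_state or not secrets.compare_digest(returned_state, expected_state):
        raise ValueError("state mismatch: callback was not started by this session")
    return query["code"][0]


def build_token_request(tenant_id, client_id, redirect_uri, scopes, *, code=None,
                        code_verifier=None, refresh_token=None, client_secret=None):
    """Step 3 (grant_type=authorization_code) or 3.1 (grant_type=refresh_token).
    Returns (token_url, form_fields). client_secret is included only when given,
    because public clients must not send one."""
    form = {"client_id": client_id, "scope": " ".join(["offline_access", *scopes])}
    if code is not None:
        form.update(grant_type="authorization_code", code=code,
                    redirect_uri=redirect_uri, code_verifier=code_verifier)
    elif refresh_token is not None:
        form.update(grant_type="refresh_token", refresh_token=refresh_token)
    else:
        raise ValueError("need either code or refresh_token")
    if client_secret is not None:
        form["client_secret"] = client_secret
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", form


def post_token_request(token_url: str, form: dict) -> bytes:
    """Send the form-encoded POST (network call; not exercised offline)."""
    req = Request(token_url, data=urlencode(form).encode("ascii"),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return resp.read()


def demo() -> dict:
    """Walk the flow with a constructed callback URL instead of a real browser."""
    tenant, client, redirect, scopes = "contoso.onmicrosoft.com", "00000000-client", "http://localhost", ["User.Read"]
    state = b64url(secrets.token_bytes(16))
    verifier, challenge = new_pkce_pair()
    authorize_url = build_authorize_url(tenant, client, redirect, scopes, state, challenge)
    # Constructed sample callback, as the browser would deliver it to http://localhost
    callback = f"{redirect}/?code=0.AXsample-code&state={state}"
    code = parse_callback(callback, state)
    token_url, form = build_token_request(tenant, client, redirect, scopes,
                                          code=code, code_verifier=verifier)
    return {"authorize_url": authorize_url, "token_url": token_url, "form": form}


if __name__ == "__main__":
    print(demo())
```

For a confidential (Web platform) client pass client_secret to build_token_request; for a public client leave it out and rely on PKCE. The same function builds the step 3.1 body when called with refresh_token instead of code, and the refresh_token returned in that response should replace the stored one.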