OAuth 2 Authorization Code grant in AzureAD - nordvall/TokenClient GitHub Wiki

The Authorization Code grant is supported by AzureAD, but in a somewhat special way. For more information, see OAuth 2 in AzureAD.

1. Client visits the authorization endpoint

Request

GET instanceid/oauth2/authorize?api-version=1.0&response_type=code&client_id=16caf492-f9b9-4feb-bce1-3a4d8bcf04eb&resource=https%3A%2F%2Fgraph.windows.net HTTP/1.1
Host: login.windows.net

Response:

HTTP 302 Found
Location: https://login.microsoftonline.com/login.srf?wa=wsignin1.0&wtrealm=https%3a%2f%2flogin.windows.net%2f&wreply=https%3a%2f%2flogin.windows.net%2finstanceid%2fwsfederation&wctx=value&wp=MBI_FED_SSL

The client browser is redirected to the Microsoft Online login page.

2. User logs in

The user logs in but does not need to give any approval. After the user is authenticated, the client browser is made to send a POST request back to Azure AD.

Request

POST instanceid/wsfederation HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: login.windows.net

wctx=value&wresult=*saml 1.1 assertion*&wa=wsignin1.0

Response:

HTTP 302 Found
Location: https://redirecturi/?code=abc123&session_state=ed693add-1a5f-490b-a44b-a9df1a44bf5c

Here the client browser gets the authorization code delivered to its redirect URL.

3. Client requests access token

Request:

POST instanceid/oauth2/token
Content-Type: application/x-www-form-urlencoded
Host: login.windows.net
Content-Length: 624

grant_type=authorization_code&client_id=246e3879-8495-49fc-ad95-d79521b6ed94&client_secret=password1&code=abc123&session_state=7d85d7b7-b157-46c3-ae7e-9f4f2a443aa3

Parameters:

| parameter | value | example |
|---|---|---|
| grant_type | the OAuth 2 grant type | always authorization_code in this case |
| client_id | the client id GUID of the requesting client | a GUID found in the management portal |
| client_secret | one of the secret keys of the client application, as created in the management portal | abc123 |
| code | the OAuth authorization code | abc123 |
| session_state | the state GUID from the session_state parameter delivered to the redirect URL in the previous step | |

Note that the following parameters are not necessary in this step:

  • resource
  • redirect_uri

Also note that the ?api-version=1.0 URL parameter must be omitted in this step, because the authorization code grant was not supported in the 1.0 version.

Response:

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8

{
    "access_token":"*token*",
    "token_type":"Bearer",
    "expires_in":"3599",
    "expires_on":"1391176643",
    "resource":"https://graph.windows.net",
    "refresh_token":"*token*",
    "scope":"62e90394-69f5-4237-9190-012177145e10",
    "id_token":"*token*"
}

Now you can take the access_token and use it for the number of seconds given in expires_in (3599 here).

4. Client uses the refresh token to renew the access token

Request:

POST /instanceid/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: login.windows.net
Content-Length: 565

grant_type=refresh_token&client_id=246e3879-8495-49fc-ad95-d79521b6ed94&client_secret=abc123&refresh_token=xyz

Parameters:

| parameter | value | example |
|---|---|---|
| grant_type | the OAuth 2 grant type | always refresh_token in this case |
| client_id | same client id that was used to get the first access token | a GUID |
| client_secret | one of the valid secret keys of the client | abc123 |
| refresh_token | the refresh token you received along with the first access token | zzz |

Response:

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8

{
    "access_token":"*token*",
    "token_type":"Bearer",
    "expires_in":"3600",
    "expires_on":"1391178126",
    "resource":"https://graph.windows.net",
    "scope":"62e90394-69f5-4237-9190-012177145e10"
}

Note that there is no refresh token in this response. However, the old refresh token is valid for subsequent requests.
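As an added example (not code from the TokenClient project), here is a small Python client-side helper covering steps 2 to 4 above: it pulls code and session_state out of the redirect URL, builds the token and refresh request bodies without api-version, resource or redirect_uri, converts the string-typed expires_on, and keeps the old refresh token when the refresh response carries none. The sample responses are constructed from the ones shown on this page; the token values are placeholders.

```python
import json
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.windows.net"  # host used throughout the page

# Constructed sample responses, shaped like the step 3 and step 4 responses above.
SAMPLE_FIRST = ('{"access_token":"a1","token_type":"Bearer","expires_in":"3599",'
                '"expires_on":"1391176643","resource":"https://graph.windows.net",'
                '"refresh_token":"r1","scope":"62e90394","id_token":"i1"}')
SAMPLE_REFRESH = ('{"access_token":"a2","token_type":"Bearer","expires_in":"3600",'
                  '"expires_on":"1391178126","resource":"https://graph.windows.net"}')

def parse_redirect(location):
    """Step 2: extract code and session_state from the redirect URL; both are required."""
    qs = parse_qs(urlsplit(location).query)
    code, state = qs.get("code", [None])[0], qs.get("session_state", [None])[0]
    if not code or not state:
        raise ValueError("redirect is missing code or session_state")
    return code, state

def build_token_request(instance_id, client_id, client_secret, code, session_state):
    """Step 3: token endpoint without api-version; no resource or redirect_uri in the body."""
    url = f"{AUTHORITY}/{instance_id}/oauth2/token"
    body = urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "client_secret": client_secret, "code": code,
                      "session_state": session_state})
    return url, body

def build_refresh_request(instance_id, client_id, client_secret, refresh_token):
    """Step 4: same endpoint, refresh_token grant."""
    url = f"{AUTHORITY}/{instance_id}/oauth2/token"
    body = urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "client_secret": client_secret, "refresh_token": refresh_token})
    return url, body

@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_on: int  # unix time; AzureAD returns it as a string

def apply_token_response(previous, raw_json):
    """Merge a token endpoint response into a TokenSet. A refresh response (step 4)
    carries no refresh_token, so the previous one is kept."""
    data = json.loads(raw_json)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    refresh = data.get("refresh_token") or (previous.refresh_token if previous else None)
    if not refresh:
        raise ValueError("no refresh token available")
    return TokenSet(data["access_token"], refresh, int(data["expires_on"]))

def needs_refresh(tokens, now, skew=60):
    """True when the access token is expired or within `skew` seconds of expiring."""
    return now + skew >= tokens.expires_on
```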

External references