Table of Contents

Introduction

In the realm of cloud computing and modern applications, secure and efficient user authentication and authorization are paramount. Azure Active Directory (Azure AD), now Microsoft Entra ID, provides a robust platform for managing identities and access. Understanding the various identity flows it supports is crucial for developers and architects alike. This post will dive deep into the fundamental identity flows within Azure AD, explaining their purpose, mechanics, and use cases.

These flows are built upon industry standards like OAuth 2.0 and OpenID Connect (OIDC), ensuring interoperability and robust security.

Core Concepts

Before exploring the flows, let's define some key terms:

  • Identity Provider (IdP): In this context, Azure AD is the identity provider. It authenticates users and issues security tokens.
  • Client Application: This is the application (web, mobile, desktop) that needs to access protected resources on behalf of a user or itself.
  • Resource Server: This is the server hosting the protected resources (e.g., an API).
  • Authorization Server: This is typically Azure AD, which issues access tokens after the client application is authorized.
  • Access Token: A credential used by a client to access a protected resource. It contains information about the client, user, and permissions granted.
  • ID Token: A security token issued by the authorization server that contains claims about the authenticated user. Primarily used by the client application for authentication.
  • Scope: Defines the level of access the client application is requesting (e.g., user.read).
  • Grant Type: Specifies the method by which the client obtains an authorization grant. This is the core differentiator between identity flows.

Common Identity Flows

Azure AD supports several OAuth 2.0 grant types, each suited for different application scenarios.

Authorization Code Flow

This is the most common and secure flow for server-side web applications. It involves user interaction and redirects to securely exchange an authorization code for tokens.

  1. The user attempts to access a protected resource in the client application.
  2. The client application redirects the user's browser to Azure AD's authorization endpoint, requesting an authorization code.
  3. Azure AD authenticates the user (if not already logged in) and asks for consent to grant the requested permissions to the client application.
  4. Upon user consent, Azure AD redirects the user back to the client application's pre-registered redirect URI with an authorization code in the query string.
  5. The client application's backend server receives this code and makes a direct, server-to-server request to Azure AD's token endpoint, exchanging the authorization code for an Access Token and an ID Token.
  6. The client application uses the Access Token to make requests to the resource server.
Authorization Code Flow Diagram

Conceptual flow of Authorization Code Grant.

Use Case: Traditional web applications where the client secret can be kept confidential on the server.

Implicit Flow

This flow is designed for single-page applications (SPAs) and is simpler but less secure than the Authorization Code Flow as it returns tokens directly to the browser. Microsoft generally recommends using the Authorization Code Flow with PKCE for SPAs.

  1. The user initiates an action in the SPA that requires authentication.
  2. The SPA redirects the user's browser to Azure AD's authorization endpoint.
  3. Azure AD authenticates the user and returns tokens (ID Token and Access Token) directly in the URL fragment of the redirect URI.
  4. The SPA's JavaScript code parses these tokens from the URL fragment.

Deprecated for SPAs

While historically used for SPAs, the Implicit Flow is not recommended for new development due to security concerns. Consider Authorization Code Flow with PKCE.

Use Case: Older SPAs or scenarios where backend interaction is not feasible (use with caution).

Client Credentials Flow

This flow is used for machine-to-machine (M2M) communication. The client application authenticates itself directly with Azure AD without user involvement.

  1. The client application presents its credentials (client ID and client secret or certificate) directly to Azure AD's token endpoint.
  2. Azure AD validates the client's credentials.
  3. If valid, Azure AD issues an Access Token to the client application, which can then be used to access protected resources on behalf of the application itself.
Client Credentials Flow Diagram

Client Credentials Grant for M2M communication.

Use Case: Services or daemons that need to access APIs without a signed-in user, such as background jobs or inter-service communication.

On-Behalf-Of Flow

This flow is essential for scenarios where a service needs to call another service, and it needs to do so with the original user's identity and permissions.

  1. A client application calls a first-tier service (e.g., a web API) on behalf of a user, presenting the user's Access Token.
  2. The first-tier service needs to call a second-tier service (e.g., a downstream API) to fulfill the request.
  3. The first-tier service uses the user's Access Token to request a new Access Token from Azure AD for the second-tier service. This is the "On-Behalf-Of" part.
  4. Azure AD validates the token and issues a new Access Token scoped for the second-tier service, representing the original user's identity.
  5. The first-tier service uses this new token to call the second-tier service.

Use Case: Multi-tiered applications where a front-end service needs to call back-end services while maintaining the user's context.

Device Code Flow

This flow is designed for input-constrained devices like smart TVs, IoT devices, or command-line tools where a user cannot easily log in through a browser.

  1. The client application on the device initiates the flow and displays a short code and a URL to the user.
  2. The user visits the URL on a separate, internet-connected device (like a smartphone or computer) and enters the short code.
  3. The user logs into Azure AD on the separate device and grants permission.
  4. The client application on the device periodically polls Azure AD to check if the user has completed the login process.
  5. Once authorized, the client application receives tokens to access protected resources.
Device Code Flow Diagram

Device Code flow for input-constrained devices.

Use Case: Smart home devices, gaming consoles, CLI tools, and any application where interactive browser-based login is not practical.

OAuth 2.0 & OpenID Connect

Azure AD identity flows are implementations of the OAuth 2.0 framework and OpenID Connect (OIDC).

  • OAuth 2.0 is an authorization framework that provides a way for applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, or Google. It focuses on authorization (granting access).
  • OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user. It focuses on authentication and provides the ID Token.

Azure AD uses these standards to provide a flexible and secure way to manage access to your applications and resources.

Security Considerations

When implementing identity flows, several security best practices should be followed:

  • HTTPS Everywhere: All communication must be over HTTPS to prevent interception of credentials and tokens.
  • Validate Tokens: Always validate the signature and issuer of incoming tokens to ensure they are legitimate.
  • Use PKCE for Public Clients: For native apps and SPAs (public clients), always use Proof Key for Code Exchange (PKCE) with the Authorization Code flow.
  • Secure Client Secrets: If using flows that require client secrets (like Client Credentials), store them securely and never expose them in client-side code.
  • Least Privilege: Request only the scopes that your application truly needs.
  • Token Expiration: Be aware of token lifetimes and implement refresh token logic securely.
  • Redirect URI Validation: Ensure Azure AD is configured with exact, specific redirect URIs. Avoid wildcard URIs.

PKCE is Crucial

For single-page applications and mobile apps, the Authorization Code Flow with PKCE is the recommended and most secure option. It mitigates the authorization code interception attack.

Conclusion

Understanding Azure AD's identity flows is fundamental to building secure, modern applications that leverage cloud identity management. By choosing the appropriate flow for your application's needs and adhering to security best practices, you can ensure a robust and trustworthy authentication and authorization experience for your users.

Whether you're building a web app, a mobile app, or a backend service, Azure AD provides the tools and standards to manage identities effectively. Keep exploring and experimenting to master these essential concepts!