OAuth 2.0 API
This document provides comprehensive details on how to integrate with our services using the OAuth 2.0 authorization framework. OAuth 2.0 is a delegated authorization framework that allows third-party applications to obtain limited access to user accounts on an HTTP service, such as Microsoft accounts, without exposing the user's credentials to the third party.
Core Concepts
OAuth 2.0 involves several key roles and concepts:
- Resource Owner: The user who owns the data and grants access.
- Client: The application requesting access to the user's data.
- Authorization Server: The server that authenticates the resource owner and issues access tokens after obtaining authorization.
- Resource Server: The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
- Access Token: A credential representing the authorization granted to the client.
- Scope: Defines the specific permissions the client is requesting.
Supported Flows
We support the following OAuth 2.0 grant types:
1. Authorization Code Grant
This is the most common and recommended flow for web applications. It provides the highest level of security.
Authorization Endpoint
GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Token Endpoint
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Parameters for Authorization Request:
| Parameter | Description | Required |
|---|---|---|
client_id |
Your application's client ID. | Yes |
redirect_uri |
The URI to redirect to after authorization. Must be pre-registered. | Yes |
response_type |
Must be code for Authorization Code Grant. |
Yes |
scope |
A space-delimited list of requested scopes. (e.g., user.read offline_access) |
Yes |
state |
An opaque value used to maintain state between the request and callback. Recommended for CSRF protection. | No (but highly recommended) |
2. Client Credentials Grant
This flow is used for machine-to-machine communication where the client is acting on its own behalf, not on behalf of a user.
Token Endpoint
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Parameters for Token Request:
| Parameter | Description | Required |
|---|---|---|
client_id |
Your application's client ID. | Yes |
client_secret |
Your application's client secret. | Yes |
grant_type |
Must be client_credentials. |
Yes |
scope |
A space-delimited list of requested scopes. | No (if not specified, defaults to resource-specific permissions) |
Scopes
Available scopes define the permissions your application can request. Some common scopes include:
user.read: Allows reading the profile of the signed-in user.user.read.all: Allows reading the profiles of all users in the organization.directory.read.all: Allows reading all directory data.offline_access: Allows your application to obtain refresh tokens to access resources when the user is offline.
A full list of available scopes can be found in the API Reference.
Access Token Response
Upon successful authentication, the token endpoint returns a JSON object containing:
{
"token_type": "Bearer",
"expires_in": 3600,
"access_token": "eyJ0eXAiOiJ..."
}
token_type: The type of the token (usuallyBearer).expires_in: The lifetime of the access token in seconds.access_token: The actual access token to be used in API requests.
Making API Calls
Include the obtained access_token in the Authorization header of your HTTP requests:
Authorization: Bearer [YOUR_ACCESS_TOKEN]
state parameter in the Authorization Code Grant to prevent cross-site request forgery (CSRF) attacks. Validate the state parameter upon receiving the callback.
Refresh Tokens
To maintain access beyond the lifetime of an access token, you can use refresh tokens. Refresh tokens are obtained when requesting an access token with the offline_access scope.
Token Endpoint (for refresh)
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Parameters for Refresh Token Request:
| Parameter | Description | Required |
|---|---|---|
client_id |
Your application's client ID. | Yes |
client_secret |
Your application's client secret. | Yes |
grant_type |
Must be refresh_token. |
Yes |
refresh_token |
The refresh token obtained previously. | Yes |
scope |
A space-delimited list of scopes for the new access token. | No (if omitted, the scopes from the original refresh token are used) |