Azure AD OAuth2 implicit grant

Posted on 4/5/2015 @ 8:59 PM in #Azure

The implicit grant type is used to obtain access tokens only; it does not support the issuance of refresh tokens. It is optimized for public clients known to operate a particular redirection URI, which makes it a fit for single-page applications (SPAs) written in JavaScript.

Unlike the authorization code grant type, in which the client makes separate requests for authorization and for an access token, the client receives the access token directly as the result of the authorization request: Azure AD redirects the browser back to the registered redirection URI with the token in the URL fragment.

Most important to note, the implicit grant type does not include client authentication. It relies instead on the presence of the resource owner and on the registration of the redirection URI. In the case of Azure AD, the browser is redirected to the Azure AD sign-in page, which authenticates the user (the resource owner), never the client. The only thing keeping a token from being delivered to a page the attacker controls is that Azure AD will redirect only to a URI you registered, so keep that list exact.

This means it is a fit for SPAs (JavaScript) and for mobile apps that don't need "remember me" (with no refresh token, the user has to sign in again once the access token expires), but unsuitable for unattended scenarios such as app-only services, where there is no signed-in user to redirect.
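The round trip described above, as an added example that is not code from the original post: the SPA builds the authorization request with response_type=token against the Azure AD (v1) authorize endpoint, then parses the token out of the fragment Azure AD sends back and checks the state it chose. The tenant, client ID, resource, redirect URI and the two sample fragments are made-up values for illustration.

```javascript
// Added example (not from the original post): both halves of the implicit
// grant as a SPA drives them against the Azure AD v1 endpoint. All IDs, URLs
// and fragments below are constructed placeholders.

const AUTHORITY = "https://login.microsoftonline.com";

// Half 1: the authorization request. response_type=token is what selects the
// implicit grant: no separate token request follows this redirect.
function buildAuthorizeUrl({ tenant, clientId, resource, redirectUri, state, nonce }) {
  const url = new URL(`${AUTHORITY}/${encodeURIComponent(tenant)}/oauth2/authorize`);
  url.searchParams.set("response_type", "token");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("resource", resource);        // v1 endpoint: the API the token is for
  url.searchParams.set("redirect_uri", redirectUri); // must match a registered reply URL
  url.searchParams.set("state", state);              // unguessable per-request value (in a browser, from crypto.getRandomValues)
  url.searchParams.set("nonce", nonce);
  return url.toString();
}

// Half 2: Azure AD sends the browser back to redirect_uri with the result in
// the URL fragment (window.location.hash). There is no client secret and no
// refresh token to look for; the state check is the client's only proof that
// this response belongs to a request it actually started.
function parseImplicitResponse(fragment, expectedState) {
  const params = new URLSearchParams(fragment.replace(/^#/, ""));
  if (params.get("state") !== expectedState) {
    throw new Error("state mismatch: discarding response");
  }
  if (params.has("error")) {
    throw new Error(`${params.get("error")}: ${params.get("error_description") || ""}`);
  }
  const accessToken = params.get("access_token");
  const tokenType = (params.get("token_type") || "").toLowerCase();
  if (!accessToken || tokenType !== "bearer") {
    throw new Error("response carries no bearer access token");
  }
  return {
    accessToken,
    expiresIn: Number(params.get("expires_in")), // seconds; re-run the authorize request when it runs out
  };
}

// Constructed sample values (not real tokens or identifiers).
const REQUEST = {
  tenant: "contoso.onmicrosoft.com",
  clientId: "11111111-2222-3333-4444-555555555555",
  resource: "https://contoso.onmicrosoft.com/todoapi",
  redirectUri: "https://spa.contoso.com/callback",
  state: "s-7f3a9c",
  nonce: "n-1b2c3d",
};
const SAMPLE_OK_FRAGMENT =
  "#access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.sample.sig" +
  "&token_type=Bearer&expires_in=3599&state=s-7f3a9c";
const SAMPLE_ERR_FRAGMENT =
  "#error=access_denied&error_description=User+declined&state=s-7f3a9c";

const authorizeUrl = buildAuthorizeUrl(REQUEST);           // send the browser here
const grant = parseImplicitResponse(SAMPLE_OK_FRAGMENT, REQUEST.state); // on return
```

In a real page the second call takes window.location.hash, and the fragment should be cleared from the address bar afterwards so the token does not linger in history.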

Applications provisioned in Azure AD are not enabled to use the OAuth2 implicit grant by default. You need to explicitly opt in. Here is how:

  1. Go to the application registered in Azure AD that your SPA will use as its client ID (the Web API in this walkthrough) and open "Configure".
  2. Click the Manage Manifest button and download the manifest file.
  3. Open the manifest file and search for the oauth2AllowImplicitFlow property. The default is false; change it to true.
  4. Upload the manifest file back into the same application and save.
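An added helper, not part of the original post, that does step 3 on the downloaded manifest and, since the grant's safety rests on the registered reply URLs, flags entries that would hand the token to the wrong place (plain http, wildcards). Only the property names oauth2AllowImplicitFlow and replyUrls are the real Azure AD manifest keys; the sample manifest content is constructed for illustration.

```javascript
// Added example (not from the original post). The manifest below is a
// constructed excerpt; oauth2AllowImplicitFlow and replyUrls are the real
// Azure AD (v1) application-manifest property names, everything else is filler.

const SAMPLE_MANIFEST = JSON.stringify({
  appId: "00000000-0000-0000-0000-000000000000", // placeholder
  displayName: "Contoso SPA",                       // placeholder
  oauth2AllowImplicitFlow: false,                   // the default the post describes
  replyUrls: [
    "https://spa.contoso.com/callback",
    "http://spa.contoso.com/callback",   // plain http: the token would travel in the clear
    "https://*.contoso.com/callback",    // wildcard: any subdomain could receive the token
    "http://localhost:3000/callback",    // local development, tolerated below
  ],
}, null, 2);

// Returns a warning string for a risky reply URL, or null when it is acceptable.
function checkReplyUrl(u) {
  if (u.includes("*")) return `wildcard in reply URL: ${u}`;
  let parsed;
  try {
    parsed = new URL(u);
  } catch (e) {
    return `unparseable reply URL: ${u}`;
  }
  const isLocal = parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1";
  if (parsed.protocol !== "https:" && !isLocal) return `non-https reply URL: ${u}`;
  return null;
}

// Step 3 from the post, applied to the manifest text, plus the reply-URL review.
function enableImplicitFlow(manifestText) {
  const manifest = JSON.parse(manifestText);
  const warnings = [];
  if (!Array.isArray(manifest.replyUrls) || manifest.replyUrls.length === 0) {
    warnings.push("no replyUrls registered: Azure AD has nothing to match redirect_uri against");
  } else {
    for (const u of manifest.replyUrls) {
      const w = checkReplyUrl(u);
      if (w) warnings.push(w);
    }
  }
  const wasEnabled = manifest.oauth2AllowImplicitFlow === true;
  manifest.oauth2AllowImplicitFlow = true;
  return { text: JSON.stringify(manifest, null, 2), wasEnabled, warnings };
}

const result = enableImplicitFlow(SAMPLE_MANIFEST);
// result.text is what you upload in step 4; fix anything in result.warnings first.
```

Read the downloaded file into a string, pass it through enableImplicitFlow, and write result.text back out before uploading; the two warnings the sample produces are the http entry and the wildcard entry.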

That’s it! You are now implicit grant enabled. Party!
