Microsoft Identity Platform - Auth Code Flow

From PiRho Knowledgebase
Revision as of 16:20, 14 March 2026 by Dex (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

The Authorization Code Flow is the most secure OAuth 2.0 flow supported by the Microsoft Identity Platform. It is designed for confidential client applications—such as web apps and server-side components—that can safely store a client secret. This flow ensures that tokens are never exposed to the browser and that authentication takes place through a trusted backend component.

Context

Modern applications often need to authenticate users and securely request access to Microsoft resources such as Microsoft Graph, Azure APIs, and custom APIs protected by Entra ID. Because applications must operate in untrusted environments, the Authorization Code Flow exists to ensure confidentiality, integrity, and secure delegated access.

How the Authorization Code Flow Works

1. User Signs In and Receives an Authorization Code

The app redirects the user to the authorization endpoint with parameters such as client_id, redirect_uri, response_type=code, scope, and PKCE parameters. The user signs in and consents. Microsoft redirects back with an authorization code.

2. Server Exchanges the Code for Tokens

Your backend sends the authorization code to the token endpoint with client credentials and PKCE verifier. The Microsoft Identity Platform returns Access, Refresh, and ID tokens.

Where This Flow Is Used

  • Web applications with server-side components
  • Server-rendered apps
  • SPAs using a backend token broker
  • Desktop/mobile apps with PKCE

PKCE

PKCE adds protection against interception attacks by binding the authorization code to a one-time verifier.

Security Benefits

  • Tokens never exposed to the browser
  • Strong protection through PKCE
  • Short-lived access tokens and refresh tokens
  • Prevents redirection and interception attacks

Sequence Diagram (Conceptual)

``` User → App → Microsoft Login → App → Token Endpoint → App → Resource API ```

Common Pitfalls

  • Redirect URI mismatch
  • PKCE parameters missing or invalid
  • Using deprecated implicit flow
  • Incorrect token audience
  • Missing offline_access for refresh tokens

Troubleshooting

  • Invalid_client → bad secret or misconfiguration
  • Invalid_grant → wrong/expired code or PKCE mismatch
  • Consent loops → inconsistent scopes
  • 401s → wrong token audience

Related Articles

References