OAuth 2 Authorization Code grant in AzureAD
The Authorization Code grant is supported by AzureAD, but in a somewhat special way. For more information, see OAuth 2 in AzureAD.
Request
GET /instanceid/oauth2/authorize?api-version=1.0&response_type=code&client_id=16caf492-f9b9-4feb-bce1-3a4d8bcf04eb&resource=https%3A%2F%2Fgraph.windows.net HTTP/1.1
Host: login.windows.net
Response:
HTTP 302 Found
Location: https://login.microsoftonline.com/login.srf?wa=wsignin1.0&wtrealm=https%3a%2f%2flogin.windows.net%2f&wreply=https%3a%2f%2flogin.windows.net%2finstanceid%2fwsfederation&wctx=value&wp=MBI_FED_SSL
The client browser is redirected to the Microsoft Online login page.
The user logs in but does not need to give any approval (there is no consent prompt). After the user is authenticated, the client browser is made to POST the WS-Federation response back to Azure AD.
Request
POST /instanceid/wsfederation HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: login.windows.net
wctx=value&wresult=*saml 1.1 assertion*&wa=wsignin1.0
Response:
HTTP 302 Found
Location: https://redirecturi/?code=abc123&session_state=ed693add-1a5f-490b-a44b-a9df1a44bf5c
Here the client browser gets the authorization code delivered to its redirect URL.
Request:
POST /instanceid/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: login.windows.net
Content-Length: 624
grant_type=authorization_code&client_id=246e3879-8495-49fc-ad95-d79521b6ed94&client_secret=password1&code=abc123&session_state=7d85d7b7-b157-46c3-ae7e-9f4f2a443aa3
Parameters:
parameter | value | example |
---|---|---|
grant_type | the OAuth 2 grant type | always authorization_code in this case |
client_id | the client id guid of the requesting client | a guid found in the management portal |
client_secret | one of the secret keys of the client application, as created in the management portal | abc123 |
code | the OAuth authorization code | abc123 |
session_state | the state guid from the session_state parameter delivered to the redirect URL in the previous step | a guid |
Note that the following parameters are not necessary in this step:
- resource
- redirect_uri
Also note that the ?api-version=1.0 URL parameter must be omitted on the token endpoint, because the authorization code grant was not supported in version 1.0 of the API.
Response:
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
{
"access_token":"*token*",
"token_type":"Bearer",
"expires_in":"3599",
"expires_on":"1391176643",
"resource":"https://graph.windows.net",
"refresh_token":"*token*",
"scope":"62e90394-69f5-4237-9190-012177145e10",
"id_token":"*token*"
}
Now you can take the access_token and use it as a Bearer token for the next 3599 seconds (the expires_in value).
Request:
POST /instanceid/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: login.windows.net
Content-Length: 565
grant_type=refresh_token&client_id=246e3879-8495-49fc-ad95-d79521b6ed94&client_secret=abc123&refresh_token=xyz
Parameters:
parameter | value | example |
---|---|---|
grant_type | the OAuth 2 grant type | always refresh_token in this case |
client_id | same client id that was used to get the first access token | a guid |
client_secret | one of the valid secret keys of the client | abc123 |
refresh_token | the refresh token you received along with the first access token | zzz |
Response:
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
{
"access_token":"*token*",
"token_type":"Bearer",
"expires_in":"3600",
"expires_on":"1391178126",
"resource":"https://graph.windows.net",
"scope":"62e90394-69f5-4237-9190-012177145e10"
}
Note that there is no refresh token in this response; the refresh token received with the first access token remains valid for subsequent refresh requests.
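The following Python class is an added example, not code from the page or from Microsoft, that drives the client side of both exchanges described above: it builds the /authorize URL with api-version=1.0, extracts code and session_state from the redirect, redeems the code at /oauth2/token without api-version, resource or redirect_uri, and refreshes the access token while keeping the original refresh token because the refresh response carries none. The `transport` callable and `fake_transport` are hypothetical helpers that replay the page's two sample JSON responses so the flow runs offline; the "AT1"/"RT1" token values are constructed placeholders.

```python
import json
import time
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.windows.net"  # host used in the page's requests


class AzureAdCodeGrantClient:
    """Client side of the AzureAD authorization code grant shown above.

    `transport(url, form_dict) -> json_text` is an injected HTTP POST function
    (hypothetical helper) so the class can be exercised without network access.
    """

    def __init__(self, instance_id, client_id, client_secret, resource, transport):
        self.instance_id = instance_id
        self.client_id = client_id
        self.client_secret = client_secret  # load from a secret store in practice
        self.resource = resource
        self.transport = transport
        self.tokens = None  # last parsed token response, including the refresh token we hold

    def authorize_url(self):
        # Step 1: the browser is sent here. api-version=1.0 is only used on /authorize.
        query = urlencode({"api-version": "1.0", "response_type": "code",
                           "client_id": self.client_id, "resource": self.resource})
        return f"{AUTHORITY}/{self.instance_id}/oauth2/authorize?{query}"

    @staticmethod
    def parse_redirect(redirect_url):
        # Step 2: read code and session_state from the URL the browser was redirected to.
        qs = parse_qs(urlparse(redirect_url).query)
        for name in ("code", "session_state"):
            if name not in qs:
                raise ValueError(f"redirect is missing the {name} parameter")
        return qs["code"][0], qs["session_state"][0]

    def _token_endpoint(self):
        # No ?api-version=1.0 here: the page notes it must be omitted on /token.
        return f"{AUTHORITY}/{self.instance_id}/oauth2/token"

    def redeem_code(self, code, session_state):
        # Step 3: exchange the code. resource and redirect_uri are not sent, per the page.
        form = {"grant_type": "authorization_code", "client_id": self.client_id,
                "client_secret": self.client_secret, "code": code,
                "session_state": session_state}
        self.tokens = self._parse_token_response(self.transport(self._token_endpoint(), form))
        return self.tokens

    def refresh(self):
        # Step 4: use the refresh token we hold; the response carries no new one.
        form = {"grant_type": "refresh_token", "client_id": self.client_id,
                "client_secret": self.client_secret,
                "refresh_token": self.tokens["refresh_token"]}
        new = self._parse_token_response(self.transport(self._token_endpoint(), form))
        new.setdefault("refresh_token", self.tokens["refresh_token"])  # keep the old one
        self.tokens = new
        return new

    @staticmethod
    def _parse_token_response(body):
        data = json.loads(body)
        if "access_token" not in data or data.get("token_type") != "Bearer":
            raise ValueError("unexpected token response")
        # AzureAD returns the numeric fields as strings; normalise them to int.
        data["expires_in"] = int(data["expires_in"])
        data["expires_on"] = int(data["expires_on"])
        return data

    def access_token(self, now=None, skew=60):
        # Return a usable Bearer token, refreshing if it expires within `skew` seconds.
        now = time.time() if now is None else now
        if self.tokens["expires_on"] - now <= skew:
            self.refresh()
        return self.tokens["access_token"]


def fake_transport(url, form):
    """Constructed stand-in for HTTP POST that replays the page's sample responses."""
    if not url.endswith("/oauth2/token") or "api-version" in url:
        raise ValueError(f"unexpected token endpoint URL: {url}")
    if form["grant_type"] == "authorization_code" and form["code"] == "abc123":
        return ('{"access_token":"AT1","token_type":"Bearer","expires_in":"3599",'
                '"expires_on":"1391176643","resource":"https://graph.windows.net",'
                '"refresh_token":"RT1","scope":"62e90394-69f5-4237-9190-012177145e10",'
                '"id_token":"IDT1"}')
    if form["grant_type"] == "refresh_token" and form["refresh_token"] == "RT1":
        return ('{"access_token":"AT2","token_type":"Bearer","expires_in":"3600",'
                '"expires_on":"1391178126","resource":"https://graph.windows.net",'
                '"scope":"62e90394-69f5-4237-9190-012177145e10"}')
    raise ValueError("unexpected token request")


def demo():
    """Run the whole flow against the fake transport and return the tokens seen."""
    client = AzureAdCodeGrantClient("instanceid", "246e3879-8495-49fc-ad95-d79521b6ed94",
                                    "client-secret-placeholder", "https://graph.windows.net",
                                    fake_transport)
    code, state = client.parse_redirect(
        "https://redirecturi/?code=abc123&session_state=ed693add-1a5f-490b-a44b-a9df1a44bf5c")
    first = client.redeem_code(code, state)
    fresh = client.access_token(now=first["expires_on"] - 3599)  # well before expiry
    renewed = client.access_token(now=first["expires_on"] - 10)  # inside the skew window
    return first["access_token"], fresh, renewed, client.tokens["refresh_token"]


if __name__ == "__main__":
    print(demo())
```

The `access_token` helper uses expires_on (a Unix timestamp) rather than counting down expires_in, so a long-running process that restarts still knows when to refresh; the skew avoids presenting a token that expires mid-request.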