Scenario: Single-page application
Learn all you need to build a single-page application (SPA). For instructions regarding Azure Static Web Apps, see Authentication and Authorization for Static Web Apps instead.
The Microsoft identity platform provides two options to enable single-page applications to sign in users and get tokens to access back-end services or web APIs:
OAuth 2.0 Authorization code flow (with PKCE). The authorization code flow allows the application to exchange an authorization code for ID tokens to represent the authenticated user and Access tokens needed to call protected APIs.
Proof Key for Code Exchange, or PKCE, is an extension to the authorization code flow to prevent authorization code injection attacks. This IETF standard mitigates the threat of having an authorization code intercepted and enables secure OAuth exchange from public clients as documented in RFC 7636. In addition, it returns refresh tokens that provide long-term access to resources on behalf of users without requiring interaction from those users.
- OAuth 2.0 implicit flow. The implicit grant flow allows the application to get ID and Access tokens. Unlike the authorization code flow, implicit grant flow does not return a Refresh token.
To enable this scenario for your application, you need:
- Application registration with Azure Active Directory (Azure AD). The registration steps differ between the implicit grant flow and authorization code flow.
- Application configuration with the registered application properties, such as the application ID.
If you're new to identity and access management (IAM) with OAuth 2.0 and OpenID Connect, or even just new to IAM on the Microsoft identity platform, the following set of articles should be high on your reading list.
Although not required reading before completing your first quickstart or tutorial, they cover topics integral to the platform, and familiarity with them will help you on your path as you build more complex scenarios.
Move on to the next article in this scenario, App registration.
Submit and view feedback for