Setting up msft oauth for an app with backend server

nocap 0 Reputation points
2023-12-06T16:02:20.38+00:00

I am looking to integrate microsoft oauth with my application and am having a difficult time understanding the instructions. I have registered my app to allow for users of all account types (work, school, personal, etc) to be supported. I generate an idToken in my iOS client using MSALAuthority SDK (using authority = https://login.microsoftonline.com/common) which I am passing to my backend server. The backend will validate the idToken and use the following claims: name, email, sub, exp, iat, aud.

I am only using my Entra application to allow users to login with their microsoft account. In our backend, we grab their email and name from the token to create a user account. We don't require any other permissions or information from Microsoft. We don't request access tokens from msft as we generate our own. Can someone advise me on if this use case requires a client secret or a certificate?

Do I also need to allow public client flows (see below)? I do have a redirect URI set for my app.

I've been able to generate idTokens without allow public client flows so far and I'm not sure why (I have a client secret created but I'm not passing it). Would appreciate some insight into this as well, thank you!

Microsoft Entra ID

1 answer

  1. Navya 14,655 Reputation points Microsoft Vendor
    2023-12-07T15:32:54.61+00:00

    Hi @nocap,

    A client secret is required for confidential web applications. If you registered your application as mobile and native, or as a SPA, it won't be required. It's required for web apps and web APIs, which can store the client secret securely on the server side.

    I understand you get an ID token without passing a client secret; that means you are not using a confidential web application, so in this case there is no need to pass a client secret. You can use the client ID and redirect URI to authenticate your application. Public client flows are not required for your use case since you are not requesting access tokens.

    Before requesting an ID token, check whether the prerequisites below are present in your application.

    1. Register your application in Microsoft Entra ID and select the supported account type as Accounts in any organizational directory.

    2. Add the openid scope, and optionally profile and email, to the application.

    3. Ensure the oauth2AllowIdTokenImplicitFlow property is set to True in the manifest.

    4. Use the URL below to get an ID token:
    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=Application_Id
    &response_type=id_token
    &redirect_uri=redirect_uri
    &response_mode=fragment
    &scope=openid
    &nonce=abcde

    For your reference: Request an ID token
    Configure MSAL for iOS and macOS to use different identity providers

    Hope this helps. Do let us know if you have any further queries.

    Thanks,
    Navya.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

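As an added illustration of the flow in the answer above (example code, not from the thread or from Microsoft), here is a Python sketch of the two server-side pieces: building the /common authorize request with a random nonce instead of the fixed "abcde", and validating the claims the question says the backend relies on (aud, exp, iat, sub, name, email, plus iss and nonce). The client ID and redirect URI are placeholders, and the RS256 signature check against Microsoft's published signing keys is assumed to have been done before these claim checks.

```python
import base64
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed placeholders for this example; substitute your own app registration values.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder application (client) ID
REDIRECT_URI = "msauth.com.example.app://auth"       # hypothetical redirect URI

def new_nonce() -> str:
    """Fresh per-login nonce; keep it server-side so the returned token can be tied to it."""
    return secrets.token_urlsafe(16)

def build_authorize_url(nonce: str) -> str:
    """The /common authorize request from the answer above, with a random nonce."""
    params = {"client_id": CLIENT_ID, "response_type": "id_token", "redirect_uri": REDIRECT_URI,
              "response_mode": "fragment", "scope": "openid", "nonce": nonce}
    return "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?" + urlencode(params)

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def validate_id_token_claims(id_token: str, expected_nonce: str,
                             now: Optional[int] = None, skew: int = 300) -> dict:
    """Claim checks the backend must do AFTER verifying the RS256 signature against the
    signing keys published for the /common authority (signature check not shown here)."""
    now = int(time.time()) if now is None else now
    payload = json.loads(_b64url_decode(id_token.split(".")[1]))
    # With authority=/common the issuer is tenant-specific, so compare it against the
    # token's own tid claim rather than one fixed string.
    tid = payload.get("tid")
    if not tid or payload.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        raise ValueError("unexpected issuer")
    if payload.get("aud") != CLIENT_ID:
        raise ValueError("token was not issued for this application")
    if payload.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch; token does not belong to this login attempt")
    if not (payload["iat"] - skew <= now < payload["exp"] + skew):
        raise ValueError("token expired or not yet valid")
    # Key the local account on sub+tid (stable identifiers); name and email are display data.
    return {k: payload.get(k) for k in ("sub", "tid", "name", "email")}

def make_sample_token(claims: dict) -> str:
    """Constructed token with an empty signature segment, for exercising the claim checks offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + "."
```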
