Request OAuth2.0 token using azure app services managed identity

Tan Soon Chek 0 Reputation points
2024-04-19T05:19:21.3666667+00:00

Hi All,

I have a question on Azure App Service Managed Identity.

Currently we are working on an API project where it provide the function to interact with user in Azure Entra thru Microsoft Graph API calling. To protect the API function, we have a function for user to use ROPC flow authentication to request a token from https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token. Currently we are providing the app registration's client ID and client secret in the request.

Our question is, can we exclude app registration, use only the app service managed identity in the process of requesting ouath2.0 token? If yes how do we do that? if no any document/article supported for it?

ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,242 questions
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,844 questions
C#
C#
An object-oriented and type-safe programming language that has its roots in the C family of languages and includes support for component-oriented programming.
10,390 questions
ASP.NET API
ASP.NET API
ASP.NET: A set of technologies in the .NET Framework for building web applications and XML web services.API: A software intermediary that allows two applications to interact with each other.
306 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,042 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Bruce (SqlWork.com) 57,966 Reputation points
    2024-04-20T22:10:11.5433333+00:00

    The user is not supposed to call the azure login endpoint. Your application is supposed to call the endpoint.

    The user calls an application endpoint passing username and password and maybe scopes. The application calls the graph api and returns the token, which should be usable to call the api.

    the password flow is used when the user can not use a browser to login, but wants to login to the app directly with their username password.

    You should just expose the endpoint, not your clientid and secret.