Is OAuth2 Implicit Grant required for atlas address search query api on client-side applications?

Nick Carducci 21 Reputation points
2020-05-20T06:37:18.963+00:00

Previous support: Twitter @AzureSupport sent me this link to make calls to the https://atlas.microsoft.com/search/address/json? api

Question: To use atlas address search api on a single-page app, is the correct solution to use OAuth2 Implicit Grant flow instead of secret or certificate? Note I have access to environment variables using my Netlify deployment. If this is the right solution to complete, could you elaborate on how 3-5 below can be suited for such a client-side app where using a certificate or secret is impractical?

Note: Hard to believe OAuth2 Implicit Grant is required to make this call, please let me know if I should believe it

Support link: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

Directions from support link:

  1. Create an Azure Active Directory application
  2. Assign a role to the application
  3. Get values for signing in (store Directory (tenant) ID + Application ID in application code... where?)
  4. Certificates and secrets (here I am thinking of using OAuth2 Implicit Grant just to be able to use atlas address search api since the client would show secrets)
  5. Configure access policies on resources ("select the key, secret, and certificate permissions you want to grant your application"... how does this translate to OAuth2 Implicit Grant)
  6. Required permissions (Made my account a Contributor)

Thank you, Nick

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-05-20T09:57:21.097+00:00

    @Nick Carducci, in the case of an SPA application, Microsoft recommends that you use the implicit flow. In the implicit flow, the app secret is not needed; only the application ID is needed, as shown in the sample request:

    // Line breaks for legibility only  
      
    https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?  
    client_id=6731de76-14a6-49ae-97bc-6eba6914391e  
    &response_type=token  
    &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F  
    &scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read  
    &response_mode=fragment  
    &state=12345  
    &nonce=678910  
    &prompt=none  
    &login_hint=myuser@mycompany.com  
    

    More details can be found here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow#send-the-sign-in-request

    Point 5 that you mentioned is not relevant to your scenario. The support link you are following uses the example of Azure Key Vault, where you would have to add the application/service principal and provide proper permissions so that it can access the objects of the Key Vault, i.e. certificates, secrets or keys. These objects are Key Vault objects, meaning they are stored in Azure Key Vault; they are not your application registration's secret or certificate.

    I guess I would be able to help you further if you can share the actual document that you are following for using this https://atlas.microsoft.com/search/address/json? api

    Ideally the major steps are:

    1. When an application wants to access any API that is protected by AAD, you need to get a token from AAD for that API.
    2. For an SPA application, the implicit flow is what is preferred to fetch a token from AAD for that resource, i.e. the API.
    3. Once you have the token for that API issued by AAD, you can make a request to the API and send that token as a bearer token to fetch the details from the API.

    Hope this helps. Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.
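
The three steps listed in the accepted answer, as an added JavaScript example that is not part of the original thread or of Microsoft's sample code. The function names are hypothetical, and the `api-version` and `query` parameters and the `x-ms-client-id` header are assumptions about the Azure Maps request that should be checked against the Azure Maps authentication documentation.

```javascript
// Added example; function names are hypothetical, not from the thread.
const AUTHORITY = "https://login.microsoftonline.com";

// Step 2: build the implicit-flow sign-in URL. Only public values go in;
// a client secret or certificate is never part of this flow.
function buildAuthorizeUrl({ tenant, clientId, redirectUri, scope, state, nonce }) {
  const q = new URLSearchParams({
    client_id: clientId,
    response_type: "token",
    redirect_uri: redirectUri,
    scope,
    response_mode: "fragment",
    state, // unpredictable per request, see newState()
    nonce,
  });
  return `${AUTHORITY}/${encodeURIComponent(tenant)}/oauth2/v2.0/authorize?${q}`;
}

// Unpredictable state/nonce value from the Web Crypto API.
function newState() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Parse the fragment appended to redirect_uri. Reject error responses and
// any response whose state differs from the value this page sent.
function readFragment(fragment, expectedState) {
  const p = new URLSearchParams(fragment.replace(/^#/, ""));
  if (p.has("error")) throw new Error(`authorize failed: ${p.get("error")}`);
  if (!expectedState || p.get("state") !== expectedState) throw new Error("state mismatch");
  const token = p.get("access_token");
  if (!token || (p.get("token_type") || "").toLowerCase() !== "bearer") {
    throw new Error("no bearer token in response");
  }
  return { token, expiresIn: Number(p.get("expires_in")) };
}

// Step 3: send the token as a bearer credential. The query parameters and
// the x-ms-client-id header are assumptions (see the lead-in).
function searchRequest(token, query, mapsClientId) {
  const q = new URLSearchParams({ "api-version": "1.0", query });
  return {
    url: `https://atlas.microsoft.com/search/address/json?${q}`,
    headers: { Authorization: `Bearer ${token}`, "x-ms-client-id": mapsClientId },
  };
}
```

In a browser, store the `state` value (for example in `sessionStorage`) before redirecting, and clear `location.hash` after `readFragment` succeeds so the token does not stay in the address bar or history.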


1 additional answer

  1. Jai Verma 461 Reputation points
    2020-05-20T06:43:45.553+00:00

    You can use either shared key or AAD identity. Both options are available to you.
    https://learn.microsoft.com/en-us/azure/azure-maps/azure-maps-authentication