OAuth using client Credential workflow without using AppRole

Manu Nair 26 Reputation points
2021-03-18T20:16:13.787+00:00

Hi
We need to authorize the client using client credential workflow. Our company has asked us not to use AppRole since it is in preview state. Do you know when the AppRole is planned to be in full production?

If not AppRole, what could be used for authorizing the client other than using azp or sub in the token? I am thinking of adding additional claims to the token to do that, e.g. groupId. Is it the right approach? If yes, then how do we assign such values to the client application? Please give us advice on this.

Regards,
Manu

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2021-03-22T15:17:12.133+00:00

    Hi @Manu Nair · Thank you for reaching out.

    Only the App roles UI is in preview. Configuring App roles by updating the manifest is Generally Available and not in preview.

    You can update the application manifest with the parameters below to include, for instance, a permission named consumer as an application permission, which will be returned as the value of the roles claim.

    "appRoles": [
      {
        "allowedMemberTypes": [
          "Application"
        ],
        "displayName": "ConsumerApps",
        "id": "47fbb575-0000-0000-0000-0f7a6c30beac",
        "isEnabled": true,
        "description": "Consumer apps have access to the consumer data.",
        "value": "Consumer"
      }
    ],
    

    80294-image.png

    Note: When using the client credentials flow, you can only use the /.default scope to request the token. E.g. I used the scope https://mydomain.com/myapi/.default to acquire the above token.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
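
One way the receiving API could enforce the `Consumer` app role on client credentials tokens, as an added example that is not part of the original answer. It assumes the token's signature, issuer and expiry were already validated by a JWT library and that `aud` equals the App ID URI from the scope in the note; the function name, constants and sample claims are hypothetical.

```python
REQUIRED_ROLE = "Consumer"  # "value" of the app role in the manifest above
EXPECTED_AUDIENCE = "https://mydomain.com/myapi"  # assumption: App ID URI from the note's scope


def authorize_app_token(claims, required_role=REQUIRED_ROLE, audience=EXPECTED_AUDIENCE):
    """Return (allowed, reason) for the claims of an ALREADY VALIDATED access token.

    Signature, issuer and expiry checks are assumed to be done before this call;
    this function only makes the access decision from the claims.
    """
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        return False, "token was issued for a different API"

    # Delegated (user) tokens carry scopes in `scp`; client credentials tokens do not.
    if "scp" in claims:
        return False, "delegated token, expected an app-only token"

    roles = claims.get("roles")
    if roles is None:
        return False, "no roles claim: app role not assigned to this client"
    if isinstance(roles, str):  # tolerate a single role serialized as a string
        roles = [roles]
    if not isinstance(roles, list):
        return False, "malformed roles claim"

    # Exact, case-sensitive match; never substring matching on role names.
    if required_role not in roles:
        return False, f"missing required role {required_role!r}"
    return True, "ok"


# Constructed sample claim sets (not real tokens).
SAMPLES = {
    "assigned client": {"aud": EXPECTED_AUDIENCE, "roles": ["Consumer"]},
    "unassigned client": {"aud": EXPECTED_AUDIENCE},
    "similar role name": {"aud": EXPECTED_AUDIENCE, "roles": ["ConsumerAdmin"]},
    "user token": {"aud": EXPECTED_AUDIENCE, "scp": "user_impersonation", "roles": ["Consumer"]},
    "other audience": {"aud": "https://other.example/api", "roles": ["Consumer"]},
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", authorize_app_token(sample))
```

A client that was never granted the app role still receives a token for the `/.default` scope, just without the `roles` claim, which is why the missing-claim case is a deny rather than an error.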