Share via

OAuth 2.o grant-type: Authorization Code

Kodie Vincent 0 Reputation points
2025-11-25T23:55:37.1066667+00:00

Hi,

I am trying to create a pipeline that interacts with an endpoint that uses OAuth 2.0; however, it requires a grant_type=authorization_code, which I can only assume is granted once the admin user logs in and retrieves it. My question is how have people worked around this in Azure Data Factory, Im reasonably new to ADF and have heard that creating a function app might be able to do this, but im struggling to understand how. I am using the new fabric version of ADF.

Any feedback or help is much appreciated!

Azure Data Factory
Azure Data Factory
An Azure service for ingesting, preparing, and transforming data at scale.
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2025-11-25T23:56:45.6733333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    To work with OAuth 2.0 authorization code grant type in Azure Data Factory (ADF), you typically need to follow these steps:

    1. User Authentication: The user must first authenticate to obtain the authorization code. This usually involves redirecting the user to the authorization endpoint where they log in and grant permissions.
    2. Request Authorization Code: After the user logs in, the authorization server will redirect back to your specified redirect_uri with an authorization code. This code is short-lived and can be used to request an access token.
    3. Exchange Authorization Code for Access Token: You will need to send a request to the token endpoint to exchange the authorization code for an access token. This typically involves a POST request that includes the client_id, client_secret, redirect_uri, and the code you received.
    4. Using the Access Token: Once you have the access token, you can use it to authenticate requests to the API endpoint.

    As for using Azure Data Factory, you can create a Function App to handle the OAuth flow. The Function App can manage the redirection and token exchange process. Here’s a high-level overview of how you might set this up:

    • Create a Function App: This will serve as the backend to handle the OAuth flow.
    • Implement the Authorization Code Flow: In your Function App, implement the logic to redirect users to the authorization endpoint, handle the callback to retrieve the authorization code, and exchange it for an access token.
    • Integrate with ADF: Once the Function App retrieves the access token, you can call it from your ADF pipeline to get the token and use it for subsequent API calls.

    This approach allows you to automate the token retrieval process without manual intervention each time the token is needed.

    For more detailed guidance, you may want to refer to the Azure documentation on OAuth 2.0 and Azure Data Factory.

    References:

    0 comments
  2. Adam Zachary 2,025 Reputation points
    2025-11-26T03:36:16.3366667+00:00

    I’ve dealt with this a few times, and the short version is: ADF cannot handle the authorization_code flow on its own, because that flow requires an interactive login to get the first refresh token. Pipelines can only run with non-interactive flows.

    The way solve this:

    1. Do the first authorization manually once. An admin logs in, authorizes the app, and you capture the initial refresh_token.

    2. Store that refresh token securely (Key Vault).

    3. Use ADF (or a Function App) to exchange that refresh token for new access tokens automatically. ADF can repeatedly call the token endpoint with: grant_type=refresh_token → returns a new access_token every run.

    You never use authorization_code again after the first manual login.

    If your endpoint absolutely requires authorization_code every time, then yes, you’d need a custom Function App or API that handles the OAuth handshake, stores the refresh token, and returns access tokens back to ADF. But in most cases, once the refresh token is obtained, ADF can run the pipeline normally

    0 comments
  3. Swapnesh Panchal 1,380 Reputation points Microsoft External Staff Moderator
    2025-12-04T00:53:26.68+00:00

    Hi @Kodie Vincent,
    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Azure Data Factory cannot natively perform the OAuth 2.0 authorization_code flow because this grant type is designed for interactive user sign-in via a browser and redirect URI. Pipelines run headless and do not support browser-based login or redirect handling.

    ADF cannot directly handle interactive OAuth flows. The best solution is to use client_credentials if available or introduce an intermediate service to manage tokens.

    authorization_code requires a user to log in and consent, then exchange a short-lived code for tokens. ADF pipelines are non-interactive and typically authenticate using service identities such as managed identity or service principal.

    Recommended approaches:

    1. Ask the API owner for a non-interactive flow If the API supports client_credentials, you can configure ADF to use a service principal or managed identity in an HTTP/REST linked service.
    2. Use an intermediate component (Function App or Logic App)
    3. Manual token handling (least recommended) Perform the flow externally, store a refresh token in Key Vault, and have ADF use it for API calls. This requires an operational process to refresh tokens periodically.

    Please let us know in the comments if you have any further questions or would like to continue the discussion. We’ll be happy to assist.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.