Hi @Salma • Thank you for reaching out. Please find my comments inline:
- When going to set the application to authenticate with the OpenIDConnect and register the app, why are Implicit flow or ID_Token coming there? Are these flows not for authorization?
OpenIDConnect is added on top of OAuth for authentication. So, when you are using OIDC (scope=openid in the authentication request), you are expected to see ID_Token. With implicit flow, you can acquire the access token from the authorization endpoint after successful authentication. This token can then be used for authorization purposes.
- Why is Implicit flow available in Azure when it is obsolete?
Implicit flow is not yet deprecated in Azure and needs to be enabled if you have single-page applications using MSAL.js 1. It is also required for the applications that are using Hybrid authentication flows, i.e., Authorization Code flow + Implicit flow.
- What would be the response type for Implicit flow?
Response type can be Code or Access Token or ID Token or both Access & ID token (response_type=token+id_token).
- When the user selects Id_Token, what does it mean? Does it mean the app is going to be using Authorization code flow and will get a code or id token in response?
This depends on what the user is requesting in the response_type parameter within the authentication request. If the user requests id_token in the authentication request and you have not enabled it under the Authentication blade of the application (as per your screenshot), the user will get the error: AADSTS700054: response_type 'id_token' is not enabled for the application.
- Where does Client Credential fall among implicit flow and id token? I understand that we can use this as a daemon application, but is it an implicit flow? I think that is not correct.
Client Credential is not implicit flow. It is a separate authentication flow. Client credential flow uses application context rather than user context, and an id token is not issued in this case. Applications can only acquire an Access token.
- When using client credential, what to select: Implicit flow or code flow?
None of these. Please refer to Microsoft identity platform and the OAuth 2.0 client credentials flow.
Click here: Sample of Implicit Authentication and check various parameters like authorization endpoint, response_type, scope, redirect_uri. Once you sign in with your user account, you will get both Access and ID tokens in the URL. jwt.ms decodes only the first token, but you can copy the URL and paste it in Notepad to see both tokens.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
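
The following is an added example, not part of the original answer and not Microsoft's code: it parses the URL fragment an implicit-flow redirect carries, so that both tokens (or an error such as AADSTS700054) can be inspected, and checks `state` and `nonce` against the request. The redirect host, the `error` value, the tokens and the helper names are constructed for illustration; decoding here does not validate token signatures.

```javascript
// Added example: inspect an implicit-flow redirect. Decoding only, no signature validation.

// Decode the payload (middle part) of a compact JWT without verifying it.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Parse the fragment the authorization endpoint appends to redirect_uri.
function parseImplicitResponse(redirectUrl, expectedState, expectedNonce) {
  const params = new URLSearchParams(new URL(redirectUrl).hash.slice(1));
  // Error responses (e.g. AADSTS700054) arrive in the same fragment.
  if (params.has("error")) {
    return { ok: false, error: params.get("error"),
             description: params.get("error_description") };
  }
  // state ties the response to the request this client sent.
  if (params.get("state") !== expectedState) {
    return { ok: false, error: "state_mismatch", description: null };
  }
  const result = { ok: true, claims: {} };
  for (const name of ["access_token", "id_token"]) {
    if (params.has(name)) result.claims[name] = decodeJwtPayload(params.get(name));
  }
  // The nonce claim in the ID token must match the one sent in the request.
  const idClaims = result.claims.id_token;
  if (idClaims && idClaims.nonce !== expectedNonce) {
    return { ok: false, error: "nonce_mismatch", description: null };
  }
  return result;
}

// Constructed sample data: unsigned placeholder tokens, not real Azure AD output.
function fakeJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none" })}.${enc(payload)}.sig`;
}
const sampleUrl = "https://app.example/callback#" + new URLSearchParams({
  access_token: fakeJwt({ aud: "api://constructed", scp: "User.Read" }),
  token_type: "Bearer",
  id_token: fakeJwt({ aud: "constructed-client-id", nonce: "n-123" }),
  state: "s-456",
}).toString();
// Constructed error redirect; the error_description text is the one quoted above.
const errorUrl = "https://app.example/callback#error=unsupported_response_type" +
  "&error_description=AADSTS700054%3A+response_type+%27id_token%27+is+not+enabled+for+the+application.";

console.log(parseImplicitResponse(sampleUrl, "s-456", "n-123"));
```
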