Which OAuth2.0 authentication flow shall I choose ?

Question

I am looking for a best practice advice for a particular use case at hand :

We are small company which manages smart rooms, room bookings for our clients from a device installed in meeting rooms located in customer physical space. Until now, we have been using basic authentication toward EWS APIs but as the deadline for deprecating basic authentication is approaching soon we are working on migrating to using Microsoft Graph APIs.
Having said that, I have been looking into various Oauth 2.0 flows in connection to authenticating and authorizing. Here are the use cases:

1. By default room device/Touch controllers should show room calendar at all times. No authentication should be required
   In order to achieve this, I'm planning to add a confidential client flow where application has a client id and or certificate/secret used to poll room calendar in a
   fixed interval. I believe that with this approach, I can have long a running session to avoid any authentication.
2. When authenticated, Users should also be able to see their own calendar on the same device which required a short registration process, consent for using a service account as a delegate and a pin generation. So, next time user just needed a PIN to authenticate.

I'm wondering which OAuth2,0 flow can be used to address both scenarios listed above.

I'm wondering which OAuth2.0 flow fits in this scenario.

Answer 1

Client credentials flow for the API.
Authorization code flow for the user authentication.
On-Behalf-Of flow to obtain a Graph access token for the user.

You can configure access token (only) lifetimes using Azure AD policies. For refresh and session token take a look to Configure authentication session management with Conditional Access.

--
Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.