Which OAuth 2.0 authentication flow shall I choose?

Anil Kumar Dhiman 1 Reputation point

I am looking for best-practice advice for a particular use case at hand:

We are a small company which manages smart rooms, room bookings for our clients from a device installed in meeting rooms located in the customer's physical space. Until now, we have been using basic authentication toward EWS APIs, but as the deadline for deprecating basic authentication is approaching soon, we are working on migrating to Microsoft Graph APIs.
Having said that, I have been looking into various OAuth 2.0 flows in connection with authenticating and authorizing. Here are the use cases:

  1. By default, room devices/touch controllers should show the room calendar at all times. No authentication should be required.
    In order to achieve this, I'm planning to add a confidential client flow where the application has a client ID and/or certificate/secret used to poll the room calendar at a fixed interval. I believe that with this approach, I can have a long-running session to avoid any authentication.
  2. When authenticated, users should also be able to see their own calendar on the same device, which requires a short registration process, consent for using a service account as a delegate, and PIN generation. So, next time, the user just needs a PIN to authenticate.

I'm wondering which OAuth 2.0 flow can be used to address both scenarios listed above.

I'm wondering which OAuth2.0 flow fits in this scenario.


1 answer

  1. Alfredo Revilla (MSFT) 16,051 Reputation points Microsoft Employee

    Client credentials flow for the API.
    Authorization code flow for the user authentication.
    On-Behalf-Of flow to obtain a Graph access token for the user.

    You can configure access token (only) lifetimes using Azure AD policies. For refresh and session tokens, take a look at Configure authentication session management with Conditional Access.

    Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.
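
The following is an added example, not part of the answer above and not Microsoft's code: a sketch of how a backend service could build the client credentials and On-Behalf-Of token requests for the Microsoft identity platform v2.0 token endpoint, and reuse the app-only token for calendar polling until shortly before it expires. The names `AppTokenCache` and `FakeTokenEndpoint`, the placeholder IDs, and the use of a client secret rather than a certificate are assumptions; the HTTPS POST is replaced by a constructed stand-in so the block runs offline.

```python
import time
from urllib.parse import urlencode
# AppTokenCache and FakeTokenEndpoint are illustrative names (assumptions).
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_DEFAULT = "https://graph.microsoft.com/.default"

def client_credentials_form(client_id, client_secret):
    """App-only request: the backend reads room calendars as itself."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": GRAPH_DEFAULT}

def on_behalf_of_form(client_id, client_secret, user_token, scope):
    """Exchange the token a signed-in user sent to our API for a Graph token."""
    return {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "client_id": client_id, "client_secret": client_secret,
            "assertion": user_token, "requested_token_use": "on_behalf_of",
            "scope": scope}

class AppTokenCache:
    """Reuse the app-only token until `skew` seconds before it expires.
    A client credentials grant returns no refresh token; the poller just
    requests a new access token, so no interactive sign-in is needed."""
    def __init__(self, tenant, form, post, skew=300, clock=time.time):
        self.url = TOKEN_URL.format(tenant=tenant)
        self.form, self.post, self.skew, self.clock = form, post, skew, clock
        self.token, self.expires_at = None, 0.0

    def get(self):
        if self.token is None or self.clock() >= self.expires_at - self.skew:
            reply = self.post(self.url, urlencode(self.form))
            if "access_token" not in reply:
                raise RuntimeError(reply.get("error", "token request failed"))
            self.token = reply["access_token"]
            self.expires_at = self.clock() + int(reply["expires_in"])
        return self.token

class FakeTokenEndpoint:
    """Constructed stand-in for the HTTPS POST so the example runs offline."""
    def __init__(self):
        self.calls = []
    def __call__(self, url, body):
        self.calls.append((url, body))
        return {"access_token": f"constructed-{len(self.calls)}", "expires_in": 3600}

if __name__ == "__main__":
    endpoint = FakeTokenEndpoint()
    form = client_credentials_form("CLIENT_ID_PLACEHOLDER", "SECRET_PLACEHOLDER")
    cache = AppTokenCache("TENANT_PLACEHOLDER", form, endpoint)
    print(cache.get(), cache.get(), len(endpoint.calls))  # second call is cached
```

Both request builders carry the client secret, so this code belongs on the backend API rather than on the room device itself.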
