Scenario: Single-page application
Learn all you need to build a single-page application (SPA). For instructions regarding Azure Static Web Apps, see Authentication and Authorization for Static Web Apps instead.
The Microsoft identity platform provides two options to enable single-page applications to sign in users and get tokens to access back-end services or web APIs:
OAuth 2.0 Authorization code flow (with PKCE). The authorization code flow allows the application to exchange an authorization code for ID tokens to represent the authenticated user and Access tokens needed to call protected APIs.
Proof Key for Code Exchange (PKCE), is an extension to the authorization code flow to prevent authorization code injection attacks. In addition, it returns refresh tokens that provide long-term access to resources on behalf of users without requiring additional interaction from them.
To enable this scenario for your application, you need:
- Application registration with Azure Active Directory (Azure AD). The registration steps differ between the implicit grant flow and authorization code flow.
- Application configuration with the registered application properties, such as the application ID.
If you're new to identity and access management (IAM) with OAuth 2.0 and OpenID Connect, or even just new to IAM on the Microsoft identity platform, the following set of articles should be high on your reading list.
Although not required reading before completing your first quickstart or tutorial, they cover topics integral to the platform, and familiarity with them will help you on your path as you build more complex scenarios.
Move on to the next article in this scenario, App registration.