1
votes

We have a 3rd-party mobile app which, during the login process, creates an access token to access one of our APIs (.NET Core) using the Authorization code grant flow.

https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code



The mobile app displays many tiles. After login, when the user clicks on one of the tiles, I want to call another .NET Core API (using the access_token).

I was planning to use the client credentials flow for the second API call, as it does not require user interaction.

https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow


But the API endpoint (in the code) checks the claims to get the user ID, and the client credentials flow creates a JWT token without the user information (as there is no user interaction).

Am I using the correct flow? Is there a way to use the authorization code grant flow when clicking the tile (without needing user interaction)?


1 Answer

1
votes

You can only get the user information when using the auth code flow, which needs user interaction.

I noticed that you are using the v1.0 endpoint; you can put the API URI in the resource parameter. The scope parameter isn't needed for the v1.0 endpoint. You can get the access token silently after logging in.

Here is the code snippet for your reference.

// Snippet from a controller action in the referenced sample. Because the user
// already signed in to the web app, the user's object id is known from the claims.
// Requires: Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL.NET),
// System.Net.Http and System.Net.Http.Headers. NaiveSessionCache and
// AzureAdOptions are classes defined in the sample project.
string userObjectID = User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;

// Using ADAL.NET, get a bearer token for the TodoListService from the token
// cache (or via the cached refresh token) without prompting the user again.
AuthenticationContext authContext = new AuthenticationContext(
    AzureAdOptions.Settings.Authority,
    new NaiveSessionCache(userObjectID, HttpContext.Session));
ClientCredential credential = new ClientCredential(
    AzureAdOptions.Settings.ClientId, AzureAdOptions.Settings.ClientSecret);
AuthenticationResult result = await authContext.AcquireTokenSilentAsync(
    AzureAdOptions.Settings.TodoListResourceId,
    credential,
    new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));

// Retrieve the user's To Do List, sending the delegated token as a bearer token.
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get,
    AzureAdOptions.Settings.TodoListBaseAddress + "/api/todolist");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = await client.SendAsync(request);

Reference:

active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore
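As an added example (editor's code, not from the question, the answer, or the referenced sample), here is how the second .NET Core API can tell a delegated (user) token from a client-credentials token before it trusts the object id claim, which is the failure the question describes. It assumes the API uses the default ASP.NET Core JWT bearer middleware, whose inbound claim mapping exposes the v1.0 scp and oid claims under the schemas.microsoft.com URIs shown; the controller name, route and the scope name user_impersonation (the permission a v1.0 app registration exposes by default) are illustrative assumptions.

```csharp
// Added example (editor's code, not from the question, the answer, or the
// referenced sample). An API endpoint that needs a user behind the call and
// therefore refuses client-credentials (app-only) tokens.
using System;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("api/[controller]")]
[Authorize]
public class TilesController : ControllerBase
{
    // Claim types as mapped by the default ASP.NET Core JWT bearer handler for
    // the v1.0 "scp" and "oid" claims (assumption: default inbound claim mapping).
    private const string ScopeClaim = "http://schemas.microsoft.com/identity/claims/scope";
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // Hypothetical: the delegated permission this API exposes in its app registration.
    private const string RequiredScope = "user_impersonation";

    // GET api/tiles/{tileId}: the call the mobile app makes when a user taps a tile.
    [HttpGet("{tileId}")]
    public IActionResult GetTile(string tileId)
    {
        // A client-credentials token has no "scp" claim (it carries "appid" and,
        // if application permissions were granted, "roles"), and its "oid" is the
        // object id of the calling app's service principal, not of a user. So the
        // presence of "oid" alone is not proof that a user is behind the request.
        string scopes = User.FindFirst(ScopeClaim)?.Value;
        string objectId = User.FindFirst(ObjectIdClaim)?.Value;

        if (string.IsNullOrEmpty(scopes) || string.IsNullOrEmpty(objectId))
        {
            // App-only token (or one missing the claims we need): no user context, refuse.
            return Forbid();
        }

        // Delegated token: also check it was issued for this API's permission.
        bool hasScope = scopes.Split(' ', StringSplitOptions.RemoveEmptyEntries)
                              .Contains(RequiredScope, StringComparer.Ordinal);
        if (!hasScope)
        {
            return Forbid();
        }

        // From here on objectId can be used as the signed-in user's id.
        return Ok(new { tileId, userObjectId = objectId });
    }
}
```

One caveat on the client side: the ADAL snippet in the answer comes from a confidential web app that holds a client secret. A mobile app is a public client, so it should call AcquireTokenSilentAsync with the resource, the client id and the UserIdentifier only, without a ClientCredential; a secret compiled into an app that ships to users' devices can be extracted from it.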