Note: With this blog post's approach, you do not need to add Azure AD as an identity provider in the SAP BTP, Cloud Foundry environment account (i.e. the "Integrate Microsoft Azure AD with SAP BTP, Cloud Foundry environment" setup).
ENDPOINTS

| Value | Description |
|---|---|
| common | Allows users with both personal Microsoft accounts and work/school accounts from Azure AD to sign into the application. |
| organizations | Allows only users with work/school accounts from Azure AD to sign into the application. |
| consumers | Allows only users with personal Microsoft accounts (MSA) to sign into the application. |
REQUEST AN AUTHORIZATION CODE

| Parameter | Required/optional | Description |
|---|---|---|
| tenant | required | The {tenant} value in the path of the request can be used to control who can sign into the application. The allowed values are common, organizations, consumers, and tenant identifiers. For more detail, see protocol basics. Critically, for guest scenarios where you sign a user from one tenant into another tenant, you must provide the tenant identifier to correctly sign them into the resource tenant. This is the directory tenant that you want to request permission from; it can be in GUID or friendly-name format. If you don't know which tenant the user belongs to and you want to let them sign in with any tenant, use common. |
| client_id | required | The Application (client) ID that the Azure portal – App registrations experience assigned to your app. |
| response_type | required | Must include code for the authorization code flow. Can also include id_token or token if using the hybrid flow; adding id_token tells the server that the application would like an ID token in the response from the /authorize endpoint. |
| redirect_uri | required | The redirect_uri of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect_uris you registered in the portal, except that it must be URL-encoded. For native and mobile apps, you should use one of the recommended values: https://login.microsoftonline.com/common/oauth2/nativeclient (for apps using embedded browsers) or http://localhost (for apps that use system browsers). |
| scope | required | A space-separated list of scopes that you want the user to consent to. For the /authorize leg of the request, this can cover multiple resources, allowing your app to get consent for multiple web APIs you want to call. The value passed for the scope parameter in this request should be the resource identifier (application ID URI) of the resource you want, suffixed with .default. For the Microsoft Graph example, the value is https://graph.microsoft.com/.default. This value tells the Microsoft identity platform that, of all the direct application permissions you have configured for your app, the endpoint should issue a token for the ones associated with the resource you want to use. To learn more about the /.default scope, see the consent documentation. A web API can give users the power to opt in or opt out of specific functionality or data by exposing permissions, also known as scopes. For a calling app to acquire permission to a scope, the user must consent to the scope during a flow. The Microsoft identity platform asks the user for permission, and then records permissions in all access tokens that the web API receives. The web API validates the access tokens it receives on each call and performs authorization checks. Example: scope = openid offline_access profile User.Read Calendars.Read.Shared Calendars.ReadWrite MailboxSettings.Read Calendars.Read Calendars.ReadWrite Mail.ReadWrite |
| response_mode | recommended | Specifies the method that should be used to send the resulting token back to your app. Can be one of query, fragment, or form_post. Defaults to query for just an authorization code, but fragment if the request includes an id_token response_type. However, apps are recommended to use form_post, especially when using http://localhost as a redirect URI. query provides the code as a query string parameter on your redirect URI. If you're requesting an ID token using the implicit flow, you can't use query, as specified in the OpenID spec. If you're requesting just the code, you can use query, fragment, or form_post. form_post executes a POST containing the code to your redirect URI. |
| state | recommended | A value included in the request that will also be returned in the token response. It can be a string of any content that you wish. A randomly generated unique value is typically used for preventing cross-site request forgery attacks. The value can also encode information about the user's state in the app before the authentication request occurred, such as the page or view they were on. Example: state = 12345 |
| nonce | | A value included in the request, generated by the app, that will be included in the resulting id_token as a claim. The app can then verify this value to mitigate token replay attacks. The value is typically a randomized, unique string that can be used to identify the origin of the request. Example: nonce = abcde |
| prompt | optional | Indicates the type of user interaction that is required. The only valid values at this time are login, none, consent, and select_account. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user isn't presented with any interactive prompt whatsoever; if the request can't be completed silently via single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=consent triggers the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. prompt=select_account interrupts single sign-on, providing an account selection experience that lists all the accounts either in session or remembered, or an option to use a different account altogether. |
| login_hint | optional | You can use this parameter to pre-fill the username and email address field of the sign-in page for the user, if you know the username ahead of time. Often, apps use this parameter during reauthentication, after already extracting the login_hint optional claim from an earlier sign-in. |
| domain_hint | optional | If included, it skips the email-based discovery process that the user goes through on the sign-in page, leading to a slightly more streamlined user experience, for example sending them to their federated identity provider. Often apps use this parameter during re-authentication, by extracting the tid from a previous sign-in. |
| code_challenge | recommended / required | Used to secure authorization code grants via Proof Key for Code Exchange (PKCE). Required if code_challenge_method is included. For more information, see the PKCE RFC. This is now recommended for all application types, both public and confidential clients, and required by the Microsoft identity platform for single-page apps using the authorization code flow. |
| code_challenge_method | recommended / required | The method used to encode the code_verifier for the code_challenge parameter. This SHOULD be S256, but the spec allows the use of plain if for some reason the client cannot support SHA-256. If excluded, code_challenge is assumed to be plaintext when code_challenge is included. The Microsoft identity platform supports both plain and S256. For more information, see the PKCE RFC. This is required for single-page apps using the authorization code flow. |
SUCCESSFUL RESPONSE

| Parameter | Description |
|---|---|
| code | The authorization_code that the app requested. The app can use the authorization code to request an access token for the target resource. Authorization codes are short-lived; typically they expire after about 10 minutes. |
| state | If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. |
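The two tables above describe the first leg of the flow. The following is an added example (not code from the original post or from SAP/Microsoft) that builds the /authorize URL with a PKCE code_challenge (S256), a random state and nonce, and then checks the state on the redirect before accepting the code. The tenant, client_id and redirect_uri values are placeholders you must replace with those from your own app registration.

```python
"""Build the /authorize request with PKCE, state and nonce, and verify the callback.

Added example; tenant, client_id and redirect_uri are placeholders.
"""
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def generate_pkce(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636).

    The verifier must be 43..128 unreserved characters; token_urlsafe(64)
    yields 86 such characters. The challenge is base64url(SHA-256(verifier))
    with the '=' padding removed.
    """
    if verifier is None:
        verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def new_state_and_nonce() -> Tuple[str, str]:
    """Fresh unpredictable values: state guards against CSRF, nonce against id_token replay."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str, scopes, state: str,
                        nonce: str, code_challenge: str, response_mode: str = "query") -> str:
    """Assemble the authorization request; urlencode() percent-encodes redirect_uri as required."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "response_mode": response_mode,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect, enforcing the state check first."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        # A mismatched state means the response was not produced by our request; discard it.
        raise ValueError("state mismatch: discarding authorization response")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


if __name__ == "__main__":
    verifier, challenge = generate_pkce()
    state, nonce = new_state_and_nonce()
    print(build_authorize_url("common", "<client-id>", "https://app.example/callback",
                              ["openid", "offline_access", "User.Read"], state, nonce, challenge))
```

Keep code_verifier, state and nonce server-side (bound to the user's session) between the redirect and the token request; the verifier is sent only in the token redemption, never in the /authorize URL.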
- Name = <name of connection>
- Type = HTTP
- URL = https://graph.microsoft.com/
- Type = Internet
- Authentication = OAuth2ClientCredentials <choose as per your business application architecture>
- Client ID = <ask your Azure AD admin>
- Client Secret = <ask your Azure AD admin>
- Token Service URL = https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
- Additional Properties:
  - scope = https://graph.microsoft.com/.default
  - state = 12345
  - Nonce = abcde
  - response_mode = query
  - response_type = code
  - redirect_uri = <enter the redirect URL the Azure admin configured in the Azure portal>
| Parameter | Required/optional | Description |
|---|---|---|
| tenant | required | Ask your Azure portal admin. The {tenant} value in the path of the request can be used to control who can sign into the application. The allowed values are common, organizations, consumers, and tenant identifiers. For more detail, see protocol basics. |
| client_id | required | Ask your Azure portal admin. The Application (client) ID that the Azure portal – App registrations page assigned to your app. |
| scope | optional | A space-separated list of scopes. The scopes must all be from a single resource, along with OIDC scopes (profile, openid, email). For a more detailed explanation of scopes, refer to permissions, consent, and scopes. This is a Microsoft extension to the authorization code flow, intended to allow apps to declare the resource they want the token for during token redemption. |
| code | required | The authorization_code that you acquired in the first leg of the flow. |
| redirect_uri | required | The same redirect_uri value that was used to acquire the authorization_code. |
| grant_type | required | Must be authorization_code for the authorization code flow: grant_type = authorization_code |
| code_verifier | recommended | The same code_verifier that was used to obtain the authorization_code. Required if PKCE was used in the authorization code grant request. For more information, see the PKCE RFC. |
| client_secret | required for confidential web apps | Ask your Azure portal admin. The application secret that you created in the app registration portal for your app. You shouldn't use the application secret in a native app or single-page app because client secrets can't be reliably stored on devices or web pages. It's required for web apps and web APIs, which have the ability to store the client_secret securely on the server side. Like all parameters discussed here, the client secret must be URL-encoded before being sent, a step usually performed by the SDK. For more information on URI encoding, see the URI Generic Syntax specification. The Basic auth pattern of instead providing credentials in the Authorization header, per RFC 6749, is also supported. |
| Parameter | Required | Description |
|---|---|---|
| client_id | required | The Application ID that the registration portal assigned your app. |
| grant_type | required | Must be refresh_token. |
| scope | required | A space-separated list of permissions (scopes). The permissions requested must be equivalent to or a subset of the permissions requested in the original authorization_code request. |
| refresh_token | required | The refresh_token that you acquired during the token request. |
| redirect_uri | required | The same redirect_uri value that was used to acquire the authorization_code. |
| client_secret | required for web apps | The application secret that you created in the app registration portal for your app. It should not be used in a native app, because client secrets cannot be reliably stored on devices. It is required for web apps and web APIs, which have the ability to store the client_secret securely on the server side. |
| Parameter | Description |
|---|---|
| access_token | The requested access token. The app can use this token in calls to Microsoft Graph. |
| token_type | Indicates the token type value. The only type that Azure AD supports is Bearer. |
| expires_in | How long the access token is valid (in seconds). |
| scope | The permissions (scopes) that the access_token is valid for. |
| refresh_token | A new OAuth 2.0 refresh token (refresh tokens can also expire). You should replace the old refresh token with this newly acquired refresh token to ensure your refresh tokens remain valid for as long as possible. |
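The three tables above cover code redemption, refresh, and the token response. The following added example (not code from the original post or from SAP/Microsoft) builds both request bodies, enforces the rule that a refresh may only ask for a subset of the originally granted scopes, and keeps a token set that computes expiry from expires_in and replaces the stored refresh token whenever a new one is returned. The token endpoint path is the v2.0 token endpoint, which the page itself does not list, and the tenant/client values are placeholders.

```python
"""Token redemption, refresh and response handling for the authorization code flow.

Added example; TOKEN_ENDPOINT is the v2.0 token endpoint (not listed on the page),
tenant, client_id and secrets are placeholders.
"""
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_code_redemption(tenant: str, client_id: str, code: str, redirect_uri: str,
                          code_verifier: str, scope: Optional[str] = None,
                          client_secret: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Form body for exchanging the authorization code for tokens.

    client_secret is only added for confidential clients; public clients rely on PKCE alone.
    """
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,    # must equal the value used on /authorize
        "code_verifier": code_verifier,  # required because PKCE was used in the first leg
    }
    if scope:
        body["scope"] = scope
    if client_secret:
        body["client_secret"] = client_secret
    return TOKEN_ENDPOINT.format(tenant=tenant), body


def scope_is_subset(original_scope: str, requested_scope: str) -> bool:
    """A refresh may only request scopes that were granted in the original code request."""
    return set(requested_scope.split()) <= set(original_scope.split())


def build_refresh_request(tenant: str, client_id: str, refresh_token: str, original_scope: str,
                          requested_scope: str, redirect_uri: str,
                          client_secret: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Form body for the refresh_token grant, rejecting scope escalation up front."""
    if not scope_is_subset(original_scope, requested_scope):
        raise ValueError("refresh scope must be a subset of the originally granted scope")
    body = {
        "client_id": client_id,
        "grant_type": "refresh_token",
        "scope": requested_scope,
        "refresh_token": refresh_token,
        "redirect_uri": redirect_uri,
    }
    if client_secret:
        body["client_secret"] = client_secret
    return TOKEN_ENDPOINT.format(tenant=tenant), body


class TokenSet:
    """Holds the current tokens and applies the expiry and rotation rules from the response table."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now  # injectable clock so expiry logic can be tested deterministically
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None
        self.scope: str = ""
        self.expires_at: float = 0.0

    def apply(self, response: Dict) -> None:
        """Store a successful token response."""
        if response.get("token_type") != "Bearer":
            raise ValueError("unexpected token_type; only Bearer is supported")
        self.access_token = response["access_token"]
        self.expires_at = self._now() + int(response["expires_in"])
        self.scope = response.get("scope", self.scope)
        # Rotation: a newly issued refresh token replaces the old one; if none is
        # returned, the previously stored refresh token stays valid and is kept.
        if response.get("refresh_token"):
            self.refresh_token = response["refresh_token"]

    def needs_refresh(self, skew_seconds: int = 60) -> bool:
        """True when the access token is expired or about to expire (allowing for clock skew)."""
        return self._now() >= self.expires_at - skew_seconds
```

In a real SAP BTP integration the body dictionaries are POSTed as application/x-www-form-urlencoded to the returned endpoint URL; the access token is then sent as an Authorization: Bearer header on Graph calls.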