Copyright NoticeĬopyright (c) 2013 IETF Trust and the persons identified as the document authors. This Internet-Draft will expire on January 15, 2014. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.
The list of current Internet-Drafts is at. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. For more information consult the online list of claimed rights. The IETF has been notified of intellectual property rights claimed in regard to some or all of the specification contained in this document.
In order to be implementable, companion specifications are necessary to provide the corresponding concrete instantiations. Note that this specification only defines abstract message flows and processing rules. The intent of this specification is to provide a common framework for OAuth 2.0 to interwork with other identity systems using assertions, and to provide alternative client authentication mechanisms. Mechanisms are specified for transporting assertions during interactions with a token endpoint, as well as general processing rules. This specification provides a framework for the use of assertions with OAuth 2.0 in the form of a new client authentication mechanism and a new authorization grant type. So what does the token contain? Let's use the jwt.Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants OAuth Working GroupĪssertion Framework for OAuth 2.0 Client Authentication and Authorization Grants You can learn about JWT format at jwt.io. The first thing Graph API does is to validate the signature, so if the token wasn't generated in a place it trusts (like Azure Active Directory Authorization Services) it will not accept the request. The token is signed (but not encrypted) which means while we can read it (for example, by using the jwt.io parser) we can't modify it. From a practical standpoint, we can think about it as a text string which contains information. So what is that access tokens are made of anyways? Well, the token is actually a JSON Web Token - a signed JSON document, passed in base 64 format (so it can be sent in the request header). To better understand that, we have to dive a little deeper into the Access tokens themselves. In most cases, instead of having the user credentials, we will have another Access Token, only issued to our application instead of the desired API.
But, in many cases, we wouldn't have access to the user password - this flow is more designed for System Accounts, where we have full control of the user. Option 2, Resource Owner Credentials Grant, allowed us to get a "delegated token" (token with both Client and User) using the User credentials. It requires a User context in order to know which directory the app sits in. The common endpoint will not work for all grant flows like Option 1 (Client credentials Grant). This, in turn, will redirect the request to the original tenant directory, so this endpoint can be used interchangeably with the direct endpoint. This is to show that we have another option - instead of using the tenant directory we can just use the common endpoint: POST Those with sharp eyes will notice another small change in the request compared to the others - the URL of authorization endpoint is different. When that happens, a new Refresh Token will be returned here so it can be used as a replacement for the old one. refresh_token: Refresh Tokens can also expire (although it may take weeks or months).access_token: The access token we needed to access the Graph API.expires_on: The token expire timestamp in Unix epoch time.We will receive a response with a JSON object containing the following properties: resource: The name of the resource we would like to get access, in this case.client_secret: The Client Secret we created in the previous step.
client_id: The Client ID (Application ID) of the application we created in the previous step.grant_type: The grant flow we want to use, refresh_token in this case.Getting an Access Token from the Refresh Token is a simple process, all we need to do is to send the following request:
Flow 3 - Get Access Token From Refresh Token (Refresh Token Grant)Īccess tokens eventually expire however, some grants respond with a refresh token which enables the client to get a new access token without requiring the user to be redirected. Welcome to the third and final post of this series! Here's where you can Part 1 and Part 2 for reference.