Wednesday, October 28, 2020

Access token endpoint versions in Azure AD

You might have noticed that there are two different urls that you can use for retrieving an access token in Azure AD:

  • https://login.microsoftonline.com/<tenantid>/oauth2/token
  • https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/token

And although most of the time it is better to use the more recent version, I did want to know the difference between the two. After deciding that in this case Google was not my friend, I reached out to a colleague, @KevinDockx (definitely check out his Pluralsight training Microsoft Azure for .NET developers - Building secure services and applications).

Evolution of Microsoft identity platform explains how the Azure AD developer platform evolved towards the new Microsoft identity platform. In short, the /oauth2/token endpoint is part of Azure AD for developers (v1.0) and /oauth2/v2.0/token belongs to the Microsoft identity platform (v2.0).

If you need to decide whether to use the Microsoft identity platform (v2.0) or the Azure Active Directory (v1.0) endpoints, definitely take a look at Why update to Microsoft platform (v2.0) and check out the limitations section as well.

In short, try to use v2.0 as much as possible since it provides more features and is more in line with common standards. The v1.0 endpoints will still exist for quite a while and as far as I know there is no end of life announced (yet), but Microsoft did already announce the deprecation of the Azure Active Directory Authentication Library (ADAL) - see Migrate applications to Microsoft Authentication Library (MSAL). Everything evolves quite fast and there even is a newer alternative for MSAL called Microsoft Identity Web.
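To make the difference between the two endpoints concrete, here is a small added example (my own code, not from the post or from Microsoft's libraries). It goes slightly beyond what the post states: the v1.0 endpoint names the target API with a `resource` parameter, while the v2.0 endpoint uses the standard OAuth 2.0 `scope` parameter (with the `/.default` suffix for application permissions), and tokens issued by each version carry a `ver` claim of `1.0` or `2.0`. The tenant id, client id, secret and the sample token below are constructed placeholders; the helper only decodes the token payload for diagnostics and does not verify its signature.

```python
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"


def token_endpoint(tenant_id: str, version: int) -> str:
    """Return the Azure AD (v1.0) or Microsoft identity platform (v2.0) token URL."""
    if version == 1:
        return f"{AUTHORITY}/{tenant_id}/oauth2/token"
    if version == 2:
        return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    raise ValueError("version must be 1 or 2")


def client_credentials_body(version: int, client_id: str,
                            client_secret: str, api: str) -> dict:
    """Build the form body for a client_credentials grant against either version.

    v1.0 identifies the API with 'resource'; v2.0 uses the standard 'scope'
    parameter, where '<api>/.default' asks for the permissions already
    consented to for this application.
    """
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if version == 1:
        body["resource"] = api
    elif version == 2:
        body["scope"] = api.rstrip("/") + "/.default"
    else:
        raise ValueError("version must be 1 or 2")
    return body


def encoded_body(version: int, client_id: str, client_secret: str, api: str) -> str:
    """The application/x-www-form-urlencoded string that would be POSTed."""
    return urlencode(client_credentials_body(version, client_id, client_secret, api))


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_version(jwt: str) -> str:
    """Read the 'ver' claim from an access token payload for diagnostics only.

    The signature is NOT checked here; never trust claims from an unverified
    token for authorization decisions.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return claims.get("ver", "unknown")


def _unsigned_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Placeholder tenant/app values (constructed, not real identifiers).
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_V2_TOKEN = _unsigned_sample_token(
    {"aud": "https://graph.microsoft.com", "tid": TENANT, "ver": "2.0"})
SAMPLE_V1_TOKEN = _unsigned_sample_token(
    {"aud": "https://graph.microsoft.com", "tid": TENANT, "ver": "1.0"})

if __name__ == "__main__":
    for v in (1, 2):
        print(v, token_endpoint(TENANT, v))
        print("   ", encoded_body(v, "client-id-placeholder", "secret-placeholder",
                                 "https://graph.microsoft.com"))
    print("sample v2 token ver:", token_version(SAMPLE_V2_TOKEN))
```

When migrating an app from v1.0 to v2.0, the `resource` to `scope` change is the one that most often breaks a token request; checking `ver` on the returned token is a quick way to confirm which endpoint a client is really talking to.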

You might also take a look at OpenID Connect (OIDC), an authentication protocol built on OAuth 2.0, since the Microsoft identity platform is compliant with this standard as well - see Microsoft identity platform and OpenID Connect protocol for more details.
