Azure OAuth 2.0 Authentication and Authorization Tutorial

Azure OAuth 2.0 is a popular authentication and authorization framework that allows users to securely access multiple applications using a single set of credentials.

To get started with Azure OAuth 2.0, you need to register your application in the Azure portal and obtain a client ID and client secret.

The client ID is a unique identifier for your application, while the client secret is a sensitive piece of information that should be kept confidential.

You can use the Azure portal to manage your application's permissions and configure OAuth 2.0 settings, such as the authorization flow and token endpoint.

Azure OAuth Setup

To set up Azure OAuth, you must first register a new application by using App registrations in the Azure Portal. This will give you a client ID and client secret, which you'll need to configure your OAuth 2.0 client.

To register an Azure application, sign in to the Azure portal, switch to the desired tenant, and register an application. Save the client ID and client secret, as they are only displayed once.

You'll also need to configure a client application by copying the Application (client) ID, creating a client secret, and authorizing your client application. This will involve setting the Application ID URI and defining the scope to restrict client access.

Here's a quick rundown of the steps:

  • Register an Azure application
  • Configure a client application
  • Authorize your client application

Configure a Client Application

To configure a client application in Azure Active Directory, you need to register it and obtain an Application (client) ID and a client secret. This ID and secret will be used to link the client to the web service and to configure the request authentication.

First, open the Azure Active Directory service, and in App registrations, open the registration of your client application. Copy the Application (client) ID to a safe place, as you will need it to link the client to the web service.

Next, for the Client Credentials grant type, you will need a client secret. To get it, open the Certificates & secrets page and click New client secret. Add a short description and click Add, then copy the generated value to a safe place.

Here are the steps to follow:

  • Open the Azure Active Directory service.
  • In App registrations, open the registration of your client application.
  • Copy the Application (client) ID to a safe place.
  • Go to the Certificates & secrets page and click New client secret.
  • Add a short description and click Add.
  • Copy the generated client secret to a safe place.

By following these steps, you will be able to configure a client application in Azure Active Directory and obtain the necessary IDs and secrets to link it to the web service and to configure the request authentication.
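How the Application (client) ID and client secret from these steps end up in a Client Credentials token request is sketched below. This is an added example, not code from the original page; the environment variable name AZURE_CLIENT_SECRET, the function names and the sample GUIDs are assumptions, and the request is only built, never sent.

```python
import os
import re
import urllib.parse
import urllib.request

# Microsoft identity platform v2.0 token endpoint.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def build_token_request(tenant_id, client_id, app_id_uri,
                        secret_env="AZURE_CLIENT_SECRET"):  # assumed variable name
    """Build (but do not send) a client-credentials token request."""
    # Accept only GUIDs so neither value can alter the URL path or the form.
    for name, value in (("tenant_id", tenant_id), ("client_id", client_id)):
        if not GUID.fullmatch(value):
            raise ValueError(f"{name} must be a GUID")
    # The secret is read from the environment, never stored in source code.
    secret = os.environ.get(secret_env)
    if not secret:
        raise RuntimeError(f"environment variable {secret_env} is not set")
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": secret,
        # This grant requests the web service's Application ID URI plus /.default.
        "scope": app_id_uri.rstrip("/") + "/.default",
    }
    return urllib.request.Request(
        TOKEN_URL.format(tenant=tenant_id),
        data=urllib.parse.urlencode(form).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def redacted_form(request):
    """Return the form fields with the secret masked, safe to write to logs."""
    fields = dict(urllib.parse.parse_qsl(request.data.decode("ascii")))
    fields["client_secret"] = "***"
    return fields
```

Pass the returned object to urllib.request.urlopen to perform the exchange, and log only the output of redacted_form.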

Additional User Fields

To access more user fields, you'll need to configure the user endpoints. Click to configure the user endpoints, and then edit or create an endpoint called 'userinfo_endpoint'.

You'll need to enter the following URL:

https://graph.microsoft.com/v1.0/me/?$select=department,displayName,givenName,jobTitle,userPrincipalName,surname,mail

This will override the existing fields, so make sure to include userPrincipalName and mail as a minimum.

To map these fields, you'll need to include each of the fields you wish to return in the comma-separated list after the $select parameter.
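A check for a configured userinfo_endpoint value, added here as an example and not taken from the original page: it confirms the URL still points at Microsoft Graph, since the user's access token is sent to that host, and that the $select list keeps the two fields the text names as the minimum. The function name and the misconfigured sample URL are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

REQUIRED = ("userPrincipalName", "mail")  # minimum the page says to keep


def check_userinfo_endpoint(url):
    """Return (fields, problems) for a configured userinfo_endpoint URL."""
    problems = []
    parts = urlsplit(url)
    # The user's access token is sent to this host, so match it exactly.
    if parts.scheme != "https" or parts.hostname != "graph.microsoft.com":
        problems.append("host must be https://graph.microsoft.com")
    if parts.path.rstrip("/") != "/v1.0/me":
        problems.append("path must be /v1.0/me")
    selects = parse_qs(parts.query).get("$select", [])
    if len(selects) != 1:
        problems.append("expected exactly one $select parameter")
    fields = [f.strip() for f in ",".join(selects).split(",") if f.strip()]
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"$select is missing required field {name}")
    for name in sorted({f for f in fields if fields.count(f) > 1}):
        problems.append(f"field {name} is listed more than once")
    return fields, problems


# The page's URL, then a constructed misconfiguration (look-alike host,
# userPrincipalName dropped from the list).
PAGE_URL = ("https://graph.microsoft.com/v1.0/me/?$select=department,displayName,"
            "givenName,jobTitle,userPrincipalName,surname,mail")
BAD_URL = "https://graph.microsoft.com.example.net/v1.0/me/?$select=displayName,mail"

if __name__ == "__main__":
    for url in (PAGE_URL, BAD_URL):
        fields, problems = check_userinfo_endpoint(url)
        print(url, fields, problems or "OK", sep="\n  ")
```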

Available Models

For Azure OAuth setup, you should be aware of the available OAuth models. Microsoft Entra ID OAuth is the recommended model for new OAuth 2.0 apps.

Azure DevOps OAuth 2.0 is slated for deprecation in 2026, which means it will no longer be supported. This is why you should start using Microsoft Entra ID OAuth for new apps.

Starting in February 2025, we will stop accepting new Azure DevOps OAuth apps. This is a good time to make the switch to Microsoft Entra ID OAuth.

OpenID Connect Configuration

If you're using GitLab 17.0 or later, you'll need to migrate to the Generic OpenID Connect configuration if you're currently using azure_oauth2.

This migration process requires deleting the identity to release the extern_uid, which can be done by running a specific command.

In Moodle, creating an OAuth2 Microsoft service involves copying the OpenID Connect metadata document endpoint URL from the list of endpoints in GitLab.

You'll need to copy the URL up to and including "v2.0", and make sure to include the trailing slash.

To complete the configuration, paste the endpoint in the 'Service base URL' field of the OAuth2 Microsoft service in Moodle.

Don't forget to define the issuer's endpoints correctly in Site administration > Server > Server > OAuth 2 services and then Configure endpoints in the Edit column of Microsoft services.

API Scopes and Permissions

API Scopes and Permissions are crucial for Azure OAuth. To specify what scopes you need for your app, look under the scopes header on the API Reference page for each API you're using.

Developers are expected to specify what scopes they require from their users. Scopes only enable access to REST APIs and select Git endpoints. SOAP API access isn't supported.

To find the minimal number of scopes you need, consider what scopes are inclusive of other scopes. For example, vso.code_manage includes vso.code_write. Many scopes inherit from vso.profile.
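The reduction described above can be done mechanically once the inclusion relationships are written down. The following is an added example, not code from the original page: only the vso.code_manage to vso.code_write relationship comes from the text, and the other map entries are assumptions to confirm against the API Reference before use.

```python
# Partial inclusion map, constructed for this example. Only
# vso.code_manage -> vso.code_write is stated on the page; every other
# entry is an assumption to verify in the API Reference. Must be acyclic.
INCLUDES = {
    "vso.code_manage": {"vso.code_write"},
    "vso.code_write": {"vso.code"},
    "vso.code": {"vso.profile"},
    "vso.work_write": {"vso.work"},
    "vso.work": {"vso.profile"},
}


def expand(scope, includes=INCLUDES):
    """Every scope that `scope` implies, directly or transitively."""
    implied, stack = set(), [scope]
    while stack:
        for child in includes.get(stack.pop(), ()):
            if child not in implied:
                implied.add(child)
                stack.append(child)
    return implied


def effective(scopes, includes=INCLUDES):
    """The full set of scopes a request grants once inheritance is applied."""
    granted = set(scopes)
    for scope in scopes:
        granted |= expand(scope, includes)
    return granted


def minimal_request(needed, includes=INCLUDES):
    """Drop each needed scope that another needed scope already implies."""
    needed = set(needed)
    implied = set()
    for scope in needed:
        implied |= expand(scope, includes)
    return sorted(needed - implied)


def excess_grant(requested, needed, includes=INCLUDES):
    """Scopes a request would grant beyond what the app actually needs."""
    return sorted(effective(requested, includes) - effective(needed, includes))
```

excess_grant is the review check: a non-empty result means the consent prompt asks users for more access than the app uses.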

Some scopes are available via delegated (on-behalf-of user) flows only. These scopes are available on both OAuth models. To add API permissions, you can alternatively add the User.Read.All application permission.

To set up a Snowflake OAuth Resource in Azure AD, you need to expose an API and add a scope. For example, you can add a scope named session:role-any, which allows Snowflake users to use any role they are granted.

Here's a summary of the available scopes:

Frequently Asked Questions

What is the difference between Azure AD and OAuth?

Azure Active Directory (AAD) handles authentication and user management for Microsoft Azure services, whereas OAuth is an open standard authorization protocol that grants access to resources across various applications and services. In essence, AAD is specific to Azure, while OAuth is a broader, more versatile authorization framework.

Does Microsoft use SAML or OAuth?

Microsoft uses both OAuth 2.0 for authorization and SAML for authentication. To learn more about how these protocols work together, see the Microsoft identity platform and OAuth 2.0 SAML bearer assertion flow.

What is OAuth 2.0 authentication?

OAuth 2.0 is a standard for secure online authorization that allows websites and apps to access resources on behalf of a user. It's a widely-used authentication method that enables users to grant access to their data without sharing sensitive information.

Jeannie Larson

Senior Assigning Editor
