Summary of Azure Active Directory OAuth2 Authorization Grant and OIDC Authentication Flow Uses

A while back I needed a summary of which protocols were supported/recommended in different situations by Azure Active Directory while I was researching the “When To Use Which (OAuth2) Grants and (OIDC) Flows” post. So, I am summarizing it here.

Per the information provided here, the following application types can use the following OAuth2, OIDC, WS-Federation or SAML2 authentication methods.

Web Browser to Web Application

SPA Application (authentication of end user and invoking an API)

Native Application to Web API (desktop and mobile apps)

  • OAuth 2.0 authorization code grant type with a public client
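Added example (not from the original post): how a public client such as a desktop or mobile app, which cannot keep a client secret, runs the OAuth 2.0 authorization code grant against the Azure AD v2.0 endpoints with PKCE (RFC 7636) in place of a secret. The tenant, client id, redirect URI and scopes are placeholders.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode

TENANT = "common"                                   # placeholder tenant
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder application (client) id
REDIRECT_URI = "http://localhost:8400/callback"     # placeholder loopback redirect URI
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 challenge method."""
    if verifier is None:
        # 32 random bytes -> 43 unreserved characters, within RFC 7636's 43..128 range
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(challenge: str, state: str, scopes: list) -> str:
    """Step 1: the URL the app opens in the system browser to authenticate the user."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,                    # bound to this request, checked on the callback
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def check_callback(params: dict, expected_state: str) -> str:
    """Step 2: validate the redirect back to the app and return the authorization code."""
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    if "code" not in params:
        raise ValueError(params.get("error_description", "no authorization code returned"))
    return params["code"]


def build_token_request(code: str, verifier: str) -> dict:
    """Step 3: form body POSTed to AUTHORITY/token. No client_secret is sent; the public
    client proves it started the flow by presenting the code_verifier instead."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }
```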

Web Application to Web API

Application Identity:

  • OAuth2 Client credentials grant

User Identity:

Daemon or Server Application to Web API

Scenario #1: Use an application identity

  • For example, a daemon that needs to call a web API: use the OAuth 2.0 client credentials grant type

Scenario #2: Use an authenticated end user identity
