question

KiranKumarCW-9262 asked amanpreetsingh-msft commented

What other OAuth flow can be used instead of the client credentials grant flow for service-to-service interactions?

Our app consists of microservices, and for these microservices we are using the Azure AD OAuth client credentials
flow to authorize our clients. We registered each microservice in Azure AD, added custom roles to them, and
are trying to add these application permissions to the client apps that consume our services. We were unable
to add these permissions, as we got blocked by the admin consent requirement and are unable to see the roles in the JWT token.

In this process, we tried to get the Graph API permission AppRoleAssignment to add those permissions to our client apps.
Unfortunately, due to a security concern, our organization is unable to grant the admin permissions needed to add application permissions
through the Graph API, as AppRoleAssignment gives an SPN the ability to assign a given role to an app. That gives it a broad
enough role to effectively turn itself or any other SPN into a Global Admin. What is the alternative way to use Azure AD OAuth
for service-to-service interaction without the need for admin-granted permissions? Can we use the authorization code flow with OAuth scopes? It asks users to sign in to get the code, though.

azure-active-directory azure-ad-domain-services azure-ad-app-management

1 Answer

amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @KiranKumarCW-9262, thank you for reaching out.

The OAuth flow recommended for service-to-service interaction is the Client Credentials grant, as the other authentication flows use a user context rather than an application context. Most of the code samples we have published for daemon apps are based on the Client Credentials grant only.

However, if your microservices are hosted on a platform listed in the document below, you may consider using Managed Identity as an alternative.
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

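An added example, not part of the original question or answer, showing what a microservice on the receiving end checks when callers obtain tokens with the Client Credentials grant: application permissions arrive in the `roles` claim, whereas a user-context (delegated) token carries `scp`. The audience value, role name and token contents are constructed placeholders, and this stdlib-only decoder assumes the signature, issuer and expiry have already been validated against the tenant's published signing keys.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def make_constructed_token(claims: dict) -> str:
    # Builds an UNSIGNED, constructed token for local demonstration only (not a real Azure AD token).
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims(token: str) -> dict:
    # Extracts the payload only. Assumption: signature, issuer and expiry were already
    # validated by the caller; never trust claims from an unverified token.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def authorize_app_role(token: str, required_role: str, expected_audience: str) -> bool:
    """Authorize a service-to-service call: accept only app-only tokens whose `roles`
    claim carries the required app role, and reject delegated tokens (those with `scp`)."""
    claims = jwt_claims(token)
    if claims.get("aud") != expected_audience:
        return False  # token was issued for a different API
    if "scp" in claims:
        return False  # delegated token: user context, not application context
    roles = claims.get("roles", [])
    return isinstance(roles, list) and required_role in roles


# Constructed samples: an app-only token carrying an app role, a delegated token with a
# scope, and an app-only token whose client was never assigned the role (empty `roles`).
APP_TOKEN = make_constructed_token({"aud": "api://orders-placeholder", "roles": ["Orders.Read"]})
USER_TOKEN = make_constructed_token({"aud": "api://orders-placeholder", "scp": "Orders.Read"})
NO_ROLE_TOKEN = make_constructed_token({"aud": "api://orders-placeholder"})

if __name__ == "__main__":
    print(authorize_app_role(APP_TOKEN, "Orders.Read", "api://orders-placeholder"))  # True
```

The third sample mirrors the symptom in the question: until the app role assignment is actually granted, the client's token simply has no `roles` entry and the check fails closed.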

Hi @KiranKumarCW-9262, just checking if the above response helped or if you have any further questions.
