Scenario: Single-page application
Learn all you need to build a single-page application (SPA). For instructions regarding Azure Static Web Apps, see Authentication and Authorization for Static Web Apps instead.
The Microsoft identity platform provides two options to enable single-page applications to sign in users and get tokens to access back-end services or web APIs:
- OAuth 2.0 Authorization code flow (with PKCE). The authorization code flow allows the application to exchange an authorization code for ID tokens to represent the authenticated user and Access tokens needed to call protected APIs. PKCE is Proof Key for Code Exchange and is designed to prevent several attacks and to be able to securely perform the OAuth exchange from public clients. PKCE is an IETF standard documented in RFC 7636. In addition, it returns Refresh tokens that provide long-term access to resources on behalf of users without requiring interaction with those users. This is the recommended approach.
- OAuth 2.0 implicit flow. The implicit grant flow allows the application to get ID and Access tokens. Unlike the authorization code flow, implicit grant flow does not return a Refresh token.
To enable this scenario for your application, you need:
- Application registration with Azure Active Directory (Azure AD). The registration steps differ between the implicit grant flow and authorization code flow.
- Application configuration with the registered application properties, such as the application ID.
If you're new to identity and access management (IAM) with OAuth 2.0 and OpenID Connect, or even just new to IAM on the Microsoft identity platform, the following set of articles should be high on your reading list.
Although not required reading before completing your first quickstart or tutorial, they cover topics integral to the platform, and familiarity with them will help you on your path as you build more complex scenarios.
Move on to the next article in this scenario, App registration.