OAuth 2.0 authorization code flow with a React SPA, ASP.NET Core Web API, RBAC roles, and MSAL

Earlier this year the Microsoft Identity Platform team shared new guidance that recommends using the OAuth 2.0 Authorization Code flow for browser-based web applications. The reason is that upcoming browser security changes (in particular, restrictions on third-party cookies) are going to cause problems for the commonly used implicit grant flow pattern.

Although I found plenty of great code samples and quickstart material for using the authorization code flow with the Microsoft Graph API, it took me a while to figure out how to use it against an ASP.NET Core Web API. The goal of this post is to provide an end-to-end setup guide, with source code, for the protected web API resource scenario that uses RBAC roles.


How to set up the Azure AD implicit grant flow with React, ASP.NET Core, and RBAC roles

The OAuth 2.0 implicit grant flow is a great way to handle authentication between a client-side JavaScript single-page web app (SPA) and a web API. For example: a React or Angular web app that needs to authenticate users and then have those users call an authorized ASP.NET Core Web API.

Azure AD and the Microsoft identity platform have well-established patterns and support for this workflow. In this blog post I will break down an end-to-end example that enables this flow for AAD users with the following technologies: an Azure AD App configured with role-based access control (RBAC) claims, client-side code leveraging React and ADAL.js, and server-side code leveraging ASP.NET Core.
