Azure Active Directory has two OAuth 2.0 endpoints, v1 and v2. Ideally you would use v2, but it has some limitations; for example, if your application relies on SAML you will have to use v1.
The main difference between v1 and v2 is that v1 uses resources and v2 uses scopes for access management: a v1 client names the API it wants a token for via `resource`, while a v2 client asks for individual permissions via `scopes`.
V1 does not publish a revocation endpoint because its access tokens are not revocable. Therefore the revoke functionality doesn't work against v1; sign-out has to discard the tokens on the client instead.
See the Azure docs on requesting an access token for more info on additional parameters.
Please note:
- The Azure docs recommend `urn:ietf:wg:oauth:2.0:oob` as the `redirectUrl`.
- `scopes` is ignored.
- `additionalParameters.resource` may be required based on the tenant settings.
```js
// authorize/refresh as used on this page (react-native-app-auth API)
import { authorize, refresh } from 'react-native-app-auth';

const config = {
  // v1 authority: no /v2.0 suffix
  issuer: 'https://login.microsoftonline.com/your-tenant-id',
  clientId: 'your-client-id',
  redirectUrl: 'urn:ietf:wg:oauth:2.0:oob',
  // v1 is resource-based; scopes would be ignored here
  additionalParameters: {
    resource: 'your-resource'
  }
};

// Log in to get an authentication token
const authState = await authorize(config);

// Refresh token
const refreshedState = await refresh(config, {
  refreshToken: authState.refreshToken,
});
```
The v2 endpoint follows the standard OAuth 2.0 protocol with scopes; request `offline_access` if you need a refresh token. See the Microsoft identity platform documentation for details.
```js
// authorize/refresh as used on this page (react-native-app-auth API)
import { authorize, refresh } from 'react-native-app-auth';

const config = {
  // v2 authority: note the /v2.0 suffix
  issuer: 'https://login.microsoftonline.com/your-tenant-id/v2.0',
  clientId: 'your-client-id',
  redirectUrl: 'urn:ietf:wg:oauth:2.0:oob',
  // offline_access is what makes the v2 endpoint return a refresh token
  scopes: ['openid', 'profile', 'email', 'offline_access']
};

// Log in to get an authentication token
const authState = await authorize(config);

// Refresh token
const refreshedState = await refresh(config, {
  refreshToken: authState.refreshToken,
});
```
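The two configs above differ only in the issuer suffix and in resource-versus-scopes, and both mistakes (passing `scopes` to v1, omitting `offline_access` on v2) fail silently until `refresh()` breaks later. The following is an added example, not code from the page or the library, that builds either config from one set of inputs, flags those mistakes up front, and checks that the `iss` claim of a returned ID token matches the endpoint you configured. It assumes the config shape used on this page, that `tenantId` is the tenant GUID (the `iss` claim always carries the GUID, even when you configure `common` or a domain name), and Node's `Buffer` for base64url decoding. The sample token at the bottom is constructed for the demo, not a real Azure AD token.

```javascript
// Added example (not the page's own code): build and sanity-check an Azure AD
// config for the v1 or v2 endpoint before handing it to authorize()/refresh().
const AZURE_AUTHORITY = 'https://login.microsoftonline.com';
const OOB_REDIRECT = 'urn:ietf:wg:oauth:2.0:oob'; // redirectUrl recommended on this page

// Returns { config, warnings }; throws only when the result could never work.
function buildAzureConfig({ tenantId, clientId, version, resource, scopes, redirectUrl = OOB_REDIRECT }) {
  if (!tenantId || !clientId) throw new Error('tenantId and clientId are required');
  const warnings = [];
  if (version === 'v1') {
    // v1 is resource-based: scopes are silently ignored, so surface them as a warning.
    if (scopes && scopes.length) warnings.push('scopes are ignored by the v1 endpoint');
    if (!resource) warnings.push('additionalParameters.resource may be required by the tenant');
    return {
      config: {
        issuer: `${AZURE_AUTHORITY}/${tenantId}`,
        clientId,
        redirectUrl,
        additionalParameters: resource ? { resource } : {},
      },
      warnings,
    };
  }
  if (version === 'v2') {
    if (!scopes || !scopes.length) throw new Error('the v2 endpoint requires at least one scope');
    // Without offline_access the v2 endpoint issues no refresh token, so refresh() would fail.
    if (!scopes.includes('offline_access')) warnings.push('add offline_access if you need refresh()');
    return {
      config: { issuer: `${AZURE_AUTHORITY}/${tenantId}/v2.0`, clientId, redirectUrl, scopes },
      warnings,
    };
  }
  throw new Error(`unknown endpoint version: ${version}`);
}

// v1 configs are the ones without the /v2.0 suffix; their tokens cannot be revoked.
function isV1Config(config) {
  return !config.issuer.endsWith('/v2.0');
}

// Decode a JWT payload WITHOUT verifying the signature. This is for inspecting
// which endpoint issued a token, never for making an authorization decision.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// The iss claim depends on the endpoint, not on the authority URL you configured:
// v1 tokens are issued by https://sts.windows.net/{tenant-guid}/, v2 tokens by the
// /v2.0 authority URL. Assumes tenantId is the tenant GUID.
function expectedIssuer(config, tenantId) {
  return isV1Config(config)
    ? `https://sts.windows.net/${tenantId}/`
    : `${AZURE_AUTHORITY}/${tenantId}/v2.0`;
}

function issuerMatches(config, tenantId, idToken) {
  return decodeJwtPayload(idToken).iss === expectedIssuer(config, tenantId);
}

// Constructed, unsigned sample ID token for the demo (alg "none", no real signature).
function makeUnsignedJwtForDemo(payload) {
  const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url(payload)}.sig`;
}
const DEMO_TENANT = '11111111-2222-3333-4444-555555555555';
const SAMPLE_V1_ID_TOKEN = makeUnsignedJwtForDemo({ iss: `https://sts.windows.net/${DEMO_TENANT}/`, tid: DEMO_TENANT });

function demo() {
  const v1 = buildAzureConfig({ tenantId: DEMO_TENANT, clientId: 'client', version: 'v1', scopes: ['openid'] });
  const v2 = buildAzureConfig({ tenantId: DEMO_TENANT, clientId: 'client', version: 'v2', scopes: ['openid', 'offline_access'] });
  return {
    v1Warnings: v1.warnings,
    v1TokenOk: issuerMatches(v1.config, DEMO_TENANT, SAMPLE_V1_ID_TOKEN),
    v2TokenOk: issuerMatches(v2.config, DEMO_TENANT, SAMPLE_V1_ID_TOKEN),
  };
}
```

Run `demo()` to see the v1 config warn about the ignored `scopes` and the missing `resource`, and to see the same v1-issued token accepted against the v1 config but rejected against the v2 config. Treat `issuerMatches` as a configuration smoke test only; real validation of an ID token must verify the signature against the tenant's published keys.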