Azure-docs: Given that this is a server-side app, why do ID tokens under implicit flow have to be checked?

Created on 14 Nov 2019 · 14 Comments · Source: MicrosoftDocs/azure-docs

On the app registration page it says to use implicit flow only for public client apps. This example builds a server-side app, so why do we need to check ID tokens under implicit grant? Also, in the code sample I see that no client secret is mentioned anywhere in the settings. How is the app still getting authenticated successfully when no client secret is provided? Please clarify.



Pri1 active-directorsvc assigned-to-author develosubsvc product-question triaged


All 14 comments

@rameshjanjyam Thanks for your feedback! We will investigate and update as appropriate.

Hello @rameshjanjyam, can you clarify your ask? Are you asking for more clarification in regards to this document?

I suggest taking a look at the GitHub repo's documentation as well: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/

I agree though there are some items here that need to be taken a look at, and it can definitely be improved.

@jmprieur could you please help in regards to this matter?

Things seem to have changed. Looking at it

On the App Registration part of the Azure portal, it warns against turning on ID tokens:

Implicit grant
Allows an application to request a token directly from the authorization endpoint. Recommended only if the application has a single page architecture (SPA), has no backend components, or invokes a Web API via JavaScript. Learn more about the implicit grant flow

To enable the implicit grant flow, select the tokens you would like to be issued by the authorization endpoint:

[ ] Access tokens
[ ] ID tokens

This definitely needs to be explained.

ASP.NET Core needs the IDToken to evaluate the identity of the user, which is why IDToken is used. We are discussing the portal UX, which should not put IDToken in the implicit flow category (as obviously it can be used for other cases, like the Auth Code flow).

please-close

I apologize for bothering you @jmprieur , but I am trying to understand the distinction between IDToken and Implicit Grant Flow. Does enabling IDToken expose my application to the risks that led to the IETF deprecating the use of the Implicit Grant Flow, or do those risks only apply if I additionally enable access tokens?

Thank you for your time

@DanielThomasHealy it's perfectly ok to request an ID token. This is not the implicit flow in that case (even if the portal does present it as such at the moment. We are fixing this, BTW).
What we don't do is request an implicit flow access token (which would expose your application).

@jmprieur It looks like the portal still presents it this way, and the manifest does as well (since the property is called oauth2AllowIdTokenImplicitFlow). Is there a timeline for this to be corrected? Failing that, or if it's faster, can some clarification also be added to the documentation at https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow? Thank you!

@baf I don't know for the portal changes yet. But we've ensured that Microsoft.Identity.Web does not require the ID Token for Azure AD web apps calling web APIs (it's still needed for Azure AD B2C web applications calling web APIs)

This change will be Microsoft.Identity.Web 1.0.0 (GA version) which should be available before the end of the month. We'll change the quickstart as well.

cc: @mmacy @jennyf19 @henrik-me

please-reopen

Thanks very much for the quick reply, @jmprieur!

@jmprieur reopening this one

We're having a discussion with the portal to change the wording and make it clear that this is not implicit flow, but hybrid flow. This is in the pipe. Proposing to close this issue, now.

please-close
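As an added illustration of the distinction drawn in the two replies above (not code from the issue, the quickstart or Microsoft.Identity.Web), here is a small Python checker that names the flow an OpenID Connect `response_type` selects and flags the combinations a server-side web app should not use. It generalises beyond the thread's `code id_token` case to every `response_type` combination; the values and the nonce rule come from OAuth 2.0 / OIDC Core, and the policy function and its messages are assumptions for this example.

```python
# Added example (not from the issue or from Microsoft.Identity.Web): classify an
# OpenID Connect authorization request by its response_type and apply the policy
# the thread describes for a server-side (confidential) web app: an ID token
# obtained from the authorization endpoint alongside a code is the hybrid flow,
# while any access token issued by the authorization endpoint is the implicit
# grant the portal warns about.
from urllib.parse import parse_qs, urlsplit

# response_type combinations defined by OAuth 2.0 / OIDC Core, mapped to flow names.
FLOWS = {
    frozenset({"code"}): "authorization_code",
    frozenset({"id_token"}): "implicit",
    frozenset({"token"}): "implicit",
    frozenset({"id_token", "token"}): "implicit",
    frozenset({"code", "id_token"}): "hybrid",
    frozenset({"code", "token"}): "hybrid",
    frozenset({"code", "id_token", "token"}): "hybrid",
}


def classify(response_type: str) -> str:
    """Return the flow name for a space-separated response_type, or 'unknown'."""
    return FLOWS.get(frozenset(response_type.split()), "unknown")


def check_authorize_request(url: str, confidential_client: bool = True) -> list:
    """Return findings for an /authorize URL; an empty list means acceptable."""
    params = parse_qs(urlsplit(url).query)
    response_type = params.get("response_type", [""])[0]
    parts = set(response_type.split())
    flow = classify(response_type)
    if flow == "unknown":
        return [f"unrecognised response_type '{response_type}'"]
    findings = []
    # An access token from the authorization endpoint is the risky part of the
    # implicit grant: the token lands in the browser (URL fragment, history).
    if "token" in parts:
        findings.append("access token requested from authorization endpoint (implicit)")
    # A confidential client should redeem a code at the token endpoint (with its
    # secret or certificate) rather than rely on the authorization endpoint alone.
    if confidential_client and flow == "implicit":
        findings.append("confidential client using implicit flow; use code or code id_token")
    # OIDC Core requires a nonce whenever an ID token is issued by the
    # authorization endpoint, so it can be bound to the session that asked for it.
    if "id_token" in parts and not params.get("nonce"):
        findings.append("id_token requested without nonce")
    return findings
```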
