@SaebAmini Thank you for your feedback . We will investigate and update the thread further.

@SaebAmini Thanks for reaching out. You can try the sample listed here :
https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect

The above uses the openID Connect to authenticate the user and OAuth - Auth code flow to fetch the tokens for Graph API.
Let me know if above helps.

@vipulsparsh that project seems very old. It's not ASP.NET Core and it's targeting .NET Framework.

@SaebAmini This is the correct link :

https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC

@vipulsparsh close, but that's using the implicit flow:

Hello @SaebAmini, the sample shared above uses OpenIDConnect for Authentication, and then it uses the Auth-Code Grant flow to fetch a token from AAD. In the auth process since it is using OpenIDConnect, ID-Token is issued by AAD as a response to the auth request and on receiving the ID-Token by the app who initiated the auth-request knows that the user got successfully authenticated.

The sample above is not using Implicit flow. Implicit flow is only used for SPAs which work completely on the browser end and there is no server part available for those apps. Mostly Javascript or various implementations of Javascript like ReactJS, Angular, etc do use Implicit flow, since the all the code written in Javascript are rendered in the web-browser itself.

Since in this sample you are using ASP .Net core hence all the code that is responsible for initiating the auth request using OIDC and then fetching the token from AAD using Auth-Code Grant flow is written in the server-side component, hence Implicit flow cannot be implemented in this case. The only way to get the auth done is by using OIDC and then to fetch the token we have to use Auth-Code Grant flow.

For more information on OIDC and Auth-Code Grant Flow, please refer to the links below:

• OpenIDConnect: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
• Auth-Code Grant Flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

You can read more on Implicit flow here to understand where it is used mostly: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow#is-the-implicit-grant-suitable-for-my-app

Also to understand the difference between OIDC and OAUTH flows: https://stackoverflow.com/questions/1087031/whats-the-difference-between-openid-and-oauth

Hope this helps.

Please do let us know if there are any more queries or confusions in understanding these flows and with the sample so that we can help you further.

@SaebAmini To add to @souravmishra-msft's response, this is referred to as the hybrid flow. We're currently in the process of adding a section about the hybrid flow to our auth code flow article that will look something like this:

Request an ID token as well (hybrid flow)

To learn who the user is before redeeming an authorization code, it's common for applications to also request an ID token when they request the authorization code. This is called the hybrid flow because it mixes the implicit grant with the authorization code flow. The hybrid flow is commonly used in web apps that want to render a page for a user without blocking on code redemption. Both single-page apps and traditional web apps benefit from reduced latency in this model.

We're also working on clarifying this in the Azure portal's app registration pane so it's clearer that by selecting only the ID token check box (and not the Access token box), you're enabling the hybrid flow, not the implicit flow.

Cc: @jmprieur @hpsin

@souravmishra-msft thanks for your confirmation, explanation and the compilation of links. I already know what OIDC and OAuth are and how they work (I think I do anyway 🙃). My issue is with regards to the samples and documentation. OIDC supports the implicit flow and just the fact that an app is server-side isn't proof enough of the flow it is using.

I think @mmacy pointed out the crux of the issue here, which is these samples are really using a hybrid flow and not exclusively the Authorization Code grant flow.

Thanks @mmacy for adding that you're planning to improve the doco and the Azure portal, I think that'll be a great help in reducing confusion. However, as this issue is ultimately about the documentation, this discussion I think has highlighted some issues with the sample codes and documentation that I believe need to be fixed:

1. Nearly all of the "AppCreationScript"s in those samples are setting Oauth2AllowImplicitFlow to true when registering the apps. This is very confusing for a sample that's not supposed to be using the implicit flow.

   If this is to enable the hybrid flow, maybe for simplicity it could just use the auth code flow and hint that a hybrid flow is also possible for reduced latency, or otherwise call out why it's being enabled.

2. Similar issue in the README files, where it says you need to enable Implicit grant.

3. In the samples page, the used flow should be explicitly called out for each sample. This is currently the case for samples under "Desktop and mobile public client apps and Daemon/Headless apps", but not others.

4. Under "Web applications", the recent ASP.NET Core sample from @souravmishra-msft should be added, rather than under "Multi-tenant SaaS applications" which fewer people will have a look at.

5. In the "Is the implicit grant suitable for my app?" that @souravmishra-msft posted, honestly the answer should just be no or at least "not unless you really need to (i.e. supporting old browsers)", rather than "If you are planning an SPA, then it is recommended". If the current official OAuth Security Best Practice and other auth leading experts say it's old and not a good idea and there's little to no reason to not just use the auth code grant flow + PKCE, then it's good for Microsoft's docs to be updated as well.

6. A page/section on the hybrid flow, why it's useful and security considerations would be great.

@SaebAmini This is _exactly_ the type of constructive feedback we always hope for - thank you! :medal_sports:

1. & 2. Would you be willing to open issues in the affected sample repo(s) so the team that owns the sample(s) can track and address? Definitely feel free to cross-link this issue for context if you do so.

2. Funny you mention that - there's a work item (PBI 1194716) that's just been picked up to revamp that article to establish consistency across all tables within it. I'll specify token grant flow as a required column for all tables.

3. Per #3 above, there will likely be significant refactoring of the tables and there may be consolidation. I foresee opportunities to simplify the view yet at the same time more clearly represent samples that apply to multiple app scenarios.

4. Should be addressed by https://github.com/MicrosoftDocs/azure-docs-pr/pull/135679 by @hpsin (private repo, may 404 for you)

5. Should be addressed by https://github.com/MicrosoftDocs/azure-docs-pr/pull/137929 by @hpsin (private repo, may 404 for you)

I'm going to pass this one over to @hpsin for consideration in #5 and #6 as those will land first. Once those are merged, I'll take it back for taking #3 and #4 into account on PBI 1194716.

reassign:hpsin

@mmacy and that's exactly the type of response and outcome I was hoping for 🙂 Thank you for your detailed answer and sharing your plan on how these points will be addressed. Happy to raise 1 and 2 on the respective repos.