OAuth and OpenID



This course covers the Secure Resources part of the 70-534 exam, which is worth 20-25% of the exam. The intent of the course is to help fill in any knowledge gaps that you might have, and to help prepare you for the exam.


Welcome back. In this lesson we'll pick up with our discussion of Azure Active Directory; however, we're going to be specifically talking about OAuth 2 and OpenID Connect.

This isn't going to be a long lesson, though since Azure AD is built on open web standards, it makes sense to talk about these things, since they're important to the functionality.

Let's start out with a description of OAuth. It's an authorization protocol and not an authentication protocol.

The difference is that if the user has granted permission to some scope, even a limited one, then they've implicitly proved they are who they say they are. So while developers may use this as an authentication mechanism, OpenID Connect is a layer that sits on top of OAuth 2 and facilitates authentication.

OAuth works based on access tokens, which allow one party to access resources owned by another. Azure AD uses OAuth 2, and actually anyone using OAuth really should be using OAuth 2 for security reasons. Let's run through the basic OAuth 2 authorization workflow.

Here's a scenario: we have an internet application for a customer service team that needs to read the user's email. The application uses machine learning to determine how best to help the customer.

So customer service reps browse to our app, and the first time they're there, they're presented with a pop-up screen asking them to log in with their existing credentials. Then they're prompted to authorize the application to have read access to their email.

Once they agree, an authorization token is sent back, and with that we can request an access token and a refresh token. Once we have an access token, we can make requests to the API so that we can fetch the data that we need. The access token is added to the authorization header of each request.

And that'll allow us to access whatever data the user has given us authorization to. However, at some point it's going to expire. And that's what the refresh token is used for. It will allow us to obtain new access tokens by providing the refresh token.
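The workflow just described, as an added Python example that is not part of the original lesson: redeem the authorization grant for an access and refresh token, send the access token in the Authorization header, and use the refresh token once the access token is about to expire. The token endpoint is a constructed in-memory stub, and the client ID, redirect URI, code and token values are made up; client authentication and PKCE are left out to keep the focus on the token lifecycle.

```python
import time
from urllib.parse import parse_qs, urlencode

def fake_token_endpoint(body, now):
    """Constructed stand-in for the authorization server's token endpoint."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    grant = form.get("grant_type")
    ok = (grant == "authorization_code" and form.get("code") == "demo-code") or (
        grant == "refresh_token" and form.get("refresh_token", "").startswith("rt-"))
    if not ok:
        return {"error": "invalid_grant"}
    return {"access_token": f"at-{now}", "token_type": "Bearer",
            "expires_in": 3600, "refresh_token": f"rt-{now}"}

class TokenClient:
    """Redeems the authorization grant, then keeps the access token fresh."""
    def __init__(self, client_id, redirect_uri, endpoint=fake_token_endpoint, clock=time.time):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.endpoint, self.clock = endpoint, clock
        self.access_token = self.refresh_token = None
        self.expires_at = 0

    def _token_request(self, params):
        now = int(self.clock())
        body = urlencode({**params, "client_id": self.client_id})  # form-encoded POST body
        resp = self.endpoint(body, now)
        if "error" in resp:
            raise PermissionError(resp["error"])
        self.access_token = resp["access_token"]
        # The server may rotate the refresh token; keep the old one if it does not.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        self.expires_at = now + resp["expires_in"] - 60  # renew a minute before expiry

    def redeem_code(self, code):
        self._token_request({"grant_type": "authorization_code", "code": code,
                             "redirect_uri": self.redirect_uri})

    def auth_header(self):
        if self.refresh_token is None:
            raise PermissionError("user has not authorized the application yet")
        if self.clock() >= self.expires_at:
            self._token_request({"grant_type": "refresh_token",
                                 "refresh_token": self.refresh_token})
        return {"Authorization": f"Bearer {self.access_token}"}

if __name__ == "__main__":
    client = TokenClient("demo-client", "https://app.example/callback")
    client.redeem_code("demo-code")
    print(client.auth_header())
```

Because the refresh token outlives the access token, it is the value to protect most carefully in storage and logs.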

Okay, this diagram may look a bit involved, but at its core it's really not that bad. No matter how much detail we go into here, this is something that you need to get your hands dirty with.

So I recommend that you check out these articles from Microsoft on the subject. These are going to be shortened URLs, so they're going to be case sensitive. The first is This is going to give you a bit more detail on the request and response objects. These are things like error messages.

And the second is going to be [inaudible]. This is going to explain some different scenarios as well as how you'd architect the authorization workflow. It covers things such as single page application, native application to web API, among others.

I recommend that you go try these for yourself. Fetch some data, trigger some failures, and try to understand some of the issues that our developers are going to run into.

In our next lesson we're going to be talking about Hybrid Identities, so if you're ready to learn more let's get started with the next lesson.

About the Author


Ben Lambert is the Director of Engineering and was previously the lead author for DevOps and Microsoft Azure training content at Cloud Academy. His courses and learning paths covered Cloud Ecosystem technologies such as DC/OS, configuration management tools, and containers. As a software engineer, Ben’s experience includes building highly available web and mobile apps.

When he’s not building the first platform to run and measure enterprise transformation initiatives at Cloud Academy, he’s hiking, camping, or creating video games.