| client_id | Yes | The application ID that the [Azure portal](https://portal.azure.com/) assigned to your application. |
75
+
| nonce | Yes | A value included in the request (generated by the application) that is included in the resulting ID token as a claim. The application can then verify this value to mitigate token replay attacks. The value is typically a randomized unique string that can be used to identify the origin of the request. |
76
+
| p | Yes | The user flow that is run. It is the name of a user flow that's created in your Azure AD B2C tenant. The name of the user flow should begin with `b2c\_1\_`. |
75
77
| response_type | Yes | Must include an ID token for OpenID Connect. If your web application also needs tokens for calling a web API, you can use `code+id_token`. |
76
-
| redirect_uri | No | The `redirect_uri` parameter of your application, where authentication responses can be sent and received by your application. It must exactly match one of the `redirect_uri` parameters that you registered in the Azure portal, except that it must be URL encoded. |
77
78
| scope | Yes | A space-separated list of scopes. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of ID tokens. The `offline_access` scope is optional for web applications. It indicates that your application will need a *refresh token* for extended access to resources. |
79
+
| prompt | No | The type of user interaction that's required. The only valid value at this time is `login`, which forces the user to enter their credentials on that request. |
80
+
| redirect_uri | No | The `redirect_uri` parameter of your application, where authentication responses can be sent and received by your application. It must exactly match one of the `redirect_uri` parameters that you registered in the Azure portal, except that it must be URL encoded. |
78
81
| response_mode | No | The method that is used to send the resulting authorization code back to your application. It can be either `query`, `form_post`, or `fragment`. The `form_post` response mode is recommended for best security. |
79
82
| state | No | A value included in the request that's also returned in the token response. It can be a string of any content that you want. A randomly generated unique value is typically used for preventing cross-site request forgery attacks. The state is also used to encode information about the user's state in the application before the authentication request occurred, such as the page they were on. |
80
-
| nonce | Yes | A value included in the request (generated by the application) that is included in the resulting ID token as a claim. The application can then verify this value to mitigate token replay attacks. The value is typically a randomized unique string that can be used to identify the origin of the request. |
81
-
| p | Yes | The user flow that is run. It is the name of a user flow that's created in your Azure AD B2C tenant. The name of the user flow should begin with `b2c\_1\_`. |
82
-
| prompt | No | The type of user interaction that's required. The only valid value at this time is `login`, which forces the user to enter their credentials on that request. |
83
83
84
84
At this point, the user is asked to complete the workflow. The user might have to enter their username and password, sign in with a social identity, or sign up for the directory. There could be any other number of steps depending on how the user flow is defined.
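Review bot: the re-added `p` row keeps the escaped `b2c\_1\_` inside backticks, but backslash escapes are not processed inside a code span, so the backslashes render literally; the row should read `b2c_1_`. Otherwise the four moved rows (nonce, p, prompt, redirect_uri) carry their text over verbatim, and the resulting order is required parameters first (client_id, nonce, p, response_type, scope) and optional ones after (prompt, redirect_uri, response_mode, state), alphabetical within each group; nothing in the table marks that grouping, so consider saying so in the sentence above the table so the order is not read as the order in which parameters must appear in the query string.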
| p | Yes | The user flow that was used to acquire the authorization code. You can't use a different user flow in this request. Add this parameter to the query string, not to the POST body. |
169
168
| client_id | Yes | The application ID that the [Azure portal](https://portal.azure.com/) assigned to your application. |
170
-
| grant_type | Yes | The type of grant, which must be `authorization_code` for the authorization code flow. |
171
-
| scope | No | A space-separated list of scopes. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of id_token parameters. It can be used to get tokens to your application's own back-end web API, which is represented by the same application ID as the client. The `offline_access` scope indicates that your application needs a refresh token for extended access to resources. |
169
+
| client_secret | Yes | The application secret that was generated in the [Azure portal](https://portal.azure.com/). This application secret is an important security artifact. You should store it securely on your server. Change this client secret on a periodic basis. |
172
170
| code | Yes | The authorization code that you acquired in the beginning of the user flow. |
171
+
| grant_type | Yes | The type of grant, which must be `authorization_code` for the authorization code flow. |
172
+
| p | Yes | The user flow that was used to acquire the authorization code. You can't use a different user flow in this request. Add this parameter to the query string, not to the POST body. |
173
173
| redirect_uri | Yes | The `redirect_uri` parameter of the application where you received the authorization code. |
174
-
|client_secret|Yes| The application secret that was generated in the [Azure portal](https://portal.azure.com/). This application secret is an important security artifact. You should store it securely on your server. Change this client secret on a periodic basis. |
174
+
|scope|No|A space-separated list of scopes. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of id_token parameters. It can be used to get tokens to your application's own back-end web API, which is represented by the same application ID as the client. The `offline_access` scope indicates that your application needs a refresh token for extended access to resources. |
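Review bot: the added `scope` row (`|scope|No|A space-separated list...`) drops the `| cell |` padding every other row in this table uses; reformat it as `| scope | No | ... |` to match. While it is being moved, its wording ("in the form of id_token parameters", "get tokens to your application's own back-end web API") differs from the otherwise identical scope row in the refresh-token table ("in the form of ID tokens", "send tokens to"); align the two so the tables describe the same scope the same way.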
| p | Yes | The user flow that was used to acquire the original refresh token. You can't use a different user flow in this request. Add this parameter to the query string, not to the POST body. |
236
235
| client_id | Yes | The application ID that the [Azure portal](https://portal.azure.com/) assigned to your application. |
236
+
| client_secret | Yes | The application secret that was generated in the [Azure portal](https://portal.azure.com/). This application secret is an important security artifact. You should store it securely on your server. Change this client secret on a periodic basis. |
237
237
| grant_type | Yes | The type of grant, which must be a refresh token for this part of the authorization code flow. |
238
-
| scope | No | A space-separated list of scopes. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of ID tokens. It can be used to send tokens to your application's own back-end web API, which is represented by the same application ID as the client. The `offline_access` scope indicates that your application needs a refresh token for extended access to resources. |
239
-
| redirect_uri | No | The `redirect_uri` parameter of the application where you received the authorization code. |
240
238
| refresh_token | Yes | The original refresh token that was acquired in the second part of the flow. The `offline_access` scope must be used in both the authorization and token requests in order to receive a refresh token. |
241
-
| client_secret | Yes | The application secret that was generated in the [Azure portal](https://portal.azure.com/). This application secret is an important security artifact. You should store it securely on your server. Change this client secret on a periodic basis. |
239
+
| p | Yes | The user flow that was used to acquire the original refresh token. You can't use a different user flow in this request. Add this parameter to the query string, not to the POST body. |
240
+
| redirect_uri | No | The `redirect_uri` parameter of the application where you received the authorization code. |
241
+
| scope | No | A space-separated list of scopes. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of ID tokens. It can be used to send tokens to your application's own back-end web API, which is represented by the same application ID as the client. The `offline_access` scope indicates that your application needs a refresh token for extended access to resources. |
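Review bot: in this table the required `p` row lands after `refresh_token`, whereas the other two tables in this change put required parameters first in alphabetical order (here that would be client_id, client_secret, grant_type, p, refresh_token, then redirect_uri and scope); move the `p` row above `refresh_token` so all three tables follow one rule. The unchanged `grant_type` context line says the value "must be a refresh token"; since the cell names a literal value, `refresh_token` in code font would match the `authorization_code` wording used in the token-request table.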
articles/active-directory/conditional-access/block-legacy-authentication.md
+1 -1 Lines changed: 1 addition & 1 deletion
@@ -51,7 +51,7 @@ Before you can block legacy authentication in your directory, you need to first
51
51
52
52
1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-ins**.
53
53
1. Add the Client App column if it is not shown by clicking on **Columns** > **Client App**.
54
-
1.Filter by **Client App** > **Other Clients** and click **Apply**.
54
+
1.**Add filters** > **Client App** > select all of the options for **Other clients** and click **Apply**.
55
55
56
56
Filtering will only show you sign-in attempts that were made by legacy authentication protocols. Clicking on each individual sign-in attempt will show you additional details. The **Client App** field under the **Basic Info** tab will indicate which legacy authentication protocol was used.
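Review bot: the rewritten step keeps the pre-existing missing space after the list marker (`1.**Add filters**`); the two steps above it use `1. `, and Markdown needs that space for the line to render as a list item rather than a paragraph beginning with "1.", so change it to `1. **Add filters** > **Client App** > select all of the options for **Other clients** and click **Apply**.` while the line is being touched. Also confirm the portal label casing: the old text said **Other Clients**, the new one **Other clients**.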
articles/active-directory/conditional-access/howto-baseline-protect-legacy-auth.md
+1 -1 Lines changed: 1 addition & 1 deletion
@@ -34,7 +34,7 @@ Before you can block legacy authentication in your directory, you need to first
34
34
35
35
1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-ins**.
36
36
1. Add the Client App column if it is not shown by clicking on **Columns** > **Client App**.
37
-
1.Filter by **Client App** > **Other Clients** and click **Apply**.
37
+
1.**Add filters** > **Client App** > select all of the options for **Other clients** and click **Apply**.
38
38
39
39
Filtering will only show you sign-in attempts that were made by legacy authentication protocols. Clicking on each individual sign-in attempt will show you additional details. The **Client App** field under the **Basic Info** tab will indicate which legacy authentication protocol was used.
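Review bot: same missing space after the list marker here (`1.**Add filters**` where the preceding steps use `1. `), so this step will not render as part of the numbered list; add the space. This procedure is duplicated word for word between howto-baseline-protect-legacy-auth.md and block-legacy-authentication.md, which is why the same one-line fix had to be made in two files; moving the shared steps into an include would keep the two from drifting the next time the portal filter UI changes.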
articles/active-directory/develop/reference-breaking-changes.md
+1 -1 Lines changed: 1 addition & 1 deletion
@@ -45,7 +45,7 @@ August 2019: Enforce POST semantics according to URL parsing rules - duplicate p
45
45
46
46
**Effective date**: July 26, 2019
47
47
48
-
**Endpoints impacted**: Both [v1.0](https://docs.microsoft.com/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow) and [v2.0](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow)
48
+
**Endpoints impacted**: Both [v1.0](https://docs.microsoft.com/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow) and [v2.0](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow)
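Review bot: dropping `en-us` brings the v2.0 link in line with the v1.0 link on the same line and stops pinning readers to one locale; both targets sit in the same articles/active-directory/develop folder as this file, so relative links (`v1-oauth2-client-creds-grant-flow.md`, `v2-oauth2-client-creds-grant-flow.md`) would avoid the absolute docs.microsoft.com host altogether and survive future host or locale changes.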