
OAuth 2.0 is a protocol that allows a user to grant a third-party website or application access to the user's protected resources.

Workflow explanation

Portal Azure Example

I used the Azure portal as an example: https://portal.azure.com/#home. This website uses Microsoft Azure AD to authenticate users.

When I called this URL before being authenticated, the Microsoft website verified that I was not authenticated and redirected me to the login page.

Note: the URL is no longer the one we started with.

https://login.microsoftonline.com/common/reprocess?prompt=select_account&sosid=&ctx=rQIIAY2TTYjjZBjHm-lsnRkdHEZZPA4yiApJ8yZp0g4sOtOkk6Rt0k7TThMPIR9vmqTNR5O3X3FPIiiLh70Jogc9ztGTDAhe3dNeRPQoHsST7EEEL3YWvO_lgQf-PM_h__sd7LEEAARJkO-WKYI8O3UYxmbIOo3Ttk3iTMMBuM1wLt7gGFijHdv1aEeu1EjA0GR2fHD05efGz-88eq_z2fzHHfDow99vsLd8hNL8rFpNkwxZM8IqFhkknCSq5sEkDuJqELtwXf0Ow55i2B8YdrOTszTHcbUayQLQ4FiOqVOEovXp7rVeM7Q-UjQ5MgKSNLTWtHMtbVRtilRNDvXrfqEXd7khULRWYPAXkcILSI8E0N1s8_zFrHMtFCo_Rd1iWCiX0srQ_NDgderXnVfV8wXyqbuRZEEBn-3se0kWmWmSoy_K35fVFMaS20ziGDqIuIvBGAWOhYIk7mVJCjMUwPzBMotZXOhSVHsqdW3A-CscTU2GKkJeMYfBoMB7SNJdJ6hdj_WNCxTR0deyoAishPf1YghDUAcoAnyv2TLbWXcoDFu40lqOxqHgT_T1Zd0uXB4s3bnHLSSP4sVuri6uREnjIZms1_2ZkHM4O-gFysJeolZHbsytkBJCRA4Fw15aeRT7Ypuf-954srGXApBpyyzIfmcgqZcTsYNCekLKKuSaSDQlF4-u2m1xaYEBlTnctBMKHhNIZjqxx55uSsxlKm_GTeky7mn5wvPEuuyusmVTDgzNbXQZcDFwZMDm58tEmTtmeziuu01aobp1by2Alh-Gtfo6bMatdccy2WHThYo27beQr_j5aDQCNlmI4hq1Bg27OU1VIcbVqYx3yQT3NCVuWoOBOQNX82xgKZI485DUWzsXcJWlts_qo2lRTIdXLL26KZ_-j2FkxdYERtvythBuSVxt-UtWORFDVP22fJhkEysOiue15rflU8tiajTlUjjkHBtnahSJ1ynXwwHgAFN3GcBw7JNy50WuVxc5zMwg2qKSJ_HzDydbbuLAPYGRFcxO0izxghn8rfxmFDg-nM3uPIEzP3FhMguWMMis95FDTBzCsZ7uYn_u3t-rHL38Rumk9PbrZPlsb-_gqHS3_bOLfXNvKyN4eHtffZacf43__fCTj_8tPblXRXLPkC7SDU9G86uJO-qI3Ug8HxmpwFl91V-tOiHZM_JisGAeUGfgcQV7XKk8qexLvKkIGsNRf1V2Pn0Ju91_Qa0_euVwr3S8v__Ba8dfzX_6RfzhsPQf0

When you click on your username, or after you enter it, the URL carries different information.

https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?redirect_uri=https%3A%2F%2Fportal.azure.com%2Fsignin%2Findex%2F&response_type=code id_token&scope=https%3A%2F%2Fmanagement.core.windows.net%2F%2Fuser_impersonation openid email profile&state=OpenIdConnect.AuthenticationProperties%3DI_CoF1AUDjmW_xV5NtzktkjAoSUYh1ZBypkmoJy2YfMaSLWf_Za_-elpD8e82EbHFI0N0g9KXtSmOcv5MXUGfAsFkNYxYzlcuwz5NgvVtJjbFORYU4d_uCr1-tPcHYwyHkiUAm6x0xX5vRiC1p-LmlCJlnLERamOVegO_Tq2oVJHDZgHVFxsQuQAxmcJquM39LRaj_frzEX7sgklefEvMmwbW48dz_f1nUCk3FydwT5dcSVa2LbaZ_zYHuu82Qt4zHps2jaHQVq2LwBtUCC7jyZFx5eTLsaHc66E96NkOpt8ePUO1eEtIpuXkgdxnroTvAIvBgRoXdJDhj1qm94f_YJv9Z-tcA6K6MSm9ObjgmRtUdIhMTrIW7pDOv-G1sj2VuJN9dqB-_k8OB7h5VHsiw&response_mode=form_post&nonce=637775515271969471.ZDMzMDlkYTUtYjUyMi00MjFlLTgzMDAtYzlhOTllMmZlNzZiYzYzNTU2ODktOThjOS00NWViLTlkM2YtNDI3ZDdjNzdmYzI5&client_id=c44b4083-3bb0-49c1-b47d-974e53cbdf3c&site_id=501430&client-request-id=c02ac47e-da47-4fe6-a851-361007e6daf2&x-client-SKU=ID_NET472&x-client-ver=6.11.0.0

In this URL, we can see pieces of information such as redirect_uri, response_type and scope.

That means that, once the authentication is done and everything is verified, the redirect is performed and you are authenticated in the Azure Portal.

Website Example

The URL used for this example is https://tcogo-bgotc.azurewebsites.net/#/home. This application has an integration with Azure AD.

Note: You can find more details about this application here.

When you click on Sign In, you will be redirected to Microsoft’s Login page.

In this redirect, we find important information such as the tenant ID 2008ffa9-c9b2-4d97-9ad9-4ace25386be7 and the Azure client ID.

https://login.microsoftonline.com/2008ffa9-c9b2-4d97-9ad9-4ace25386be7/oauth2/v2.0/authorize?scope=openid+email+profile+offline_access&state=5UpmGv3ZHt8Yiy3MsT2hl4Uhvz9WNWs6CrsK1t6P2vY.Ul1UyLznLhM.client-tc&response_type=code&client_id=a08dba0f-dd6e-4241-ba5e-1937c65ee90c&redirect_uri=https%3A%2F%2Fauth-tcogo-bgotc.azurewebsites.net%2Fauth%2Frealms%2FTC%2Fbroker%2Ftc%2Fendpoint&nonce=adUDmACq7pX6ZvQgY0xdhA
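The two authorize URLs above are the interesting part of the flow, because every parameter in them is something the relying party must later match against: the redirect_uri has to be one the application registered, the state has to come back unchanged on the callback, and the nonce has to reappear inside the id_token. The following Python script is an added example (not code from the page or from either application) that parses a v2.0 authorize URL, names the flow it requests, and applies those checks. The registered redirect URI list and the two constructed URLs (one modelled on the portal request with placeholder state and nonce, one deliberately malformed) are assumptions for the example; the third URL is the one from the application above.

```python
"""Parse and sanity-check an OAuth 2.0 / OpenID Connect authorize request URL.

Added example, not from the original page. Decodes the query string, works out
which flow is requested, and applies the checks a relying party would want.
"""
import re
from urllib.parse import parse_qs, urlparse

# Assumption for this example: the redirect URIs registered for the two apps.
REGISTERED_REDIRECT_URIS = {
    "https://portal.azure.com/signin/index/",
    "https://auth-tcogo-bgotc.azurewebsites.net/auth/realms/TC/broker/tc/endpoint",
}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
WELL_KNOWN_TENANTS = {"common", "organizations", "consumers"}

# The authorize URL quoted on the page for the azurewebsites.net application.
TC_AUTHORIZE_URL = ("https://login.microsoftonline.com/2008ffa9-c9b2-4d97-9ad9-4ace25386be7/oauth2/v2.0/authorize"
    "?scope=openid+email+profile+offline_access&state=5UpmGv3ZHt8Yiy3MsT2hl4Uhvz9WNWs6CrsK1t6P2vY.Ul1UyLznLhM.client-tc"
    "&response_type=code&client_id=a08dba0f-dd6e-4241-ba5e-1937c65ee90c"
    "&redirect_uri=https%3A%2F%2Fauth-tcogo-bgotc.azurewebsites.net%2Fauth%2Frealms%2FTC%2Fbroker%2Ftc%2Fendpoint"
    "&nonce=adUDmACq7pX6ZvQgY0xdhA")
# Constructed: shaped like the portal request (hybrid flow), with placeholder state/nonce.
PORTAL_LIKE_URL = ("https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize"
    "?redirect_uri=https%3A%2F%2Fportal.azure.com%2Fsignin%2Findex%2F&response_type=code%20id_token"
    "&scope=https%3A%2F%2Fmanagement.core.windows.net%2F%2Fuser_impersonation%20openid%20email%20profile"
    "&state=STATE_PLACEHOLDER&response_mode=form_post&nonce=NONCE_PLACEHOLDER"
    "&client_id=c44b4083-3bb0-49c1-b47d-974e53cbdf3c")
# Constructed: a request with several defects, to show what the checks report.
BAD_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=c44b4083-3bb0-49c1-b47d-974e53cbdf3c&response_type=id_token&scope=email"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb")


def parse_authorize_url(url):
    """Split a v2.0 authorize URL into host, tenant segment and query parameters."""
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]  # /{tenant}/oauth2/v2.0/authorize
    if len(parts) != 4 or parts[1:] != ["oauth2", "v2.0", "authorize"]:
        raise ValueError(f"not a v2.0 authorize endpoint: {parsed.path}")
    # parse_qs percent-decodes and turns '+' into a space, so 'openid+email'
    # and 'code id_token' both come out as space-separated lists.
    query = parse_qs(parsed.query, keep_blank_values=True)
    return {"host": parsed.hostname, "tenant": parts[0],
            "params": {k: v[0] for k, v in query.items()}}


def classify_flow(response_type):
    """Map the response_type value onto the OAuth/OIDC flow it requests."""
    types = set(response_type.split())
    if types == {"code"}:
        return "authorization code"
    if "code" in types:
        return "hybrid"
    return "implicit"


def check_authorize_request(url, registered=REGISTERED_REDIRECT_URIS):
    """Return (summary, findings); findings prefixed 'note:' are informational."""
    req = parse_authorize_url(url)
    p, findings = req["params"], []
    tenant = req["tenant"]
    if tenant not in WELL_KNOWN_TENANTS and not GUID_RE.match(tenant):
        findings.append(f"unexpected tenant segment {tenant!r}")
    client_id = p.get("client_id", "")
    if not GUID_RE.match(client_id):
        findings.append("client_id missing or not an application (client) ID GUID")
    response_type = p.get("response_type", "")
    flow = classify_flow(response_type) if response_type else None
    if flow is None:
        findings.append("response_type missing")
    elif flow == "implicit":
        findings.append("implicit flow returns tokens in the URL fragment; prefer the code flow")
    scopes = set(p.get("scope", "").split())
    wants_id_token = "id_token" in response_type.split()
    if wants_id_token and "openid" not in scopes:
        findings.append("id_token requested without the openid scope")
    if wants_id_token and not p.get("nonce"):
        findings.append("nonce required when an id_token is requested (replay protection)")
    if not p.get("state"):
        findings.append("state missing: the callback cannot be tied to this request (CSRF)")
    redirect_uri = p.get("redirect_uri", "")
    if redirect_uri not in registered:  # exact string match, never prefix or substring
        findings.append(f"redirect_uri {redirect_uri!r} is not an exact match for a registered URI")
    elif not redirect_uri.startswith("https://"):
        findings.append("redirect_uri is not https")
    if "code" in response_type.split() and "code_challenge" not in p:
        findings.append("note: no PKCE code_challenge (required for public clients)")
    summary = {"host": req["host"], "tenant": tenant, "client_id": client_id,
               "flow": flow, "scopes": sorted(scopes), "redirect_uri": redirect_uri}
    return summary, findings


if __name__ == "__main__":
    for url in (TC_AUTHORIZE_URL, PORTAL_LIKE_URL, BAD_URL):
        summary, findings = check_authorize_request(url)
        print(summary["tenant"], summary["flow"], summary["scopes"])
        for f in findings:
            print("  -", f)
```

Run it and the application's request from the page comes back as a plain authorization code flow against a single tenant with only the informational PKCE note, the portal-style request as a hybrid flow (code plus id_token, hence the mandatory nonce), and the malformed request with five findings, the unregistered redirect_uri among them. The redirect_uri comparison is deliberately an exact string match against the registered set, which is also what Azure AD enforces at its end.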

In this case, you need to configure everything in the Azure Portal: you must register your application and grant it access so that it can use and integrate with Azure AD.

When you click on your username, or after you enter it, the URL carries different information.

https://login.microsoftonline.com/2008ffa9-c9b2-4d97-9ad9-4ace25386be7/reprocess?ctx=rQIIAa2Qv4vTYByH815653kolhvEseBNnvn1Js2PgkiuBQXb5pSGXm9Q3rz5pomX5M0lb6vt4qqbuIiObp6DIAjioq6Hw41yrg4iKIKLo9W_weWZPjx8eC6IWFZbG0S1w4CokRSGJkgGNjQpIE2QNEe3qNkEcFRarq_V8fd7zx-JXzqvH9c_bn04fnGAujHnRdVSFDLhscQpGzMpGDNOZTKflHAHgirhUMk58H8TpQSSZpUyaCtByfagVDhVIA8LluT8DUJHCH1F6GDpLAn9Tua2961ix9ydXh-P1Lth7B4vnfHchQb_BSuTOTwV3aZfZFem-u5Vbo-Smd6rBjhODT-ezp1hf1iZ7bK6pnFzG09Hsp9q_qw7z7txT6ZpAjlfnH4lbmBVtaOIOBJ1AiwZoWNJDgkdySAUcFO3zQCsQ_E8KyBPwgZkJEkbRcmiJIUGi6I0yeEWoRSq6pOIjmroW-2UKrZWV9fqwjmhIfyuoWfLi4DrPz6_27l80X1yk70cPfglHC4rBjUyrO8pE29AJn2wPer1g3JzZmx5PXN8I-8MLW_z9v62W_QuOS3t4Qr6uYLunxDenvyv7d-fFv4A0&sessionid=aa4532d2-e7cb-4520-82df-117148d41476

Once the authentication is done and everything is verified, the redirect is performed and you are authenticated in the application.

API Example

The same workflow applies when your API has this Azure AD integration.

This is an example, and the code can be found here.

Configuration with Azure

For this API, you can find the documentation on how to do the configuration with Azure here.
