// Authorization Code Flow for web applications using MSAL.NET confidential client to sign in users and access APIs on their behalf
Client Credentials Flow for service-to-service (daemon) authentication in MSAL.NET without user involvement
On-Behalf-Of (OBO) Flow for web APIs to call downstream APIs while preserving user identity in MSAL.NET
| name | msal-auth-code-flow |
| description | Authorization Code Flow for web applications using MSAL.NET confidential client to sign in users and access APIs on their behalf |
| tags | ["msal","auth-code","authorization-code","web-app","confidential-client","user-sign-in","redirect","consent"] |
Authorization Code Flow is used by web applications to authenticate users and obtain access tokens on their behalf.
Agent can show code snippets for each credential type:
Reference appropriate credential setup:
// In controller's callback method
[HttpGet("auth/callback")]
public async Task HandleCallback(string code, string state)
{
// See: with-certificate.cs for credential setup
var app = ConfidentialClientApplicationBuilder
.Create(clientId)
.WithCertificate(cert)
.WithAuthority($"https://login.microsoftonline.com/{tenantId}/v2.0")
.WithRedirectUri("https://myapp.com/auth/callback")
.Build();
var result = await app.AcquireTokenByAuthorizationCode(
new[] { "scope-uri" },
code)
.ExecuteAsync();
// Result contains AccessToken, RefreshToken, ExpiresOn
}
Refer to Troubleshooting Guide
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id=...&redirect_uri=...Choose Auth Code Flow if:
Avoid if: