# Authorization Code Authentication

Authenticates using OAuth 2.0 authorization code flow, commonly used in web applications where users authorize the application to access Azure resources.

## Capabilities

### Authorization Code Credential

Exchanges an authorization code for access tokens using OAuth 2.0 authorization code flow.

```java { .api }
/**
 * Authorization code credential for OAuth 2.0 authorization code flow
 */
class AuthorizationCodeCredential implements TokenCredential {
    Mono<AccessToken> getToken(TokenRequestContext request);
    // Note: Does not support synchronous getTokenSync method
}

class AuthorizationCodeCredentialBuilder extends AadCredentialBuilderBase<AuthorizationCodeCredentialBuilder> {
    AuthorizationCodeCredentialBuilder authorizationCode(String authCode);
    AuthorizationCodeCredentialBuilder redirectUrl(String redirectUrl);
    AuthorizationCodeCredentialBuilder clientSecret(String clientSecret);
    AuthorizationCodeCredential build();
}
```

**Usage Examples:**

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.AuthorizationCodeCredential;
import com.azure.identity.AuthorizationCodeCredentialBuilder;
// Microsoft Graph Java SDK v5 types used in the last snippet
import com.microsoft.graph.authentication.TokenCredentialAuthProvider;
import com.microsoft.graph.requests.GraphServiceClient;

// For confidential client applications (with client secret)
TokenCredential credential = new AuthorizationCodeCredentialBuilder()
    .clientId("your-client-id")
    .tenantId("your-tenant-id")
    .authorizationCode("authorization-code-from-redirect")
    .redirectUrl("https://yourapp.com/auth/callback")
    .clientSecret("your-client-secret")
    .build();

// For public client applications (without client secret)
TokenCredential publicCredential = new AuthorizationCodeCredentialBuilder()
    .clientId("your-public-client-id")
    .tenantId("your-tenant-id")
    .authorizationCode("authorization-code-from-redirect")
    .redirectUrl("https://yourapp.com/auth/callback")
    .build();

// Use with Azure SDK clients
GraphServiceClient graphClient = GraphServiceClient.builder()
    .authenticationProvider(new TokenCredentialAuthProvider(credential))
    .buildClient();
```

**Authorization Flow Steps:**

1. **Authorization Request**: Direct user to authorization endpoint
   ```
   https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize
     ?client_id={client-id}
     &response_type=code
     &redirect_uri={redirect-uri}
     &scope={scopes}
     &state={state}
   ```

2. **Authorization Code Receipt**: Handle redirect with authorization code
   ```java
   String authCode = request.getParameter("code");
   ```

3. **Token Exchange**: Use authorization code to create credential
   ```java
   TokenCredential credential = new AuthorizationCodeCredentialBuilder()
       .authorizationCode(authCode)
       // ... other configuration
       .build();
   ```

## Configuration Options

```java
// With additional tenant support
TokenCredential credential = new AuthorizationCodeCredentialBuilder()
    .clientId("your-client-id")
    .tenantId("your-tenant-id")
    .authorizationCode("auth-code")
    .redirectUrl("https://yourapp.com/callback")
    .clientSecret("client-secret")
    .additionallyAllowedTenants("tenant1", "tenant2")
    .build();
```

## Security Considerations

- **Authorization codes are single-use**: Each code can only be exchanged once
- **Short-lived**: Authorization codes typically expire within 10 minutes
- **PKCE recommended**: Use Proof Key for Code Exchange for public clients
- **State parameter**: Always validate state parameter to prevent CSRF attacks

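
An added example, not part of the original page or of the Azure SDK: generating the `state` value for the step 1 request and checking it on the callback before the code is passed to `authorizationCode(...)`. The session map, the `oauth_state` key, the `User.Read` scope and the helper names are assumptions made for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class StateCheckExample {
    // 32 random bytes, URL-safe: unguessable and tied to one login attempt.
    static String newState() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    static String enc(String v) { return URLEncoder.encode(v, StandardCharsets.UTF_8); }

    // Step 1 URL from the page, with every parameter value percent-encoded.
    static String authorizeUrl(String tenant, String clientId, String redirectUri,
                               String scopes, String state) {
        return "https://login.microsoftonline.com/" + enc(tenant) + "/oauth2/v2.0/authorize"
            + "?client_id=" + enc(clientId) + "&response_type=code"
            + "&redirect_uri=" + enc(redirectUri)
            + "&scope=" + enc(scopes) + "&state=" + enc(state);
    }

    // Step 2 gate: hands back the code only if the returned state equals the one stored
    // for this session. The stored value is removed first, so each state is single-use.
    static String codeIfStateValid(Map<String, String> session, String returnedState, String code) {
        String expected = session.remove("oauth_state");
        if (expected == null || returnedState == null || code == null) return null;
        boolean same = MessageDigest.isEqual(              // constant-time comparison
            expected.getBytes(StandardCharsets.UTF_8),
            returnedState.getBytes(StandardCharsets.UTF_8));
        return same ? code : null;
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>();     // stand-in for the HTTP session
        String state = newState();
        session.put("oauth_state", state);
        System.out.println(authorizeUrl("your-tenant-id", "your-client-id",
            "https://yourapp.com/auth/callback", "User.Read", state));
        // Constructed callback values: a forged state, the genuine one, then a replay.
        System.out.println(codeIfStateValid(new HashMap<>(session), "forged", "code-123"));
        System.out.println(codeIfStateValid(session, state, "code-123"));
        System.out.println(codeIfStateValid(session, state, "code-123"));
    }
}
```

Only a non-null return from `codeIfStateValid` should reach the credential builder; a null result means the callback is rejected without attempting the token exchange.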
## Exception Handling

Throws `CredentialUnavailableException` when:

- Authorization code is invalid or expired
- Redirect URL doesn't match registered URL
- Client authentication fails
- Required parameters are missing