Exam AZ-204 topic 11 question 2 discussion

https://www.examtopics.com/discussions/microsoft/view/25371-exam-az-204-topic-8-question-2-discussion/ oauth2AllowImplicitFlow = true, oauth2AllowIdTokenImplicitFlow = true

Box 1: "oauth2AllowIdTokenImplicitFlow":true This value indicates whether the web app can request ID tokens of the implicit OAuth 2.0 flow. The default setting is "false". Box 2: "oauth2AllowImplicitFlow":true This value indicates whether the web app can request OAuth 2.0 implicit flow access tokens. The default setting is "false". Reference: https://docs.microsoft.com/de-de/azure/active-directory/develop/reference-app-manifest https://docs.microsoft.com/de-de/azure/active-directory/develop/reference-app-manifest#oauth2allowidtokenimplicitflow-attribute https://docs.microsoft.com/de-de/azure/active-directory/develop/reference-app-manifest#oauth2allowimplicitflow-attribute

Not sure if this question is relevant anymore or has been updated in exams. Today even for SPAs usage of implicit flow is discouraged because of security concerns. Replaced by authorization code flow + PKCE.

We need to enable Implicit flow because it is a public client app and is not safe to store secrets on it. and we need to allow idTokenImplicitFlow because we need user role information to only allow users of certain role.

Agree with Implicit Flow we are allowing implicit flow on the analysis service and we are alowing the issuance of user information to the client app. is it a good practice, no. but the alternatives don't resolve the problem

People, I don't understand how everyone here can be wrong. Implicit flow is not for SPA. Implicit flow is a less secure oauth2 for SPA apps which have no custom server-side! (i.e. they have no server, or only use SaaS like Google APIs) In the study it is clearly stated that we have our own backend here: The "ContentAnalysisService is deployed with Azure Container Instances" and here "website portion of the ContentAnalysisService" So why would we want to use the less secure implicit flow??? So I'd go with the only options which are not about implicit flow: oauth2Permissions knownClientApplications Anyway, see the docs: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-implicit-grant-flow --> We strongly recommend that all new applications use the authorization code flow that now supports single-page apps in place of the implicit flow But yeah, I'm open for discussion with anyone who can counter my arguments.

"oauth2AllowIdTokenImplicitFlow": true. This option is crucial for Single Page Applications (SPAs). The OAuth 2.0 implicit flow allows SPAs to directly receive an ID token (which represents the authenticated user) from the Azure Active Directory (Azure AD) authorization endpoint. This flow is suitable for applications that cannot securely store a client secret due to their nature (running in a web browser), enabling them to perform authentication with Azure AD and receive tokens needed for calling backend services. oauth2AllowImplicitFlow": true. This option enables the implicit grant flow, which is an OAuth 2.0 flow optimized for clients that run in a browser. It's particularly relevant for SPAs because it allows them to obtain access tokens directly from the Azure AD authorization endpoint without the need for a backend component to perform an authorization code exchange. This flow is essential for apps that need to authenticate users and then call web APIs on behalf of those users without handling client secrets.

Since it is a browser app (React), Implicit Grant Flow, should be enabled: oauth2AllowImplicitFlow = true, oauth2AllowIdTokenImplicitFlow = true "To review content, the user must authenticate to the website portion of the ContentAnalysisService using their Azure AD credentials. The website is built using React and all pages and API endpoints require authentication. In order to review content a user must be part of a ContentReviewer role. All completed reviews must include the "reviewer's email address for auditing purposes. This is a web app so we need oauth2AllowImplicitFlow. We need to have information about the user (reviewer email), so we need to have Id Token thus oauth2AllowIdTokenImplicitFlow must be set to true

I think the answer should be Oauth2permission login for first box as API to be exposed and email credentials to be saved for auditing purpose.

"allowPublicClient": true > Not required as infered from replyUrlsWithType "oauth2Permissions": ["login"] > only for resource server exposing an API "oauth2AllowUrlPathMatching: true > Couldn't find in the docu "oauth2AllowIdTokenImplicitFlow": true > Correct one to choose! "oauth2AllowImplicitFlow": true > Correct one to choose! "oauth2RequiredPostResponse": true > Not relevant "preAuthorizedApplications": ["SPA"] > Not relevant "knownClientApplications": ["ContentAnalysisService"] > Not relevant https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest?WT.mc_id=Portal-Microsoft_AAD_RegisteredApps#manifest-reference

Zidimirite is correct: oauth2AllowImplicitFlow & oauth2AllowIdTokenImplicitFlow See here: https://docs.microsoft.com/de-de/azure/active-directory/develop/reference-app-manifest

"oauth2AllowIdTokenImplicitFlow":true "oauth2AllowImplicitFlow":true

I think the first answer should be allowPublicClient: true because this is SPA application and be default is is set to false. implicit flow does not make sense with confidential clients, it would be client credentials flow.