Acquiring tokens with authorization codes
The Authorization Code flow is suitable when the application requires the user's interaction with the Azure AD STS during authentication. One such case is when users log in to web applications (web sites) using OpenID Connect. The web application receives an authorization code which it can redeem to acquire a token for Web APIs.
Requests for the authorization codes are delegated to the developer. To understand how to request an authorization code, see Authorization code flow.
Upon receiving an authorization code, the acquire_token_with_authorization_code method can be called to request a token. To see how to integrate the Authorization Code flow into a web application, see this Python web application sample.
The acquire_token_with_authorization_code method can be used for both confidential and public clients. The sample mentioned above acquires a token for a confidential client. For a public client, you would not need a client secret because client secrets cannot be reliably stored on devices.
To mitigate the authorization code interception attack for public clients, we have also provided support for Proof Key for Code Exchange (PKCE). Using this feature is optional. With PKCE, the app uses a random key called code_verifier and derives a transformed value of it called code_challenge. When requesting an authorization code, the code_challenge and the code_challenge_method that was used to transform the code_verifier are sent to the authorization server. The authorization code obtained is then sent to the token endpoint along with the code_verifier, which is used to verify the identity of the entity asking for the access token. Details on how to implement the transformation method for getting the code_challenge are described in this PKCE specification document. ADAL Python provides support for passing the code_verifier in the token request if you have used PKCE for the authorization code grant request.