For OIDC and OAuth, the platform for your application alters the basic requirements. If you are using OIDC/OAuth with delegated permissions, you *must* have a Redirect URI--this is the only way a user can get to the code your application identity is using. If you are using OIDC/OAuth with application permissions, the Redirect URI may not be necessary because no human needs to interact with your application identity.
For Web and single-page applications (SPA) you'll need:
- Redirect URI: Sometimes also called the Reply URI (as it serves the same purpose as the SAML property by that name). This is the URL for your application, i.e. where a user is redirected after successfully obtaining an Entra ID token. You supply this value on the Entra ID service principal.
For iOS/macOS, you will need:
- Bundle ID: Your app's Bundle ID can be found in Xcode in the Info.plist or `Build Settings`.
For Android, you will need:
- Package Name: Your app's Package Name can be found in the Android Manifest.
- Signature Hash: The Signature Hash can be generated via command line.
For mobile and native clients, you will need:
- Redirect URI: The redirect URI needs to match one of the following options:
In all cases, the Entra ID service principal will need:
- What type of tokens can be issued:
  - Access tokens (needed for OAuth)
  - ID tokens (needed for OIDC)
- Supported account types:
  - Single tenant (UW Entra ID users only)
  - Multitenant (any Entra ID user)
- Allow public client flows: This is needed for most mobile and native client scenarios and may be needed in other scenarios.
In all cases, the software configuration will need:
- Application identifier (AppId): This is a globally unique identifier, provided by Entra ID on the service principal object that is created.
- Token endpoints: Configured to use these 2 endpoints with the appropriate value of {tenant}:
- `response_type`: Must include `id_token` for OpenID Connect sign-in. It might also include other `response_type` values, such as `code`.
- `scope`: At a minimum, you'll need to include `openid`. If additional OAuth scopes are needed, they will also need to be listed.
- `nonce`: The OpenID/OAuth software usually deals with this, but details are included here for completeness. The value is typically a randomized, unique string that can be used to tie the returned ID token to the original request and mitigate token replay attacks.
See https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-the-sign-in-request for more details on what the OIDC software must send.
Note: OAuth2 supports a variety of access flows. Additional information may be required or recommended for those flows.
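The following is an added example, not code from this guide or from Microsoft, that assembles the sign-in request described above (`response_type` including `id_token`, `scope` starting with `openid`, a random `nonce`) and then checks the `nonce` claim of the returned ID token against the stored value. It assumes the Entra ID v2.0 authorize endpoint URL, which this page does not spell out, and uses an all-zeros AppId as a placeholder; the `constructed_id_token` helper only fabricates unsigned test input.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: Entra ID v2.0 authorize endpoint (the page leaves its endpoint list blank).
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def build_signin_request(tenant, app_id, redirect_uri, extra_scopes=()):
    """Build the OIDC sign-in URL. Returns (url, nonce); the caller must keep the
    nonce in the user's session so the returned ID token can be checked against it."""
    nonce = secrets.token_urlsafe(32)  # random and unique per sign-in request
    params = {
        "client_id": app_id,                 # AppId from the service principal
        "response_type": "id_token code",    # id_token is required for OIDC sign-in
        "redirect_uri": redirect_uri,        # must match the registered Redirect URI
        "scope": " ".join(["openid", *extra_scopes]),  # openid is the minimum
        "nonce": nonce,
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params), nonce


def request_params(url):
    """Parse a sign-in URL back into its query parameters (for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def nonce_matches(id_token, expected_nonce):
    """Replay check on the returned ID token: its nonce claim must equal the one
    stored for this sign-in. This reads the payload only; signature verification
    against the tenant's signing keys is a separate, mandatory step."""
    try:
        claims = json.loads(_b64url_decode(id_token.split(".")[1]))
    except (IndexError, ValueError):
        return False
    got = str(claims.get("nonce", "")).encode()
    return secrets.compare_digest(got, expected_nonce.encode())


def constructed_id_token(claims):
    """Fabricate an UNSIGNED header.payload.signature string purely as constructed
    test input; a real ID token from Entra ID is signed and must be verified."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```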