Azure App Service EasyAuth and Azure Active Directory Flows
Published Jan 09 2020 12:19 PM

The built-in authentication feature of App Service, also known as EasyAuth, implements the following Azure Active Directory flows:

  • Implicit Flow
  • Hybrid Flow

The EasyAuth module of App Service uses Implicit Flow when the Client Secret isn't set at the App Service level. Note that App Service returns only an ID token when it uses this type of flow.




In order to get an access_token, the client secret must be set; the EasyAuth module then uses "Hybrid Flow".

When EasyAuth is set up using the Express method, the client secret is created automatically.

The following steps can be performed to generate a new client secret:

  1. Navigate to Azure Active Directory.
  2. Select the App Registrations blade and click on your app registration.
  3. Select the 'Certificates & Secrets' blade and click on 'New Client Secret'.
    Enter a name for the client secret and click the Add button.
    The name for the client secret or key is a placeholder to identify the client secrets.
  4. Once the client secret is generated, copy the value of the key.
    (Please note that the value of the key is displayed only once, i.e. the value becomes hidden once the page is refreshed.)
  5. Paste the value of this key into the client secret section of the App Service.



Once we save the settings and browse to the /.auth/me endpoint of the App Service, we get the tokens.


(Note: Changes will be reflected only if the user logs in to App Service again. We can use the /.auth/login/aad endpoint to reauthenticate the user.)

Notice that the access token is not in the form of a JWT token. This is because the Hybrid flow configuration did not include a resource. 

The value of the access token is actually an "authentication code". When the resource is set, the EasyAuth module exchanges this "authentication code" at the /token endpoint of Azure Active Directory to get an access token.


In order to directly get an access token, we need to set the resource using the Azure Resource Explorer.

  1. Navigate to the Resource Explorer from the App Service.
  2. Navigate to config > authsettings and click on Edit.
  3. Update the additionalLoginParams to ["resource=<Name/ID of the resource>"] and click on PUT.

Upon browsing to the App Service, after making the above change, we see that the value for the access token is in the form of a JWT token.


We could use to decode the access token and view the claims.
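To compare the two /.auth/me results described above, the following added example (not code from the original post) reports whether each returned access token is JWT-shaped and, if so, which audience it was issued for. The two response bodies and the resource URL are constructed samples; only the `provider_name` and `access_token` fields of the /.auth/me response are used.

```python
import base64
import json

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token):
    """Return the payload claims if token is shaped like a JWT, else None.

    The signature is NOT verified: use this for inspection only, never to
    make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None  # e.g. the opaque code returned when no resource is set
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    return claims

def inspect_auth_me(body):
    """Summarise each entry of a /.auth/me JSON response body."""
    report = []
    for entry in json.loads(body):
        claims = decode_jwt_claims(entry.get("access_token", ""))
        report.append({
            "provider": entry.get("provider_name"),
            "access_token_is_jwt": claims is not None,
            "aud": claims.get("aud") if claims else None,
        })
    return report

def _make_sample_jwt(claims):
    # Builds a constructed token with a dummy signature; not a real AAD token.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}), enc(claims), "c2ln"])

# Constructed samples: before (no resource set) and after (resource set).
BEFORE = json.dumps([{"provider_name": "aad", "access_token": "AQAB-constructed-opaque-value"}])
AFTER = json.dumps([{"provider_name": "aad", "access_token": _make_sample_jwt(
    {"aud": "https://example-resource.invalid", "scp": "user_impersonation"})}])

if __name__ == "__main__":
    print(inspect_auth_me(BEFORE))
    print(inspect_auth_me(AFTER))
```

If `aud` does not match the resource set in additionalLoginParams, the token was issued for a different audience than the API being called.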




  1. I set up EasyAuth using the 'Express' method. The Azure AD app registration got created automatically.
    When I try to access the resource using the access token, I get an HTTP 403 error.
    Also, from the /.auth/me endpoint, I see that the value of the access token is not in the form of a JWT token.
    When EasyAuth is set up using the Express method, the default flow used is the 'Hybrid' flow and the client secret is created automatically.
    Since the Hybrid flow configuration did not include a resource, an authentication code is returned after authentication. This needs to be exchanged at the /token endpoint of Azure Active Directory to get an access token.
    The EasyAuth module does this automatically when the resource is set from Azure Resource Explorer, and provides an access token directly.
  2. Can ID tokens be used as Bearer tokens to log in to the App Service?
    ID tokens contain information which tells whether a user is authenticated. Hence they can be used as Bearer tokens to log in to the App Service.
Last update: Aug 24 2020 12:39 PM