This means that applications can now acquire and present an access token that includes the User’s Identity along with the Application identity when making calls to the Graph API. This enables the Graph API to make an access check, and only permit requests for which the combination of Application + User are authorized. Previously, only the OAuth Client Credentials Grant flow was available for accessing the Graph API, which limited authentication and authorization to the context of the Application, with no User context. If the application needed to make an authorization decision based upon the Users’ Role membership, then the developers had the extra work to incorporate that logic into their application.
To demonstrate this new capability, we leverage the developer preview components for setting up the application permissions and have provided a new PHP sample application that calls the Graph API and authenticates using the Authorization Code Grant flow. We decided upon PHP because it can be implemented on many platforms and we understand that many of your need to be able to delivery applications on non-Microsoft platforms. We also show the HTTP requests and responses for executing the authentication flow, which helps the developer to understand the flow, and select their own implementation.