This example application launches a local web server and requests an access token and a refresh token from Microsoft Entra ID (formerly known as Azure Active Directory). The tokens are then shown in a web page, together with a button that requests a new access token.
Full example code is included.
Location: https://github.com/michaelJustin/daraja-framework/tree/master/demo/16_entra_refresh_token
Note: the example code contains the configuration for an existing Microsoft Entra App registration. You may configure it to use a different App registration by modifying the constants in unit MainUnit.
Security considerations
- The example code uses response_mode=form_post to receive the access token. Unlike with response_mode=fragment (or query), the browser does not receive the access_token parameter in the redirect request URI. Therefore, the access_token is not accessible within the browser’s memory. (“Implicit Flow with Form Post”)
- The example code uses PKCE, which stands for “Proof Key for Code Exchange”, an extension of the OAuth 2.0 protocol that helps prevent code interception attacks.

Daraja HTTP Server Framework is an open source library for Object Pascal, based on the stand-alone HTTP server component contained in Internet Direct (Indy).