A development team builds a background service that needs to read all users' calendars via Microsoft Graph without a signed-in user. The service will run on a server with a client secret. Which OAuth 2.0 grant flow should the application use?
- A. Authorization code grant
  Why wrong: This flow requires a signed-in user to delegate consent, so it is not suitable for a background service.
- B. Device authorization grant
  Why wrong: This flow is designed for devices with no browser, but it still requires a user to sign in on another device.
- C. Client credentials grant (correct)
  This flow authenticates the application itself with its own credentials (here, the client secret) and is the standard choice for daemon services that run without user interaction.
- D. Implicit grant
  Why wrong: The implicit grant is for single-page applications (SPAs) and cannot use secrets securely in a background service.