What is the Resource parameter in Windows Azure AD tenant application oAuth 2.0 specification
I'm trying to invoke an authentication process with a windows Azure AD tenant application using oAuth 2.0 by using curl. But I couldn't figure out what is the parameter "resource' in below sample code:
curl -X POST https://login.windows.net/<<YOUR--AD-TENANT-ID>>/oauth2/token \
-F redirect_uri=http://google.com \
-F grant_type=authorization_code \
**-F resource=https://management.core.windows.net/ \**
-F client_id=87a544fd-... \
-F code=AwABAAAAvPM1...8sSAA
Answer
Resource parameter depicts the identifier of the WebAPI that your client wants to access on behalf of the user. Most flows in OAuth involve 4 parties, the resource owner (aka user), the client (aka app), the authority (aka identity provider) and the resource (aka webapi). The audience of the access token that the authority generates is the resource identifier.
In the case of Azure AD you can either use the Client ID or the App ID URI of the resource WebAPI (Find them in the configure tab of the Azure AD application in the Azure Management portal). For instance, if I want my client to get a token to access the Azure AD Graph API on behalf of the user, I would request for a token for resource "https://graph.windows.net". In your example, the resource parameter value identifies the Azure Service Management APIs.
Here are some code samples of Client Apps using Azure AD SDKs to request for tokens to WebAPIs - different usages of the resource parameter:
- Mobile apps calling WebAPI: http://msdn.microsoft.com/en-us/library/azure/dn646737.aspx#BKMK_Native
- Web apps calling WebAPI: http://msdn.microsoft.com/en-us/library/azure/dn646737.aspx#BKMK_AppToAPI
- Clients calling Graph API: http://msdn.microsoft.com/en-us/library/azure/dn646737.aspx#BKMK_Graph
Hope this helps.