cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
81
Views
0
Helpful
0
Replies
Stephen.rich
Beginner

CSCvv50421 - Hybrid Integration with CUC SIB Ouath2.0 ROPC usage

For what it's worth, this is a very, very, very longstanding limitation of the ROPC flow with the Microsoft Identity Platform. ROPC is an incredibly poor choice for this purpose. A much better approach would be the client credentials grant which can still be used with the existing codebase for interacting with the Exchange Online API.

The ROPC flow defeats one of primary purposes of OAuth2.0 which is authorizing an app to access your data without giving it the username and password. You're basically doing basic auth to get an OAuth2.0 token.

 

Solid references on why you shouldn't use ROPC

https://auth0.com/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

https://www.scottbrady91.com/oauth/why-the-resource-owner-password-credentials-grant-type-is-not-authentication-nor-suitable-for-modern-applications

 

 

0 REPLIES 0