I'm having trouble understanding how to provide Authorization Access to my internal clients who are programmatically calling my REST API. The current implementation is pretty much just Basic Authentication where the client script enters its Service Account + Password, which we then check against LDAP for authentication and then use AD global groups for authorization.
We are currently in the process of migrating our front end application to Azure AD utilizing Single Sign On. I was hoping to also use Azure AD to replace our current implementation of auth/authorization for the APIs but I can't wrap my head around how it would work.
Every implementation I've read so far for Azure AD OAuth2 basically is some variant of the user being redirected to a page to sign on. In my mind that wouldn't work for someone writing a python script to programmatically hit the APIs.
My understanding is that there exists a Resource Owner Password Flow which sounds closest to my use case, but apparently it's very much not recommended (and I'm pretty sure not even allowed in my company). I've been told to look into Authorization Code with PKCE but I can't wrap my head around how it would work in my use case.
I think what you're looking for is the client credentials flow, which is pretty similar to ROPF, meaning your clients will have a password (Client Secret) for authentication. https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow
The initial permission grant can be done in the Azure portal by an Admin once for your App Registration; afterwards the app can authenticate with ClientId & Client Secret without further manual interaction required.
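As an added example (not code from the thread), here is what the answer's client credentials flow looks like from both ends: the script's token request to the Entra ID token endpoint, and the check the API does on the `roles` claim of the returned token in place of AD group lookups. The tenant id, client id, secret and `api://...` scope are constructed placeholders, and the unsigned token helper exists only for offline testing of the claim parsing.

```python
# Added example, not from the thread: client-credentials token request plus
# the API-side role check. Ids, secret and the "api://..." URI are placeholders;
# unsigned_token() builds a hand-made, unsigned JWT for offline tests only.
import base64
import json
import urllib.parse
import urllib.request

def build_token_request(tenant_id, client_id, client_secret, api_app_id_uri):
    """(url, form body) for the v2.0 client credentials grant. Scope must be
    '<resource>/.default' so the token carries the admin-consented app roles."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{api_app_id_uri}/.default",
        "grant_type": "client_credentials",
    }
    return url, urllib.parse.urlencode(body).encode()

def request_token(tenant_id, client_id, client_secret, api_app_id_uri):
    """POST the request and return the access_token string (network call)."""
    url, body = build_token_request(tenant_id, client_id, client_secret, api_app_id_uri)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def unsigned_token(claims):
    """header.payload. with an empty signature: for offline tests of the
    claim parsing only; a real API must never accept such a token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def granted_roles(access_token, expected_audience):
    """App roles in the token, or [] if it was not issued for this API.
    Only the payload is parsed here: the API must also verify the JWT
    signature against the tenant's JWKS before trusting any claim."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    if payload.get("aud") != expected_audience:
        return []
    # No user in a client-credentials token: authorization comes from 'roles'
    # (app permissions assigned to the client's App Registration), not AD groups.
    return payload.get("roles", [])

def is_authorized(access_token, expected_audience, required_role):
    return required_role in granted_roles(access_token, expected_audience)
```

The `roles` values are the app roles you define on the API's App Registration and assign to each calling client, which is where the old AD global group mapping moves to.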