Microsoft Azure Architect Design (AZ-301) Practice Exam

Prepare for the Microsoft Azure Architect Design (AZ-301) Exam with interactive quizzes featuring flashcards and multiple-choice questions, each packed with hints and explanations to ace your certification test!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


Which grant type is suitable for authentication in a headless device scenario?

  1. Resource owner password.

  2. Client credentials.

  3. Authorization code.

  4. Implicit.

The correct answer is: Authorization code.

In a headless device scenario, the most suitable grant type for authentication is the authorization code grant. This is because the authorization code flow is designed to securely authenticate users and obtain access tokens through a redirect mechanism, making it more appropriate for scenarios where user interaction is minimal or non-existent.

In a headless device, you can leverage the authorization code grant by implementing device authorization, which allows the device to obtain user authorization without requiring the user to directly enter their credentials on the device itself. Instead, the device prompts the user to log in on another device (such as a mobile phone or computer) through a URL provided by the application. Once the user has authenticated and authorized access, the authorization code is sent back to the headless device to request an access token.

This flow emphasizes security, as it avoids the necessity for transmitting user credentials directly. It separates the concerns of user authentication and client access, thereby enhancing the overall security posture of applications that employ headless devices.

While the resource owner password grant allows for the exchange of username and password directly for tokens, this method is less secure and not recommended for headless scenarios. The client credentials grant is typically used for machine-to-machine authentication, where user intervention is not applicable, and the implicit grant is