https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
Federated identity
Configuration is done using a configuration file or Azure Resource Manager; no code changes are required.
Authentication flow
The authentication flow is the same for all providers, but differs depending on whether you want to sign in with the provider’s SDK:
- Without provider SDK: The application delegates federated sign-in to App Service. This is typically the case with browser apps, which can present the provider’s login page to the user. The server code manages the sign-in process, so it is also called server-directed flow or server flow. This case applies to browser apps. It also applies to native apps that sign users in using the Mobile Apps client SDK because the SDK opens a web view to sign users in with App Service authentication.
- With provider SDK: The application signs users in to the provider manually and then submits the authentication token to App Service for validation. This is typically the case with browser-less apps, which can’t present the provider’s sign-in page to the user. The application code manages the sign-in process, so it is also called client-directed flow or client flow. This case applies to REST APIs, Azure Functions, and JavaScript browser clients, as well as browser apps that need more flexibility in the sign-in process. It also applies to native mobile apps that sign users in using the provider’s SDK.
For unauthenticated requests, custom code needs to be added using the SDK.
Header token: X-ZUMO-AUTH
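The client-directed flow above, sketched as an added example (not code from the original page or from Microsoft): the app posts the provider token to App Service, receives a session token, and presents it in the X-ZUMO-AUTH header. The /.auth/login/<provider> path and the JSON field names follow the App Service documentation linked at the top; the app URL and token values are constructed, and the function names are hypothetical.

```javascript
// Token fields App Service expects in the POST body, per provider
// (subset; taken from the linked documentation, not from this page).
const REQUIRED_FIELDS = {
  aad: ['access_token'],
  google: ['id_token'],
  facebook: ['access_token'],
};

// Step 1: build the POST that hands the provider token to App Service.
function buildLoginRequest(appUrl, provider, tokens) {
  const base = new URL(appUrl);
  if (base.protocol !== 'https:') throw new Error('provider tokens must only travel over HTTPS');
  const required = REQUIRED_FIELDS[provider];
  if (!required) throw new Error(`unsupported provider: ${provider}`);
  for (const field of required) {
    if (typeof tokens[field] !== 'string' || tokens[field] === '') {
      throw new Error(`missing ${field} for ${provider}`);
    }
  }
  return {
    url: new URL(`/.auth/login/${provider}`, base).href,
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(tokens),
  };
}

// Step 2: extract the App Service session token from the login response.
function parseLoginResponse(status, bodyText) {
  if (status !== 200) throw new Error(`token rejected by App Service (HTTP ${status})`);
  const body = JSON.parse(bodyText);
  if (typeof body.authenticationToken !== 'string' || body.authenticationToken === '') {
    throw new Error('no authenticationToken in response');
  }
  return { sessionToken: body.authenticationToken, userId: body.user && body.user.userId };
}

// Step 3: attach the session token to later calls, but only to the app's
// own origin so the token is never disclosed to another host.
function authHeadersFor(appUrl, requestUrl, sessionToken) {
  if (new URL(requestUrl).origin !== new URL(appUrl).origin) {
    throw new Error('refusing to send X-ZUMO-AUTH to another origin');
  }
  return { 'X-ZUMO-AUTH': sessionToken };
}
```

The three return values map directly onto `fetch(req.url, req)`, `parseLoginResponse(res.status, await res.text())`, and the `headers` option of subsequent requests.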