The OAuth Token Flow


  1. Using a client browser or app the user navigates to an application protected by Azure AD Authentication.
  2. The App redirects them to Azure AD to complete authentication.
  3. The user supplies their credential and/or multi-factor authentication.
  4. Azure AD issues tokens and they are stored within the client.
  5. The browser or application presents these tokens to access the application.


~ At some point the user’s device has been compromised.

  1. The attacker readers and copies the issued tokens.
  2. The attacker replays these tokens to access the resource as the user.

Note that Pass-the-cookie attacks can occur against any online authentication broker and are not limited to Azure AD.