OAuth 2.0 + PKCE Explained — The Mental Model You Need Before Working With Microsoft Entra ID
Reddit r/AZURE·u/PreferenceNo9502·about 1 month ago
#entra#oauth#pkce#microsoft#azure#photo
If you've configured app registrations in Microsoft Entra ID (formerly Azure AD) and felt lost in the redirect URIs, client secrets, and token endpoints — this video is for you. Entra ID is built entirely on OAuth 2.0 + PKCE, but Microsoft's docs go deep into configuration without explaining the underlying flow. Understanding the spec makes everything click.

The video covers:

- The full Authorization Code Flow — step by step with visuals
- Why PKCE matters for public clients like SPAs and mobile apps (no client secret)
- How code_verifier and code_challenge (SHA-256) work in the token exchange
- How Bearer tokens / access tokens are issued and what your Azure-backed API validates
- Confidential vs public clients — directly maps to Entra ID app registration settings

Essential context before setting up MSAL.js, configuring API permissions, or debugging why your Entra ID token exchange is failing.…
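The code_verifier / code_challenge mechanics the post lists are small enough to show end to end. The following is an added example (mine, not code from the post, the video, MSAL or Entra ID) of the PKCE S256 computation from RFC 7636 on the client side, together with a minimal stand-in authorization server that binds the issued code to the challenge and rejects a token request whose verifier does not hash to it. `AuthorizationServer`, `run_pkce_flow` and the token value it returns are illustrative names and placeholders, not Entra ID behaviour; the one real reference point is the RFC 7636 Appendix B test vector checked in the usage at the bottom.

```python
import base64
import hashlib
import hmac
import secrets

# Added illustration of PKCE (RFC 7636), S256 method: this is what a public
# client such as an MSAL.js SPA does before calling the authorize endpoint,
# and what the authorization server checks at the token endpoint.


def b64url_no_pad(data: bytes) -> str:
    """Base64url-encode without trailing '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy random string of 43..128 unreserved chars.

    32 random bytes base64url-encode to exactly 43 characters, the RFC minimum.
    """
    verifier = b64url_no_pad(secrets.token_bytes(n_bytes))
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier length out of RFC 7636 range")
    return verifier


def make_code_challenge(code_verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url_no_pad(digest)


class AuthorizationServer:
    """Hypothetical stand-in for the two endpoints involved; not Entra ID code."""

    def __init__(self) -> None:
        # authorization code -> code_challenge it was issued against
        self._pending: dict[str, str] = {}

    def authorize(self, code_challenge: str, code_challenge_method: str = "S256") -> str:
        """Authorize endpoint: issue a code bound to the presented challenge."""
        if code_challenge_method != "S256":
            # 'plain' offers no protection if the challenge leaks; refuse it here.
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = b64url_no_pad(secrets.token_bytes(16))
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        """Token endpoint: release a token only if SHA256(verifier) matches.

        The code is consumed on first use, so a replayed code fails as well.
        """
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return None  # unknown or already-used code
        expected = make_code_challenge(code_verifier)
        if not hmac.compare_digest(expected, challenge):
            return None  # verifier does not match: code was intercepted or forged
        # Placeholder token value; a real server returns a signed JWT or opaque token.
        return {"access_token": "constructed-opaque-token", "token_type": "Bearer"}


def run_pkce_flow(tamper: bool = False) -> bool:
    """Drive one authorization-code + PKCE exchange; True if a token was issued.

    With tamper=True the token request presents a different verifier, which is
    what an attacker holding only the intercepted code would have to do.
    """
    server = AuthorizationServer()
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    code = server.authorize(challenge, "S256")
    presented = make_code_verifier() if tamper else verifier
    return server.token(code, presented) is not None


if __name__ == "__main__":
    # RFC 7636 Appendix B test vector
    rfc_verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    print(make_code_challenge(rfc_verifier))  # E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
    print(run_pkce_flow(), run_pkce_flow(tamper=True))  # True False
```

The point to take into Entra ID configuration: the verifier never leaves the client until the token request, so a public client needs no client secret, and a redirect URI that leaks the authorization code is useless to the recipient without it. Check the challenge with the RFC vector before trusting any hand-rolled implementation; a padded or non-URL-safe base64 encoding is the usual cause of "invalid code_verifier" errors at the token endpoint.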
