How to authenticate user with Azure Active Directory using OAuth 2.0?

48,526

Solution 1

You should avoid handling the user's credentials. There are serious security implications when collecting a user's credentials that are mitigated by using OAuth 2.0 or OpenID Connect to get a token without directly handling the credentials. Also, if you have your own credential collection UI then you may find that sign-in fails in the future if multi-factor authentication is turned on. In that case, more information may be necessary to authenticate the user than you are collecting, a one-time password for instance. If you allow Azure AD to present the authentication experience via OAuth 2.0 or OpenID Connect, then you are insulated from the specific authentication method being employed. Collecting the user's Azure AD credentials is a bad practice to be avoided if at all possible.

I don't have enough detail on the exact scenario to be confident that the following sample applies, but it will at least provide a good starting point. This sample shows how to create a native app that calls a REST API that can then call an Azure resource in the safest way possible.

https://github.com/AzureADSamples/WebAPI-OnBehalfOf-DotNet

You can find lots of other samples here that can be used to construct a solution for your particular scenario.

https://github.com/AzureADSamples

If you provide some more detail I can give more specific guidance.

Solution 2

See: http://www.cloudidentity.com/blog/2014/07/08/using-adal-net-to-authenticate-users-via-usernamepassword/

Summary: Create a UserCredential

UserCredential uc = new UserCredential(user, password);

Call one of the AcquireToken() functions with the UserCredential

public AuthenticationResult AcquireToken(string resource, string clientId, UserCredential userCredential);
public Task<AuthenticationResult> AcquireTokenAsync(string resource, string clientId, UserCredential userCredential);
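The alternative that Solution 1 and the comments argue for is that the REST API accepts a token issued by Azure AD and verifies it, so the password never passes through the API; the added Go example below (not code from either answer or from the linked samples) shows that verification step. It assumes an RS256-signed token and a public key supplied by the caller, standing in for the tenant's JWKS signing key, and constructs its own sample token for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Claims is the subset of an Azure AD access token that the API checks.
type Claims struct {
	Iss string `json:"iss"` // tenant issuer
	Aud string `json:"aud"` // the API's own App ID URI
	Scp string `json:"scp"` // delegated scope(s) the token is constrained to
	Exp int64  `json:"exp"` // expiry, Unix seconds
}
// VerifyToken checks signature, issuer, audience and expiry; pub stands in for the tenant's JWKS signing key.
func VerifyToken(tok string, pub *rsa.PublicKey, iss, aud string, now int64) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, errSig := base64.RawURLEncoding.DecodeString(parts[2])
	payload, errBody := base64.RawURLEncoding.DecodeString(parts[1])
	if errSig != nil || errBody != nil {
		return nil, errors.New("bad base64url encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature") // verify before trusting any claim
	}
	c := new(Claims)
	if err := json.Unmarshal(payload, c); err != nil {
		return nil, err
	}
	if c.Iss != iss || c.Aud != aud || now >= c.Exp {
		return nil, errors.New("issuer, audience or expiry rejected")
	}
	return c, nil
}
// MintToken builds a constructed RS256 token for the demo (the IdP's job, never the API's).
func MintToken(priv *rsa.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	signing := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

A token that fails any one check is rejected before its claims are used, and because the key is pinned to the tenant, neither a token signed by another key nor a forged "alg" header gets through.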
Author by

COBOL

Updated on February 17, 2020

Comments

  • COBOL
    COBOL about 4 years

    I have a REST API written in C# and I need to authenticate with an existing Azure AD service. I currently have the username and password of the user wishing to authenticate. I need to authenticate with Azure AD and receive an access token from the server.

    Can someone please point me in the direction of some articles/tutorials that explain how to do this?

  • COBOL
    COBOL about 9 years
    Hi, I have an Android app, that sends through a username and password to my REST API. The REST API then needs to check if this username and password combination is correct using an existing Azure AD server. If it is correct, the REST API will handle the generation of an access token that the app will use to communicate with my REST API.
  • Rich Randall
    Rich Randall about 9 years
    Please avoid transporting the username and password. Everywhere you handle the username and password is another potential place for the user's account to be compromised. The tokens returned from AAD are constrained to a particular scope. If one of these tokens is compromised, the severity of the compromise is considerably less than a compromised username and password. Why are you collecting the username and password directly? Can this be changed?
  • sandiejat
    sandiejat over 7 years
    @ivan.petrovic Resource: The App ID URI of the web API (secured resource). To find the App ID URI of the web API, in the Azure Management Portal, click Active Directory, click the directory, click the application and then click Configure. azure.microsoft.com/en-us/documentation/articles/…
  • Michael Freidgeim
    Michael Freidgeim about 7 years
    From the same article: You can only use those flows from a native client. A confidential client, such as a web site, cannot use direct user credentials.
  • mellis481
    mellis481 almost 7 years
    There are compliance-related situations where apps need to validate credentials in-app for a request. There seems to be no way around this without acquiring creds from the client app and then validating with Azure on the server (C# in client app).
  • Ian Robertson
    Ian Robertson almost 7 years
    If you look at the accepted answer on this question: stackoverflow.com/questions/40498384/… you see how you can construct a RAW POST request to use user credentials to get a token. This works anywhere you can create an HttpClient object to make the request...
  • Rich Randall
    Rich Randall almost 7 years
    I'd like to better understand your compliance situation. Getting a token from AAD implies that the credentials were valid.
  • RyanOC
    RyanOC about 6 years
    Great points on not transporting user credentials within your app. Thanks @RichRandall
  • David
    David over 4 years
    Not certain why this is getting upvoted. Answering a question by giving your opinion of the question isn't an answer.
  • nmishr
    nmishr about 3 years
    Unfortunately, this answer allows the application to have access to the user's username and password. A better way would be to let the credential provider validate and return a token which the application can ask the provider to validate. In that way the user's information stays between the provider and the user.
  • dteviot
    dteviot about 3 years
    @nmishr, in the original question the application has the username and password.