Authenticating an Application using Azure Active Directory

In my previous post I discussed in brief the use of the OAuth Authorization Code workflow and the corresponding endpoints. As a brief recap, the workflow I’ll going to walk through is the following:

– User attempts to sign into an application

– Application launches the Authorize URL in an external browser

– User is directed to a Microsoft URL where they are prompted to sign in

– User signs in

– After sign in, the User is redirected back to the application via a custom protocol

– Application receives the token containing information about the user that has signed in

In this walk through I’ll use a UWP application but the workflow works well for any platform that supports custom protocol. Before I get started I’m going to need a few things:

Authorize URL – https://login.microsoftonline.com/{tenantId}/oauth2/authorize
Tenant Id – nicksdemodir.onmicrosoft.com (this can also be specified as a guid)

Next, I’m going to register an application with Azure Active Directory (Azure AD). You can think of this registration as identifying the application that is going to connect to Azure AD. In the Azure portal, open the Active Directory management pane and select App registrations

image

At the top of the app registrations pane, click the Add button. In the Create form I’ll give the application registration a name (the name is used both in the Azure portal as well as on the sign in page when a user is signing into the application). The application type needs to be set to Native – this allows the application to exchange an Authorization Code for an Access Token without having to provide a client secret.

image

The final property is the Redirect URI, which is the URL that the browser will be directed to after the user has signed in. In this case I’m specifying a custom protocol which will be used to redirect back to the application. Once the application registration is complete I can copy the Application Id from the application pane.

image

I have all the information I need in order to authenticate a user; all I need to do is form the authorization url that will be launched in the external browser:

private async void AuthenticateClick(object sender, RoutedEventArgs e)
{
    var  authorizationUrl=
        “
https://login.microsoftonline.com/nicksdemodir.onmicrosoft.com/oauth2/authorize?” +
        “client_id=40dba662-4c53-4154-a5cf-976473306060&” +
        “response_type=id_token&” +
        “redirect_uri=sample%3A%2F%2Fcallback&” +
        “nonce=1234“;
    await Launcher.LaunchUriAsync(new Uri(authorizationUrl));
}

There are various components to the authorization url:

nicksdemodir.onmicrosoft.com – The tenant where the application is registered. Alternatively use “common” for multi-tenanted applications.

0dba662-4c53-4154-a5cf-976473306060 – This is the Application ID (also referred to as the client ID) of the application registration in Azure AD

id_token – This is the requested response, which in this case is a JWT token that represents information about the user. When using OAuth to authorize access to a resource, either specify “code” or “code id_token”.

sample://callback – This is the url that the browser will be redirected to after the sign in process has been completed.

1234 – This is a application specific nonce which can be used to ensure the returned token matches the authentication request from the application.

In order for the user to be redirected back to the UWP application the “sample” custom protocol needs to be registered to the application. For a UWP application this is done by adding the following XML to the package.appxmanifest, immediately after the closing VisualElements tag.

<Extensions>
  <uap:Extension Category=”windows.protocol”>
    <uap:Protocol Name=”sample”>
      <uap:Logo>assetsStoreLogo.png</uap:Logo>
      <uap:DisplayName>Sample</uap:DisplayName>
    </uap:Protocol>
  </uap:Extension>
</Extensions>

In the App.xaml.cs file for the application, the OnActivated method needs to be overridden. This method will be invoked when the user is switched back to the application after signing in. The args property can be interrogated in order to retrieve the id_token that has information about the authenticated user.

image

The site http://jwt.io can be used to pull apart the id_token which shows the name of the user that’s signed in. It also shows the nonce which the application can match with the nonce specified in the authentication request.

image

In this post I’ve shown how you can use Azure Active Directory to authenticate a user. Note however, this is not enough to authorize a user for access to any resources. In the next post I’ll walk through using OAuth to authorize user access to a resource.

Leave a comment