meds

Reputation: 22916

Authenticating a user in Azure AD through a web api?

I'm working on integrating Azure AD authentication with various apps on different platforms.

Is there a way to get an authentication token id from a user logging in through a web api like 'azureadlogin.com/login?user=ted&password=passwordhash'?

There seem to be ways of doing it through Node or JavaScript or C# apps, but I'd really like to just have a simple web request way of doing it, as there are many different apps on different platforms that need to make use of this feature.

Upvotes: 0

Views: 125

Answers (2)

RasmusW

Reputation: 3461

You can use username/password authentication. But if your app has a user interface, so that it could pop up the regular Azure AD login page, I would recommend not using it. A major reason for using Azure AD (or other identity providers) is that the user doesn't want your app to know his password.

There's a sample which does what you want. The code in question is here.

The sample uses .NET and the ADAL.net library, but you can do similar stuff on other platforms.

Upvotes: 1

juunas

Reputation: 58723

No.

There is a way to authenticate with username + password by doing a POST request and using Resource Owner Password Credentials flow, but I don't recommend it.

ROPC will not work if:

  1. User's password has expired
  2. User is MS account/federated from on-prem AD
  3. User has multi-factor authentication enabled

You have a wide selection of authentication flows which work in all these scenarios too, and don't involve the user giving their password to you.

For example:

  1. Authorization code flow
  2. Implicit grant flow
  3. Device authentication flow

Upvotes: 2
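
As an added example (not part of either answer and not Microsoft's sample code), the authorization code flow listed above can be driven with plain web requests, which is what the question asks for. It assumes the Microsoft identity platform v2.0 endpoints, a public client using PKCE, and placeholder tenant, client ID and redirect URI values; it only builds the requests and validates the redirect, so it runs offline.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed placeholders: substitute the values from your own app registration.
TENANT = "TENANT-ID-PLACEHOLDER"
CLIENT_ID = "CLIENT-ID-PLACEHOLDER"
REDIRECT_URI = "http://localhost:8400/callback"
BASE = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"

def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) with padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def start_login(scope: str = "openid profile"):
    """Return (url, state, verifier); the app keeps state and verifier locally."""
    state = secrets.token_urlsafe(16)
    verifier = secrets.token_urlsafe(48)  # 64 characters, within the 43-128 allowed
    query = urlencode({
        "client_id": CLIENT_ID, "response_type": "code",
        "redirect_uri": REDIRECT_URI, "scope": scope, "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    })
    return f"{BASE}/authorize?{query}", state, verifier

def handle_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code, rejecting errors and a mismatched state."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    returned = params.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this login attempt")
    if "code" not in params:
        raise ValueError("no authorization code in redirect")
    return params["code"][0]

def token_request(code: str, verifier: str):
    """Return (url, form body) for the POST that redeems the code for tokens."""
    body = urlencode({
        "client_id": CLIENT_ID, "grant_type": "authorization_code",
        "code": code, "redirect_uri": REDIRECT_URI, "code_verifier": verifier,
    })
    return f"{BASE}/token", body
```

The user signs in on the Azure AD page opened at the returned URL, so the app never handles the password; the token POST is sent with content type `application/x-www-form-urlencoded`.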
