Merijn

Reputation: 723

Customizing AAD Authentication logic

Is it possible to add/extend user authentication logic to AAD?

I want to be able to retrieve the user's password in an alternative way, then hand the password over to AAD to have it validated by AAD in the normal way.

From a high level, this is the authentication flow that I have in mind:

  1. A user enters a system which requires authentication
  2. The user is redirected to AAD for authentication
  3. AAD redirects to my password retrieval engine
  4. The user provides his password to the password retrieval engine
  5. The password retrieval engine returns the password to AAD
  6. The password retrieval engine redirects back to AAD
  7. AAD performs password/user validation based on the user password from the password retrieval engine.

Any help on this is greatly appreciated.

Upvotes: 0

Views: 99

Answers (2)

mthierba

Reputation: 5667

You can use Username/Password authentication (grant_type=password) with AAD apps, although that flow is officially discouraged.

How that flow works in conjunction with the ADAL.NET library is explained in great detail here: https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Acquiring-tokens-with-username-and-password

Be aware that your AAD app must be created as a "Native" app for this to work! "Web" apps (confidential clients) will raise the AADSTS7002 error when trying to authenticate against those with username and password!

The AAD v2.0 password flow is described here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

Upvotes: 1
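The exchange this answer links to, as an added example that is not part of the original answer or of the ADAL/MSAL libraries: a v2.0 Resource Owner Password Credentials (ROPC, `grant_type=password`) request built against `login.microsoftonline.com`, with a parser that returns the token set on success and surfaces the `AADSTS` error codes on failure. Tenant, client id, account name and password are placeholders, the `build_ropc_request`/`parse_token_response`/`request_token` helpers are this example's own, and the two JSON responses are constructed samples so the demo runs offline. It assumes a public-client app registration (the "Native" type the answer refers to), so no `client_secret` is sent.

```python
"""Added example: AAD v2.0 ROPC token request and response handling.

Not from the original post. Tenant, client_id, username and password are
placeholders; SAMPLE_* responses are constructed to mirror the endpoint's
JSON shape so the parsing can be exercised without network access.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL_TEMPLATE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


class AadTokenError(Exception):
    """Token endpoint returned an OAuth error; .codes holds the AADSTS codes."""

    def __init__(self, error, description, codes):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description
        self.codes = codes


def build_ropc_request(tenant, client_id, username, password, scope=DEFAULT_SCOPE):
    """Return (url, form_body) for a ROPC token request.

    The body is application/x-www-form-urlencoded; the password is sent in
    clear inside the TLS channel, which is why the grant is discouraged.
    A public client sends no client_secret.
    """
    url = TOKEN_URL_TEMPLATE.format(tenant=tenant)
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "scope": scope,
        "username": username,
        "password": password,
        "grant_type": "password",
    })
    return url, body


def parse_token_response(status, body_text):
    """Return the token dict on HTTP 200, else raise AadTokenError.

    The endpoint reports failures as JSON with 'error', 'error_description'
    and a numeric 'error_codes' list; the AADSTS prefix is added here.
    """
    data = json.loads(body_text)
    if status == 200 and "access_token" in data:
        return data
    codes = [f"AADSTS{c}" for c in data.get("error_codes", [])]
    raise AadTokenError(data.get("error", "unknown_error"),
                        data.get("error_description", ""), codes)


def request_token(tenant, client_id, username, password, scope=DEFAULT_SCOPE):
    """Perform the live exchange (needs network access; not used by the demo)."""
    url, body = build_ropc_request(tenant, client_id, username, password, scope)
    req = urllib.request.Request(
        url, data=body.encode("utf-8"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return parse_token_response(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # AAD answers 400/401 with the JSON error document; parse it the same way.
        return parse_token_response(exc.code, exc.read().decode("utf-8"))


# Constructed sample responses (not captured from a real tenant).
SAMPLE_SUCCESS = json.dumps({
    "token_type": "Bearer", "scope": DEFAULT_SCOPE, "expires_in": 3599,
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.constructed.sample",
})
SAMPLE_BAD_PASSWORD = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50126: Error validating credentials due to "
                         "invalid username or password.",
    "error_codes": [50126],
})


def run_offline_demo():
    """Exercise both branches with the constructed samples; returns (token, error)."""
    token = parse_token_response(200, SAMPLE_SUCCESS)
    try:
        parse_token_response(400, SAMPLE_BAD_PASSWORD)
        error = None
    except AadTokenError as exc:
        error = exc
    return token, error


if __name__ == "__main__":
    url, body = build_ropc_request("contoso.onmicrosoft.com",
                                   "00000000-0000-0000-0000-000000000000",
                                   "alice@contoso.onmicrosoft.com", "placeholder")
    print("POST", url)
    print(body.replace("placeholder", "********"))
    token, error = run_offline_demo()
    print("sample success token_type:", token["token_type"])
    print("sample failure codes:", error.codes)
```

Usage: `request_token(tenant, client_id, username, password)` performs the real exchange; everything else runs offline. Two caveats a practitioner should plan for: the grant sends the user's password to the token endpoint, so whatever "password retrieval engine" collects it must treat it as a credential in transit, and accounts protected by MFA or blocked by Conditional Access cannot complete ROPC at all; they get an `invalid_grant` error document like the one parsed above rather than a token.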

Marilee Turscak - MSFT

Reputation: 7720

Yes, you can do this. You can issue authentication tokens and create a custom authentication endpoint by adding an AuthController. Before a user can call the endpoint, he needs to call the AuthController with valid credentials in order to get a token which will be used in subsequent API calls.

This is by far the best guide I have seen so far for this. This one is also handy.

You could also have a custom authentication on the backend and AAD authentication on the frontend.

Upvotes: 0
