Kol

Reputation: 13

Azure AD - custom validation in external api

I have 3 applications: one is a desktop application and this is my client, the second is my Web API to secure, and the last one is an API which checks if the user with password exists.

In my case I want to connect this flow with Azure AD.

I think this should work like this:

  1. DesktopApplication sends a request with clientid, clientsecret, username and password to Azure.
  2. Azure sends a request with username and password to my API, where I can check if this user exists; if it exists I will return "true" (or something like this).
  3. If the API returns "true", Azure can return a token to DesktopApplication.
  4. DesktopApplication will send a request to the secure Web API with the token.
  5. DesktopApplication receives content from the secure Web API.

The API in point 3 is not the same API as in point 5.

Is it possible to do this flow with Azure AD or not? And if not, can I do something with my flow to secure the Web API with Azure and still store users in my old DB (Oracle)?

Upvotes: 0

Views: 135

Answers (1)

juunas

Reputation: 58773

It would be better to use OpenID Connect authentication flows to authenticate the user and acquire a token that way.

The approach you are suggesting has a few downsides:

  1. You are storing a client secret in a desktop application, which can be easily extracted by anyone.
  2. The authentication flow that allows you to do this will not work with users who have MFA enabled / are federated users (on-prem AD/MS account/Guest account) / have expired password.
  3. It trains users to be phished as they really should only enter their password to the actual login page.

So it would be better to use a flow like this:

  1. Your desktop application uses Azure AD Authentication Library (ADAL) or Microsoft Authentication Library (MSAL) to authenticate the user, requesting an access token for your API
  2. Desktop app calls API, API validates token signature, issuer, validity time etc.

It will show the user a pop-up window where they can login, and as a result you'll get an Id token (which tells your desktop app who the user is) and an access token for the API.

Upvotes: 1
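The checks the answer lists for step 2 (signature, issuer, audience, validity time), as an added example that is not part of the question or the answer above. It is stdlib-only Python, so it signs with HS256 and mints its own sample token; a real Azure AD access token is RS256 and the API would verify it with the RSA public key from the tenant's JWKS (discovery) endpoint, with the rest of the checks unchanged. The key, issuer and audience values are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Demo signs with HS256 so it runs on the stdlib alone; an Azure AD access token is
# RS256 and the verifying key would come from the tenant's JWKS (discovery) endpoint.
ALLOWED_ALGS = {"HS256"}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def validate_token(token, key, issuer, audience, now=None, leeway=60):
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = time.time() if now is None else now
    h64, p64, s64 = token.split(".")  # raises ValueError on a malformed token
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm to an allow-list; never let the token choose (rejects "none").
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))  # only trust claims after the signature check
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) + leeway < now:  # a missing exp counts as expired
        raise ValueError("expired")
    if claims.get("nbf", 0) - leeway > now:
        raise ValueError("not yet valid")
    return claims

def rejection_reason(token, key, issuer, audience, now=None):
    """None when the token is accepted, otherwise the reason it was rejected."""
    try:
        validate_token(token, key, issuer, audience, now)
        return None
    except ValueError as e:
        return str(e)

def make_token(claims, key):
    """Constructed test issuer: mints an HS256 token for trying the checks above."""
    h64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p64 = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{b64url_encode(sig)}"
```

Call `validate_token` on the bearer token from the Authorization header with the issuer and audience your API registration expects; the order matters, since claims are only read after the signature has been verified.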
