
Allow public applications to acquire token via authorization code #863

Closed
cormacpayne opened this issue Feb 1, 2019 · 3 comments

@cormacpayne

Is your feature request related to a problem? Please describe.

Currently, only the ConfidentialClientApplication supports acquiring tokens via authorization code, but this functionality should be able to extend to the PublicClientApplication (as demonstrated by the Python ADAL/MSAL libraries). This prevents our public application with no secret/certificate credential from authenticating using this method.

Describe the solution you'd like

Add the AcquireTokenByAuthorizationCodeAsync method to the IClientApplicationBase and implement a version of this authentication similar to the one found in ConfidentialClientApplication that doesn't use the ClientCredential parameter.

Describe alternatives you've considered

Other forms of acquiring a token using the PublicClientApplication currently work, but we are looking for "interactive ways" for users to authenticate in Azure PowerShell. Ideally we would share the same default login behavior as Azure CLI: using authorization code flow, open a window with the appropriate URL, have the user pick their account, authenticate, and move along. Talked to @henrik-me about having the code in device code flow added to the URL (e.g., https://microsoft.com/devicelogin?code=ABCDEFGH) for a similar experience, which would work for us as well, but no timeline yet for this.

Additional context

N/A

@bgavrilMS
Member

bgavrilMS commented Feb 2, 2019

Hi @cormacpayne - we are looking into this; we have two approaches:

  1. The strategy that you have described. The difficulty there is to provide a layer of security against man-in-the-middle attacks. The OAuth spec provides a mechanism called [PKCE](https://oauth.net/2/pkce/) - it's pretty simple. Looking into this...

  2. A second approach is to reuse the infrastructure of MSAL and "bring your own browser". MSAL uses PKCE already. @MarkZuber has an implementation exposing this already which we may refine a bit, but the gist of it is that you will need to implement a single method:

Uri GetAuthorizationCodeUri(Uri interactiveAuthUri, Uri redirectUri)

So we give you a Uri that will initiate the login process, show the user the login window, collect the password etc. Then AAD will use the redirectUri to respond with a Uri that contains an authorization code. MSAL will exchange this code for a token.
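The PKCE mechanism Bogdan refers to is what lets a public client (no secret, no certificate) use the authorization-code flow safely: the client proves it started the flow by presenting a `code_verifier` at the token endpoint, so an intercepted code alone is useless. The example below is added here to illustrate that; it is not MSAL's code and not from this issue. It is written in Python rather than C# so it runs stand-alone, and it assumes the Azure AD v2.0 authorize path (`/oauth2/v2.0/authorize`), a placeholder client id, and a loopback redirect URI that are all constructed for the example. It covers the client-side half of the "bring your own browser" split described above: building the authorize URI, validating the redirect response that the custom browser hands back, and assembling the token request without any client credential.

```python
# Added example (not MSAL's code, not from the issue): the PKCE pieces that
# make an authorization-code flow safe for a public client.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def challenge_for(verifier: str) -> str:
    """S256 transform: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair(nbytes: int = 32):
    """Fresh random verifier (32 bytes -> 43 chars) and its S256 challenge.

    The verifier must stay on the client; only the challenge goes into the
    authorize request.
    """
    verifier = _b64url(secrets.token_bytes(nbytes))
    return verifier, challenge_for(verifier)


def build_authorization_uri(authority, client_id, redirect_uri, scopes, state, code_challenge):
    """The interactiveAuthUri the custom browser must navigate to.

    authority is assumed to be an AAD v2.0 authority such as
    https://login.microsoftonline.com/common (constructed for this example).
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                    # binds the response to this request
        "code_challenge": code_challenge,  # commitment to the verifier
        "code_challenge_method": "S256",
    }
    return f"{authority}/oauth2/v2.0/authorize?{urlencode(params)}"


def extract_authorization_code(response_uri, expected_redirect_uri, expected_state):
    """Validate the Uri the browser returned to and pull out the code.

    Rejects responses on the wrong redirect URI, error responses, and any
    response whose state does not match the one we generated.
    """
    got = urlparse(response_uri)
    want = urlparse(expected_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("response did not arrive on the registered redirect URI")
    qs = parse_qs(got.query)
    if "error" in qs:
        raise ValueError(f"authorization server returned error: {qs['error'][0]}")
    if qs.get("state") != [expected_state]:
        raise ValueError("state mismatch: response is not bound to our request")
    codes = qs.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request_body(client_id, redirect_uri, code, code_verifier):
    """Form body for the token endpoint. Note: no client_secret; the
    code_verifier is what proves this client started the flow."""
    return {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


if __name__ == "__main__":
    # Constructed round trip: the server's redirect is simulated by hand.
    verifier, challenge = make_pkce_pair()
    state = _b64url(secrets.token_bytes(16))
    redirect = "http://localhost:8400/"
    print(build_authorization_uri("https://login.microsoftonline.com/common",
                                  "client-id-placeholder", redirect, ["openid"], state, challenge))
    code = extract_authorization_code(f"{redirect}?code=CONSTRUCTED_CODE&state={state}", redirect, state)
    print(token_request_body("client-id-placeholder", redirect, code, verifier))
```

The `state` check is the part most often skipped when a custom browser is wired in: without it, any redirect that reaches the loopback listener would be accepted as the answer to our request.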

@jmprieur jmprieur added this to the 3.0 milestone Feb 4, 2019
@cormacpayne
Author

@bgavrilMS awesome, thanks for the update, Bogdan

@jennyf19
Collaborator

Fixed in MSAL 3.0.0-preview release
