MSAL vs msgraph-sdk-java-auth - azure-active-directory

I want to develop a Java Web App to consume some Microsoft Graph Services. According to Azure Portal's "Quick Start" tab, they recommend MSAL to authenticate and call the services (com.microsoft.aad.msal4j.*).
On the other hand, I've found https://github.com/microsoftgraph/msgraph-sdk-java-auth, which offers a nice API to use the services, but the last update is from more than a year ago.
Which should I use? I'm a bit afraid the SDK gets deprecated.
Thanks.

If you have a look at the dotnet version of this library, you'll see it uses MSAL. Whenever the Java msgraph auth library was started, MSAL Java wasn't ready. There's work that needs to be done to align the Java auth library with the dotnet one so it uses MSAL as well. I'd say go ahead and use the Java auth library keeping in mind a few things:
It will change as the required work gets done
Auth libraries for msgraph SDKs are all in preview and might change in the future
There's currently a limitation addressed by this pull request and that you can work around as documented here

Related

How to authenticate react .netcore webapp's backend code using AAD?

I have created a React .NET Core web app and implemented AAD authentication for the front end using "react-adal", but I am not getting how I can authenticate the backend.
Please suggest any approach!
It is recommended to use MSAL as ADAL is being deprecated.
Also, front end libraries use implicit and auth code flow, which will authenticate in the front end itself. So, since you are using a front end library, it is not possible to auth with the back end. For authenticating with the backend, use a backend language like ASP.NET (we can use the MSAL.NET library).
Here is a Sample on how to use MSAL with React to call Microsoft Graph.
The only difference in your case will be that instead of calling Microsoft Graph, you will call your own API.
Bottom line is: there is no direct integration package yet for React, which can also be read from the official statement on the msal-js repo:
After our current libraries are up to standards, we will begin
balancing new feature requests, with new platforms such as react and
node.js.
If you want to use .net core instead then please go through the sample here

Configuration of React app, .NET Core 3.1 API, and calls to Microsoft Graph

Is there a "best" way of achieving this?
Basically I want to leverage my company's Azure AD tenant to build a fully featured internal application. Using Microsoft Graph, I can retrieve users via their identifier guids, and use the identifiers as foreign keys for various tables in our on premises database, instead of having a dedicated User table, which would need to be populated and synced up with the AD. There are many other prospective uses for Graph, but leveraging users is the priority right now.
A large chunk of my application is built already. I am able to lock down my client app using the package react-aad-msal, requiring users to authenticate through single-sign-on. I have also successfully been able to pass that token back to the protected .NET Core API, accessing various endpoints as the authenticated user.
From here, I am not sure how I can develop the calls to Microsoft Graph. At which point should I make the connection? Should the client application connect to both the on-prem API, as well as Graph? Or should it only connect to the on-prem, which would then connect to Graph? Curious to know the pros and cons of either method.
I've also heard tell that Microsoft is working on their own package: @azure/msal-react, and that react-aad-msal should no longer be used (as it only supports msal 1.0 and not 2.0. I have no idea which version is better for my needs). While msal-react is still in development, apparently I should be using @azure/msal-browser. But I cannot find a good example of a react app using msal-browser to authenticate.
Here is a Sample on how to use MSAL with React to call Microsoft Graph.
The only difference in your case will be that instead of calling Microsoft Graph, you will call your own API.
Bottom line is: there is no direct integration package yet for React, which can also be read from the official statement on the msal-js repo:
After our current libraries are up to standards, we will begin
balancing new feature requests, with new platforms such as react and
node.js.
You can also use .net core instead. Please go through the sample here which can help.

Which Nuget package for Active Directory should I use?

I built an Azure WebAPI. I did not create the project with Authentication at the time it was first created. I added Active directory Authentication based on a code sample from Microsoft. It utilizes Microsoft.IdentityModel.Clients.ActiveDirectory which I got from NuGet. It works just fine.
I then created a WebAPI from VS 2017 and selected Authentication (using AD) at the time of project creation. It included Microsoft.AspNetCore.Authentication.AzureAD.UI.
I am not sure of the difference between these two NuGet modules nor which is better suited for my Azure WebAPI.
Then comes the modules to use in a .NET WPF client. There is no AuthorizationContext class (and others) in Microsoft.AspNetCore.Authentication.AzureAD.UI. Should I stick with Microsoft.IdentityModel.Clients.ActiveDirectory in the .NET WPF client or are there equivalents in Microsoft.AspNetCore.Authentication.AzureAD.UI?
For your web API project, the answer is that it depends on what you're trying to do from within the web API. For most simple scenarios where you just need to read/validate tokens, you should be good with the added Microsoft.AspNetCore.Authentication.JwtBearer NuGet package. A more detailed question/answer is available in this SO post
In the case of your WPF client application, though, you won't have much choice. You will need to work with ADAL or MSAL based on which AD version/endpoints you want to use. Also, in the case of a WPF client, more probably than not you will need to acquire a token from Azure AD, so internal operations (which the library will take care of under the hood, e.g. authenticationContext.AcquireTokenAsync) will be a little more involved than just reading the provided token from a header, and hence the package.
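What "just read/validate tokens" amounts to in an ASP.NET Core 3.1 Web API; the same setup is what a backend needs when a React front end sends it an MSAL-acquired token, as in the earlier questions. This is an added example, not code from any of the posts; the tenant ID and client ID are placeholders, and the use of the v2.0 endpoint is an assumption.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    // Placeholders (assumptions): replace with your tenant ID and the API's client ID.
    private const string TenantId = "<your-tenant-id>";
    private const string ApiClientId = "<your-api-client-id>";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Issuer and signing keys are discovered from the tenant's
                // OpenID Connect metadata under this authority.
                options.Authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";
                // v2.0 access tokens carry the API's client ID in the aud claim.
                options.Audience = ApiClientId;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,           // reject tokens from other tenants
                    ValidateAudience = true,         // reject tokens minted for other APIs
                    ValidateLifetime = true,         // reject expired tokens
                    ValidateIssuerSigningKey = true  // reject tokens not signed by Azure AD
                };
            });
        services.AddAuthorization();
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            // Every action needs a valid bearer token unless marked [AllowAnonymous].
            endpoints.MapControllers().RequireAuthorization();
        });
    }
}
```

If the API's app registration issues v1.0 access tokens, the issuer and audience values differ from the ones assumed here and validation will fail until the authority and audience match the token version.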

Desktop client flow for MicrosoftAccount access to Azure Mobile Service API

I have followed Adrian Hall's book to create a cross platform app with a Mobile Service API backend. I have successfully got unsecured access to the backend working from Android, iOS and Desktop (WPF) clients. I am moving on to adding security to the API using the Authorise attribute. I would like to add social authentication using MicrosoftAccount (formerly passport/Live ID).
Since Adrian wrote his book the Microsoft.Azure.Mobile.Client and the authentication and authorisation landscape seem to have moved on. The samples given in the book no longer build and Microsoft's social authentication and AAD authentication seem to have been rolled into one API.
I have spent days searching for up to date and relevant information but there seems to be lots of stuff on the internet that is either out of date or only shows examples of authenticating using Facebook or Google from Xamarin clients or authenticating against Azure AD.
I am using .NET 4.7 and WPF for the desktop app. I am also using Microsoft.Azure.Mobile.Client V4.0.1. and my questions are:
Should I be using the Microsoft.Identity.Client to authenticate users from my desktop client; and,
If so can someone point me to an example of the client flow that I need to follow, specifically how do I get the authorisation token that I need to pass to the new MobileServiceClient.LoginAsync() function that uses the identification provider and token parameters?
According to your requirement, you want to use client-flow authentication with MSA. As far as I know, MSA authentication uses the Live SDK for signing in users.
Since Live SDK is deprecated, you could leverage OneDrive SDK for CSharp for logging with MSA, and you could follow the detailed steps for achieving this purpose:
Install the client libraries via NuGet:
Microsoft.OneDriveSDK
Microsoft.OneDriveSdk.Authentication
Log into Microsoft Account Developer Center and create your app, add the native application platform, then Register your app with Microsoft Account.
Then you could follow the code below and add to your WPF application as follows:
For more details about OneDrive SDK for CSharp, you could refer to here and Authentication Adapter for the OneDrive SDK.
UPDATE:
It's my fault. I did not mention that the above code would automatically open a web browser. Per my test, you could configure the parameter returnUrl to https://login.microsoftonline.com/common/oauth2/nativeclient when constructing your MsaAuthenticationProvider instance.
I was in a similar boat, and here is a summary from the top of my head. There are two security libraries currently in play for authorization: ADAL and MSAL.
ADAL
This is the first library that came out, and services like B2C must each be handled separately using this library.
MSAL
One security framework to rule them all!
https://github.com/Azure-Samples/active-directory-xamarin-native-v2
This library has a go live license, but technically it's still in Beta.
Head to Mobile.azure.com for the last info in creating a mobile application, and this article on a V2 endpoint.
When you register an application for Authorization, there are two categories: a "Converged" application and a "Live SDK application" (see https://apps.dev.microsoft.com/#/appList). Why they would choose these names is beyond me to understand. IMPORTANT Translation: Converged applications ONLY work with MSAL, the other ONLY works with ADAL. THAT will go a long way for you to get the authentication working, as the Application / Client ID must match the correct SDK, and hence endpoint.
In the end, we chose to stay with ADAL for now as we were having problems with MSAL. MSAL is the future however, as all services will be incorporated, and it should be an easier SDK to use.
Here are some links that I kept, all of which refer to ADAL or MSAL:
http://aka.ms/aadv2
https://azure.microsoft.com/develop/identity
https://learn.microsoft.com/en-ca/azure/active-directory/develop/active-directory-authentication-scenarios#native-application-to-web-api
https://github.com/AzureAD
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
These links are about a month old - HTH

Authenticate against Active Directory in .NET Core 1.0 application?

With the recent release of .NET Core 1.0, we're in the process of migrating our RC1 applications to the final release. The only piece we can't seem to figure out is how to integrate Active Directory authentication.
Previously in the RC1 applications, we had used the System.DirectoryServices.AccountManagement library to handle the LDAP authorization queries. However, we can no longer mix this library with .NET Core v1.
Generally, what is the best way to integrate Active Directory authentication into our applications using the libraries available for use in the .NET Core framework? IdentityServer, some other third party service like Auth0 or something else?
The Novell.LDAP library has been ported to .NET Core; you can find it in NuGet. There are numerous samples available, including a verify password sample.
Best is subjective, really there's only one way right now, given the missing DirectoryServices namespace (which is planned for 1.1) - federation.
You'd have to install ADFS, and expose it to the internet. Then you configure it to act as an OAuth2 endpoint, and use the generic OAuth middleware to redirect logins to your ADFS server. You could also install the latest ADFS beta, which needs the latest Windows Server beta, and use OpenID Connect, but that's a lot of beta risks you may not find acceptable.
Or, if you just want the latest MVC pieces, run it on .NET Desktop, where you have full access to the directory services namespace.
The System.DirectoryServices namespace is currently being implemented in .NET Core, work is ongoing.
https://github.com/dotnet/corefx/issues/2089
Just want to say that they just issued a pre-release of the Microsoft.Windows.Compatibility package, which contains the System.DirectoryServices components needed to integrate with Active Directory
https://www.nuget.org/packages/Microsoft.Windows.Compatibility/2.0.0-preview1-25914-04
