Wednesday, April 06, 2016

AAD : MSAL : Microsoft Authentication Library

This was announced at //build/ in Vittorio's presentation:

Microsoft Identity: State of the Union and Future Direction

and is further described here:

Microsoft Identity at //build/ 2016

"MSAL is a unified library that helps you to develop applications that work with Microsoft Accounts, Azure AD accounts and Azure AD B2C users indifferently – all in a single, streamlined programming model!"

So it targets the "converged model".

It's a "successor" to ADAL with the important proviso that it will not work with ADFS and the original Azure AD.

"ADAL is and remains the main means you have to work with the original Azure AD and with ADFS, which aren’t supported by MSAL. If you need a token for a service that today accepts only tokens from the original Azure AD, such as the Azure ARM API, you’ll want to keep using ADAL."

The NuGet package is here. Note that it is a prerelease.

The other change is that there is a new application portal at:

apps.dev.microsoft.com

The article has links to some sample code but I found the web app one confusing.

I think Integrate Microsoft identity and the Microsoft Graph into a web application using OpenID Connect is a better sample (or another view: Integrate Microsoft identity and the Microsoft Graph into a web application using OpenID Connect).

Running the sample, we see:

So we can choose either the Microsoft account (MSA) (aka LiveID) or the work / school account (aka organisational account).

If we use the work / school account and display the claim, we see:


If we use the MSA account, we see:

so there are some minor differences.

Also of interest is the fact that although WS-Fed appears in the flow, what the application receives is an OpenID Connect id_token (a JWT), not a WS-Fed SAML token.

After we have logged in as both, the login screen looks like:


So both are "signed in" but you can only pick one at any one time.

When I sign in to the work or school account, we see:

GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=ce...3c
&redirect_uri=https%3a%2f%2flocalhost%3a44326%2f
&response_mode=form_post
&response_type=code+id_token
&scope=openid+email+profile+offline_access+offline_access
&state=OpenIdConnect.AuthenticationProperties%3dxK...Zi HTTP/1.1

which is an OpenID Connect request to the v2.0 endpoint (note oauth2/v2.0/authorize) using the hybrid flow: response_type=code+id_token with response_mode=form_post, so the authorization code and the id_token are POSTed back to the redirect_uri. Note also that the sample sends the offline_access scope twice.

This is followed by:

GET https://login.live.com/Me.srf?wa=wsignin1.0&idpflag=direct
&wreply=https%3A%2F%2Flogin.microsoftonline.com HTTP/1.1

which is a WS-Fed sign-in request (wa=wsignin1.0) to the Microsoft account IdP at login.live.com, with wreply pointing back to login.microsoftonline.com.

Not sure why both are invoked?
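What the relying party side of the first request above looks like, and what it must check when the form_post reply comes back, as an added example (my code, not the post's or the sample's; the HS256 signing key, tenant id, client id and authorization code are constructed stand-ins so it runs offline, whereas a real v2.0 id_token is RS256-signed and is verified against the keys published in the endpoint's OpenID discovery document):

```python
"""Added example: build the v2.0 hybrid-flow authorize request the trace
shows, then validate the form_post reply (state, nonce, signature, iss,
aud, exp). All keys, ids and claims below are constructed stand-ins."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
ISSUER_PREFIX = "https://login.microsoftonline.com/"  # v2.0 issuer is /{tenant}/v2.0


def build_authorize_url(client_id, redirect_uri, scopes, state, nonce):
    """Same shape as the traced request: code + id_token via form_post.
    Scopes are de-duplicated (the traced request sent offline_access twice)."""
    seen, scope_list = set(), []
    for s in scopes:
        if s not in seen:
            seen.add(s)
            scope_list.append(s)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "response_type": "code id_token",
        "scope": " ".join(scope_list),
        "state": state,   # binds the reply to this request (login CSRF)
        "nonce": nonce,   # echoed in the id_token (replay / session binding)
    }
    return AUTHORIZE + "?" + urlencode(params)


def scope_from_url(url):
    """Return the scope list carried by an authorize URL."""
    return parse_qs(urlparse(url).query)["scope"][0].split(" ")


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims, key):
    """Constructed HS256 JWT standing in for AAD's RS256 id_token (assumption)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_response(form, expected_state, expected_nonce, client_id, key, now=None):
    """Check a form_post reply. Returns (code, claims) or raises ValueError."""
    now = time.time() if now is None else now
    if form.get("state") != expected_state:
        raise ValueError("state mismatch: reply not bound to our request")
    header_b64, body_b64, sig_b64 = form["id_token"].split(".")
    # Pin the algorithm: never accept whatever 'alg' the token claims (e.g. 'none').
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: id_token replayed or from another session")
    iss = str(claims.get("iss", ""))
    if not (iss.startswith(ISSUER_PREFIX) and iss.endswith("/v2.0")):
        raise ValueError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ValueError("id_token not issued to this client")
    if now >= claims.get("exp", 0):
        raise ValueError("id_token expired")
    return form["code"], claims


def demo():
    """Drive the exchange end to end with constructed data."""
    key = b"constructed-demo-key"          # stand-in for the IdP's signing key
    client_id = "constructed-client-id"    # stand-in for an apps.dev.microsoft.com app id
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorize_url(client_id, "https://localhost:44326/",
                              ["openid", "email", "profile", "offline_access", "offline_access"],
                              state, nonce)
    now = 1_459_900_000  # fixed clock so the run is deterministic
    claims = {"iss": "https://login.microsoftonline.com/constructed-tenant-id/v2.0",
              "aud": client_id, "iat": now, "exp": now + 3600, "nonce": nonce,
              "name": "Constructed User", "preferred_username": "user@example.com"}
    form = {"code": "constructed-auth-code", "id_token": make_id_token(claims, key), "state": state}
    code, verified = validate_response(form, state, nonce, client_id, key, now)
    try:  # a reply carrying someone else's state must be rejected
        validate_response(dict(form, state="attacker-state"), state, nonce, client_id, key, now)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {"url": url, "code": code, "claims": verified, "tampered_rejected": tampered_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The state and nonce checks are the part the sample's screenshots do not show: without state, an attacker can complete a login in the victim's browser with the attacker's code and id_token; without nonce, an id_token captured elsewhere can be replayed. In production the signature check pins RS256 and uses the key matching the token's kid from the discovery document's jwks_uri.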

Early days - no doubt more documentation will be forthcoming.

Enjoy!
