I’ve been looking at the many samples in the Azure Active Directory Code Samples and I can’t seem to find one that matches my scenario.
The examples I’ve found have a sign-in button that, once clicked, redirects the user to this URL https://login.microsoftonline.com
allowing the user to authenticate.
Upon a successful authentication, the user is redirected back to the initial website.
Although my scenario is somewhat similar, the only difference is that I do not wish to redirect the user to this https://login.microsoftonline.com
page.
If possible, I’d like the user to enter his username/password inside my textboxes and send them to ADAL in order to obtain a token.
As far as I understand, since I’m inside an ASP.NET MVC application, Azure AD is expecting a client_secret
as opposed to a user’s username/password.
In other words, it seems the only way to achieve my task is to:
https://login.microsoftonline.com
page.
I’m not sure if my question makes sense (or not), so feel free to ask for clarification.
Thanks
It is not recommended to use the resource owner password credentials flow in this scenario. It looks more like a phishing site if the users don't trust your web app.
The resource owner password credentials (i.e., username and password) can be used directly as an authorization grant to obtain an access token. The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application), and when other authorization grant types are not available (such as an authorization code).
The redirection to the identity provider is expected when we choose an interactive flow of the OAuth 2 Authorization Framework, because this is how it works!
OAuth 2 Authorization Framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
For more detail about OAuth 2, please refer to the RFC 6749 specification.
In addition, if you are interested in company branding, the article below is also helpful.
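To make the contrast in the answer concrete, here is an added example (not code from the question, the answer, or any Microsoft sample) that builds the messages a web app exchanges with Azure AD's v1 endpoints for the two grants discussed: the authorization code grant with its redirect, and the resource owner password credentials grant. It is written in Python rather than C# because it shows the protocol messages themselves, which are independent of the ASP.NET stack; it runs offline and sends nothing. The tenant, client ID, redirect URI, client secret and the callback URL containing a code are all made-up values for illustration.

```python
"""Added example: the OAuth 2.0 authorization code grant versus the resource owner
password credentials (ROPC) grant, as the HTTP messages a confidential web app
would build for Azure AD's v1 endpoints. Nothing here is sent over the network."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for illustration only; none of these are real identifiers.
TENANT = "contoso.onmicrosoft.com"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://app.example.com/signin-oidc"
RESOURCE = "https://graph.microsoft.com"


def build_authorize_url(state: str) -> str:
    """Step 1 of the authorization code grant: the redirect the questioner wants
    to avoid. The user's browser, not the web app, carries the password to the
    identity provider, so the app never sees it."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "resource": RESOURCE,
        "state": state,
    }
    return f"{AUTHORITY}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: the identity provider redirects back with ?code=...&state=... .
    Reject the response unless state matches what this session issued, so an
    attacker cannot plant a code of their own into the victim's session."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise PermissionError(qs.get("error_description", qs["error"])[0])
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: response is not for this session")
    return qs["code"][0]


def code_grant_token_request(code: str, client_secret: str) -> dict:
    """Step 3: the web app, a confidential client, redeems the code server-side
    with its client_secret. Note what is absent: no username or password."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "resource": RESOURCE,
    }


def ropc_token_request(username: str, password: str, client_secret: str) -> dict:
    """The resource owner password credentials grant the answer advises against:
    the app collects the raw password in its own textboxes and forwards it,
    which is exactly what a phishing page does. A confidential client still
    presents its client_secret in addition to the user's credentials."""
    return {
        "grant_type": "password",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "resource": RESOURCE,
    }


def handles_user_password(token_request: dict) -> bool:
    """True if the app ever held the resource owner's credentials."""
    return "password" in token_request


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(state))
    # Constructed callback, as the identity provider would redirect after sign-in.
    callback = f"{REDIRECT_URI}?code=AQABAAIAAAD_example_code&state={state}"
    code = parse_callback(callback, state)
    print(handles_user_password(code_grant_token_request(code, "app-secret")))
    print(handles_user_password(ropc_token_request("alice@contoso.com", "pw", "app-secret")))
```

The point the two request bodies make is the one the answer makes in prose: with the authorization code grant the redirect is the mechanism that keeps the password out of the web app, while the ROPC body is indistinguishable, from the user's side, from a credential-harvesting form.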