Acquiring tokens with username and password
Important. There is currently a bug on the service side affecting users whose passwords have URL-unfriendly characters. For details see Error in token acquisition when password contains special characters #1492.

For historical reasons, ADAL.NET supports the username and password flow on some platforms (.NET Framework).

In general, Microsoft does not advise customers to use it, as it is less secure than the other flows and it is not compatible with conditional access. If the resource requires conditional access, the call to `AcquireTokenSilent` will simply fail: because this is not an interactive flow, the STS has no opportunity to present a dialog telling the user that multi-factor authentication is required.

For more information about why you should avoid this grant, you can, for instance, read the following article, which explains why Microsoft is working to make passwords a thing of the past.
You can get a token with a username and password by calling the same override as for integrated Windows authentication. You need to instantiate a `UserPasswordCredential` and use the corresponding override of `AcquireTokenAsync`:

```csharp
AuthenticationResult result = await context.AcquireTokenAsync(
    resource, clientId, new UserPasswordCredential("john@contoso.com", johnsPassword));
```
Note that this method is not available as part of the `AuthenticationContext` class, but as an `AcquireTokenAsync` extension method of the `AuthenticationContextIntegratedAuthExtensions` class. This extension method takes as a parameter, in addition to the resource and clientId of the public client application, an instance of `UserCredential`, which, in the case of username/password, is in fact an instance of `UserPasswordCredential`.

The username/password override is actually not an override, but an extension method. If you need to use this flow in PowerShell, please see the comments in issue #1130.
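
The conditional access limitation described above can be handled explicitly. The following is an added example, not code from the ADAL.NET wiki or samples: it tries the username/password extension method and, when the STS answers `interaction_required`, falls back to the interactive flow on .NET Framework. The authority, resource, client ID and redirect URI are placeholder assumptions, and the class and method names are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

static class UsernamePasswordWithFallback
{
    // Placeholder values (assumptions): substitute your own tenant, resource and app registration.
    const string Authority = "https://login.microsoftonline.com/contoso.com";
    const string Resource = "https://graph.microsoft.com";
    const string ClientId = "<application-id-of-your-public-client>";
    static readonly Uri RedirectUri = new Uri("urn:ietf:wg:oauth:2.0:oob");

    public static async Task<AuthenticationResult> AcquireAsync(string userName, string password)
    {
        var context = new AuthenticationContext(Authority);
        try
        {
            // Non-interactive call: the STS cannot prompt the user, so a policy
            // that needs a prompt (for example MFA) makes this call throw.
            return await context.AcquireTokenAsync(
                Resource, ClientId, new UserPasswordCredential(userName, password));
        }
        catch (AdalServiceException ex) when (ex.ErrorCode == AdalError.InteractionRequired)
        {
            // The STS asked for user interaction. Switch to the interactive flow
            // so the user can satisfy the policy in a sign-in dialog.
            Console.Error.WriteLine(
                $"Interaction required (HTTP {ex.StatusCode}); switching to interactive sign-in.");
            return await context.AcquireTokenAsync(
                Resource, ClientId, RedirectUri, new PlatformParameters(PromptBehavior.Auto));
        }
        catch (AdalServiceException ex)
        {
            // Log the error code only, never the password or the raw request.
            Console.Error.WriteLine($"Token request rejected: {ex.ErrorCode} (HTTP {ex.StatusCode})");
            throw;
        }
    }
}
```

A headless process with no desktop session cannot show the interactive dialog; in that case treat `interaction_required` as a hard failure and report it instead of falling back.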
| Sample | Description |
|---|---|
| active-directory-dotnet-native-headless | A Windows desktop program that demonstrates non-interactive authentication to Azure AD using a username & password and, optionally, Windows integrated authentication. |