This repository has been archived by the owner on Jun 30, 2023. It is now read-only.

Acquiring tokens with username and password

Jean-Marc Prieur edited this page Feb 28, 2019 · 12 revisions

Important. There is currently a bug on the service side affecting users whose passwords have URL-unfriendly characters. For details, see "Error in token acquisition when password contains special characters" (#1492).

For historical reasons, ADAL.NET supports the username and password flow on some platforms (.NET Framework).

Using username and password is not recommended

In general, Microsoft does not advise customers to use it, as it is less secure than the other flows and is not compatible with conditional access. If the resource requires conditional access, the call to AcquireTokenSilent will just fail: because this is not an interactive flow, the STS does not have an opportunity to present a dialog telling the user that multi-factor authentication is required.

For more information about why you want to avoid using this grant, you can, for instance, read the following article, which explains why Microsoft is working to make passwords a thing of the past.

Getting a token with a username and password (.NET Framework only)

You can get a token with a username and password by calling the same override as for Integrated Windows Authentication. You need to instantiate a UserPasswordCredential and use the corresponding override of AcquireTokenAsync:

result = await context.AcquireTokenAsync(resource, clientId, new UserPasswordCredential("john@contoso.com", johnsPassword));


Note that this method is not part of the AuthenticationContext class; it is an AcquireTokenAsync extension method of the AuthenticationContextIntegratedAuthExtensions class. In addition to the resource and the clientId of the public client application, this extension method takes an instance of UserCredential, which in the case of username/password is an instance of UserPasswordCredential.
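The call above in context, as an added example that is not code from the ADAL.NET project: it takes the password as a SecureString and handles the case described earlier, where the STS cannot prompt the user. The authority, resource and client id are placeholders, the class and method names are hypothetical, and the "interaction_required" error code is an assumption about how the STS reports that case.

```csharp
using System;
using System.Security;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

static class UsernamePasswordTokenSample // hypothetical name
{
    // Placeholder values (assumptions): use your own tenant, resource and client id.
    const string Authority = "https://login.microsoftonline.com/contoso.com";
    const string Resource = "https://graph.microsoft.com";
    const string ClientId = "00000000-0000-0000-0000-000000000000";

    // Returns the token result, or null when the STS needs to interact with the
    // user (for example multi-factor authentication under conditional access).
    public static async Task<AuthenticationResult> TryAcquireAsync(
        string userName, SecureString password)
    {
        var context = new AuthenticationContext(Authority);

        // The SecureString constructor avoids holding the password in a managed string.
        var credential = new UserPasswordCredential(userName, password);

        try
        {
            // Binds to the extension method defined in
            // AuthenticationContextIntegratedAuthExtensions (.NET Framework only).
            return await context.AcquireTokenAsync(Resource, ClientId, credential);
        }
        catch (AdalServiceException ex) when (ex.ErrorCode == "interaction_required")
        {
            // Assumption: the STS reports a required prompt with this OAuth error code.
            // This flow cannot show a dialog, so the caller must switch to an
            // interactive flow instead of retrying with the same credentials.
            Console.Error.WriteLine("User interaction required; use an interactive flow.");
            return null;
        }
        catch (AdalServiceException ex)
        {
            // Log the error code and HTTP status only, never the user name or password.
            Console.Error.WriteLine(
                $"Token request rejected: {ex.ErrorCode} (HTTP {ex.StatusCode})");
            throw;
        }
    }
}
```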

Using the username/password flow from PowerShell

The username/password override is actually not an override, but an extension method. If you need to use this flow in PowerShell, please see the comments in issue #1130.

Samples illustrating acquiring tokens with ADAL by username/password

| Sample | Description |
| --- | --- |
| active-directory-dotnet-native-headless | A Windows desktop program that demonstrates non-interactive authentication to Azure AD using a username & password and optionally Windows integrated authentication. |