
Authentication with Azure Active Directory - how to accept user credentials programmatically

Is there any way to log in via a web application or web API to Azure Active Directory (with AD credentials) using my own username and password page which is hosted outside of Azure?

From my investigation it seems there is no programmatic way to send username and password to authenticate users with Azure AD (if you hosted an app outside of Azure). Not sure if they consider this to be a security hole of some sort (I don't think it is if HTTPS is enforced?)

Seems like you can only authenticate users by going through the code grant (which means popping out of our application to sign on to an external site).

Ultimately I want to create a Python Flask API that can authenticate against Azure AD directly if possible. I have done this in the past (with other auth systems) with the OAuth grant_type=password to send username and password, but I don't think this is supported in Azure AD (correct me if I'm wrong?). I know grant_type=client_credentials is supported, but that seems like it's service-to-service auth, which is not quite what I'm after: http://msdn.microsoft.com/en-us/library/azure/dn645543.aspx

If it's not possible to have a login page hosted outside of Azure for this, is it even possible to have one inside of Azure? It seems from the examples here: http://msdn.microsoft.com/en-us/library/azure/bc8af4ff-66e7-4d5b-b3d4-c33d2c55d270#BKMK_Browser that there is no custom login page with a password field (only OpenID logins, it seems).

asked Nov 07 '14 05:11

Marty


1 Answer

The Resource Owner Password Credentials Grant (grant_type=password) flow is supported by Azure Active Directory. However, before using it, consider if it is truly required. As it says in the OAuth 2.0 RFC:

The resource owner password credentials (i.e., username and password) can be used directly as an authorization grant to obtain an access token. The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application), and when other authorization grant types are not available (such as an authorization code).

If you have determined that the other supported flows will definitely not work for your scenario, then also be sure to follow the second bit of advice in the RFC:

Even though this grant type requires direct client access to the resource owner credentials, the resource owner credentials are used for a single request and are exchanged for an access token. This grant type can eliminate the need for the client to store the resource owner credentials for future use, by exchanging the credentials with a long-lived access token or refresh token.

(Emphasis added in both cases.)

There's a .NET and ADAL sample on GitHub that uses this flow, and it should be simple enough to implement in Python: https://github.com/AzureADSamples/NativeClient-Headless-DotNet

Edit: You can host your application anywhere you want, it doesn't need to be on Azure. This applies to all flows.

answered Sep 22 '22 23:09

Philippe Signoret
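
The grant_type=password exchange discussed in the answer above, written in Python as an added example; it is not code from the post or from the linked GitHub sample. It assumes the Microsoft identity platform v2.0 token endpoint URL shape, and the `post` parameter is a hypothetical injection point so the exchange can be exercised without network access; tenant, client id and scope are supplied by the caller.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: Microsoft identity platform v2.0 token endpoint URL shape.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


class TokenError(Exception):
    """Raised when the token endpoint rejects the grant."""


def https_post(url, form):
    """Default transport: POST a form body, return (status, parsed JSON)."""
    if not url.startswith("https://"):
        raise ValueError("credentials must only be sent over HTTPS")
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 4xx bodies carry the OAuth error
        return err.code, json.load(err)


def password_grant(tenant, client_id, scope, username, password, post=https_post):
    """Exchange user credentials for tokens (RFC 6749 section 4.3).

    The password is used for this single request and is never stored or
    logged; callers keep only the returned tokens.
    """
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "scope": scope,
        "username": username,
        "password": password,
    }
    url = TOKEN_URL.format(tenant=urllib.parse.quote(tenant, safe=""))
    status, payload = post(url, form)
    if status != 200 or "access_token" not in payload:
        # Surface only the OAuth error code, never the submitted form.
        raise TokenError(payload.get("error", "unknown_error"))
    # Return tokens only; the credentials go out of scope here.
    wanted = ("access_token", "refresh_token", "expires_in")
    return {k: payload[k] for k in wanted if k in payload}
```

A Flask login view would call `password_grant` once per sign-in and keep only the returned tokens in the session, which is the "single request" property the RFC passage quoted in the answer describes.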