Trying to get clarity as to if the current v2.0 endpoint supports the Daemons and server-side apps flow.
This article talks about the flows: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-flows
It states:
This article describes the types of apps that you can build by using Azure AD v2.0, regardless of your preferred language or platform. The information in this article is designed to help you understand high-level scenarios before you start working with the code.
Further it states:
Currently, the types of apps in this section are not supported by the v2.0 endpoint, but they are on the roadmap for future development. For additional limitations and restrictions for the v2.0 endpoint
In the end I'm trying to build an app that connects to the Graph API that on a schedule connects to the API with "credentials" that allow it to access the API on behalf of a user that has allowed it to.
In my test harness I can get a token using:
var pca = new PublicClientApplication(connector.AzureClientId)
{
RedirectUri = redirectUrl
};
var result = await pca.AcquireTokenAsync(new[] {"Directory.Read.All"},
(Microsoft.Identity.Client.User) null, UiOptions.ForceLogin, string.Empty);
In the same harness I cannot get a token using:
var cca = new ConfidentialClientApplication(
connector.AzureClientId,
redirectUrl,
new ClientCredential(connector.AzureClientSecretKey),
null) {PlatformParameters = new PlatformParameters()};
var result = await cca.AcquireTokenForClient(new[] { "Directory.Read.All" }, string.Empty);
This will result in:
Exception thrown: 'Microsoft.Identity.Client.MsalServiceException' in mscorlib.dll
Additional information: AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope Directory.Read.All is not valid. Trace ID: dcba6878-5908-44a0-95f3-c51b0b4f1a00 Correlation ID: 1612e41a-a283-4557-b462-09653d7e4c21 Timestamp: 2017-04-10 20:53:05Z
The MSAL package, Microsoft.Identity.Client (1.0.304142221-alpha), has not been updated since April 16, 2016. Is that even the package I should be using?
Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.
v2.0. Authenticate a broader set of Microsoft identities through what has been known as the Azure AD v2. 0 endpoint, using Microsoft Authentication Library (MSAL), Azure portal, and Microsoft Graph API.
The OAuth 2.0 is the industry protocol for authorization. It allows a user to grant limited access to its protected resources. Designed to work specifically with Hypertext Transfer Protocol (HTTP), OAuth separates the role of the client from the resource owner.
A daemon application requires its own identity. This type of application requests an access token by using its application identity and presenting its application ID, credential (password or certificate), and application ID URI to Azure AD.
When using client credentials flow with Azure AD V2.0 , the value passed for the scope
parameter in this request should be the resource identifier (Application ID URI) of the resource you want, affixed with the .default
suffix. For the Microsoft Graph example, the value is https://graph.microsoft.com/.default.
Please click here for more details . And here is a tutorial for using client credentials flow with Azure AD V2.0 endpoint.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With