I am developing a client-server application. In the usage of this application, clients and server have the same AD (Active Directory) domain.
I want my server application to authenticate every client by its AD user. That means that when a user runs an instance of the client application, the server should understand which AD user is using this instance of the application and authenticate it. So, the client application must send some information to the server.
One solution is sending the user's AD username. For security reasons, this solution isn't acceptable.
Another solution is sending the user's AD token (which is given to the AD user on logging in to Windows). In this solution the server can check the validity of this token and so it can recognize the client's AD user and authenticate it. Now the problem is that in the implementation of the client application, I don't know how to get the AD token.
I am using C# to implement the client application. Can you please help me with that? Or do you have a better solution for this kind of authentication?
An access token contains claims that you can use in Azure Active Directory B2C (Azure AD B2C) to identify the granted permissions to your APIs. When calling a resource server, an access token must be present in the HTTP request. An access token is denoted as access_token in the responses from Azure AD B2C.
An access token is a tiny piece of code that contains a large amount of data. Information about the user, permissions, groups, and timeframes is embedded within one token that passes from a server to a user's device.
See Get an Azure Active Directory token using a service principal. Register an application with the Azure AD endpoint in Azure portal. Follow the instructions in Quickstart: Register an app with the Azure Active Directory v1.0 endpoint. Alternatively, you can use an app that is already registered.
Access tokens enable clients to securely call protected web APIs, and are used by web APIs to perform authentication and authorization. Per the OAuth specification, access tokens are opaque strings without a set format - some identity providers (IDPs) use GUIDs, others use encrypted blobs.
The Azure AD middleware has built-in capabilities for validating access tokens, and you can browse through our samples to find one in the language of your choice. There are also several third-party open-source libraries available for JWT validation - there is at least one option for almost every platform and language.
Get the client id/app id and the secret key from the Azure portal and use the code below to get a token. Your directory name can be found by clicking your account on the top right.
```csharp
using System;
// ADAL (v1 API): AuthenticationContext, ClientCredential and AuthenticationException live here.
// Later ADAL versions renamed AuthenticationException to AdalException and AcquireToken to AcquireTokenAsync.
using Microsoft.IdentityModel.Clients.ActiveDirectory;

string clientId = "<application (client) id from the Azure portal>";
string appKey = "<client secret from the Azure portal>";
string tenantName = "yourdirectoryName.OnMicrosoft.com";
string authString = "https://login.microsoftonline.com/" + tenantName;
AuthenticationContext authenticationContext = new AuthenticationContext(authString, false);
// Config for OAuth client credentials: the resulting token represents the registered
// application itself, not the interactively logged-in Windows user.
ClientCredential clientCred = new ClientCredential(clientId, appKey);
string resource = "https://graph.windows.net";
string token = null;
try
{
    AuthenticationResult authenticationResult = authenticationContext.AcquireToken(resource, clientCred);
    token = authenticationResult.AccessToken;   // bearer token to send to the resource server
}
catch (AuthenticationException ex)
{
    Console.ForegroundColor = ConsoleColor.Red;
    Console.WriteLine("Acquiring a token failed with the following error: {0}", ex.Message);
    if (ex.InnerException != null)
    {
        Console.WriteLine("Error detail: {0}", ex.InnerException.Message);
    }
}
```
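The answer above covers acquiring a token on the client; the server side, where the token's signature, issuer, audience and lifetime are checked before the user is trusted, is the part the question actually depends on. The following is an added example (not code from the question or the answer) using the System.IdentityModel.Tokens.Jwt NuGet package; the issuer, audience and RSA signing key are placeholders constructed locally so it runs offline, whereas a real server would load the identity provider's published signing keys.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

// Added example, not code from the question or the answer. Needs the NuGet package
// System.IdentityModel.Tokens.Jwt. Issuer, audience and the signing key are placeholders
// constructed locally so it runs offline; a real server loads the IdP's published keys.
static class TokenValidator
{
    const string Issuer   = "https://login.microsoftonline.com/<tenant-id-placeholder>/v2.0";
    const string Audience = "api://<server-app-id-placeholder>";
    // Server side: accept a bearer token only if it was signed with a trusted key,
    // was issued by the expected tenant for this API, and is inside its validity window.
    public static ClaimsPrincipal Validate(string rawToken, SecurityKey trustedKey)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = trustedKey,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            RequireSignedTokens = true,           // unsigned ("alg": "none") tokens are refused
            ClockSkew = TimeSpan.FromMinutes(2),
        };
        return new JwtSecurityTokenHandler().ValidateToken(rawToken, parameters, out _);
    }

    // Stand-in for the identity provider: mints a token the way the IdP would.
    static string Issue(RsaSecurityKey key, string audience, string user)
    {
        var creds = new SigningCredentials(key, SecurityAlgorithms.RsaSha256);
        var token = new JwtSecurityToken(Issuer, audience, new[] { new Claim("preferred_username", user) },
            DateTime.UtcNow, DateTime.UtcNow.AddMinutes(10), creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    static void Main()
    {
        var key = new RsaSecurityKey(RSA.Create(2048));   // constructed test key, never reuse
        var principal = Validate(Issue(key, Audience, "alice@example.com"), key);
        Console.WriteLine("Accepted user: " + principal.FindFirst("preferred_username")?.Value);
        // A token minted for a different API is rejected even though its signature is valid.
        try { Validate(Issue(key, "api://another-service", "alice@example.com"), key); }
        catch (SecurityTokenInvalidAudienceException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```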