
Azure Active Directory — Authentication OAuth 2.0
Software
Jan 08, 2018
I've been working in the last few weeks on an integration service for a complex system based on Azure. I was trying to find a way to authenticate against Azure Active Directory, basically getting the access token for the subsequent requests to the system without the Microsoft login popup window that is so common in similar cases, like integrations with Facebook or other services. Microsoft Azure Active Directory (AD) already has an authentication library (ADAL), but unfortunately nothing for the language I was using at the moment, Go. Faced with this situation, I was forced to find a solution.

. . .

OAuth 2.0

OAuth 2.0 is an authorization protocol that enables applications to obtain limited access to user accounts on an HTTP service. I will not explain the whole protocol here, just the authorization grant types. OAuth 2.0 defines four of them:

- Password (Resource Owner Password Credentials)
- Client credentials
- Implicit
- Authorization Code

With this information, and to solve my problem, I chose the Password grant. For similar scenarios, when you have trusted first-party or third-party clients, both on the web and in native applications, this offers the final user the best experience. Keep in mind what "trusted" means here: with this grant the user's raw password passes through the client and is sent to the token endpoint, so the grant is only appropriate for clients the user would hand their password to anyway, and it cannot satisfy accounts that require multi-factor authentication.

. . .

Microsoft Azure Active Directory and OAuth 2

At this point I started to look at how to use the Password grant type in Azure AD, and the documentation from Microsoft was not useful. It only focuses on the other grant flows, used in different scenarios, for example:

- Authorization Code for web server applications
- Implicit Grant for native applications
- Client Credentials for service applications

But the Resource Owner Password Credentials grant type is also supported, since version 1.1, in Azure AD. It is also based on plain HTTP requests, but without any URL redirection. So for this specific case, when we have an integration service (for example a Windows service) that has to get information from a trusted target application, this is the best option.

. . .

How to use

To get a token from Azure AD OAuth 2 with this grant, send the following web service request:

    POST https://login.microsoftonline.com/<TenantId>/oauth2/token
    Host: login.microsoftonline.com
    Content-Type: application/x-www-form-urlencoded

where <TenantId> is your tenant (for example "mywebsite.com") and /oauth2/token is the web service path. The request body carries these form parameters:

- grant_type: password
- client_id: the Client Id value from Azure AD
- resource: the App ID URI of the application you want an access token for
- client_secret: the Client Secret value from Azure AD
- username: the user name of a user account in the Azure AD instance
- password: the password of that user account

A successful request returns:

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8

    {
      "token_type": "Bearer",
      "expires_in": "600",
      "expires_on": "1511533698",
      "not_before": "1511533698",
      "resource": "*resource*",
      "access_token": "*token*",
      "refresh_token": "*token*",
      "scope": "user_impersonation"
    }

Finally you have your token to use in your application: send it as "Authorization: Bearer <access_token>" on the requests to the target application, and use the refresh_token to get a new one before expires_on. Both tokens, like the password and client secret you sent, are credentials: keep them out of logs and send the request only over HTTPS.

(Image: result access token example)

Have you ever had this need for something similar, or another approach? Please let me know. I hope this information will be useful for any future development.
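The request above, written out as an added Go example for this page (it is not the author's code and not a Microsoft library): it builds the form body, posts it to the token endpoint, checks the status and decodes the JSON, and refuses to copy the credentials into error messages. Because the real endpoint needs a tenant and live credentials, the block stands up a constructed fake of login.microsoftonline.com with httptest; the client id, client secret, resource URI, the user svc-integration@example.com and its password are all made-up values, and the authority parameter of TokenURL exists only so that fake can be swapped in.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// TokenResponse mirrors the JSON above; the v1 endpoint sends the timestamps as strings.
type TokenResponse struct {
	TokenType    string `json:"token_type"`
	ExpiresIn    string `json:"expires_in"`
	ExpiresOn    string `json:"expires_on"`
	NotBefore    string `json:"not_before"`
	Resource     string `json:"resource"`
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	Scope        string `json:"scope"`
}

// TokenURL builds <authority>/<TenantId>/oauth2/token; authority is a parameter only for the fake below.
func TokenURL(authority, tenant string) string {
	return strings.TrimRight(authority, "/") + "/" + url.PathEscape(tenant) + "/oauth2/token"
}

// ROPCForm builds the x-www-form-urlencoded body for grant_type=password.
func ROPCForm(clientID, clientSecret, resource, username, password string) url.Values {
	return url.Values{
		"grant_type":    {"password"},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
		"resource":      {resource},
		"username":      {username},
		"password":      {password},
	}
}

// RequestToken posts the form and decodes the reply. The form holds the user's password
// and the client secret, so it is never logged or copied into error messages.
func RequestToken(client *http.Client, tokenURL string, form url.Values) (*TokenResponse, error) {
	resp, err := client.Post(tokenURL, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bound what we are willing to parse
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		var te struct { // Azure AD answers 4xx with an error/error_description body
			Error       string `json:"error"`
			Description string `json:"error_description"`
		}
		if json.Unmarshal(body, &te) == nil && te.Error != "" {
			return nil, fmt.Errorf("token request failed: %s: %s", te.Error, te.Description)
		}
		return nil, fmt.Errorf("token request failed: HTTP %d", resp.StatusCode)
	}
	var tr TokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return nil, err
	}
	if tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "Bearer") {
		return nil, fmt.Errorf("token response has no bearer access_token")
	}
	return &tr, nil
}

// NewFakeAAD is a constructed stand-in for login.microsoftonline.com (so the example runs
// offline): it knows one made-up user and otherwise replies 400 with an error body.
func NewFakeAAD() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json; charset=utf-8")
		if r.Method != http.MethodPost || r.ParseForm() != nil || r.PostForm.Get("grant_type") != "password" ||
			r.PostForm.Get("username") != "svc-integration@example.com" ||
			r.PostForm.Get("password") != "correct horse" {
			w.WriteHeader(http.StatusBadRequest)
			fmt.Fprint(w, `{"error":"invalid_grant","error_description":"constructed: bad credentials"}`)
			return
		}
		now := time.Now().Unix()
		fmt.Fprintf(w, `{"token_type":"Bearer","expires_in":"3600","expires_on":"%d","not_before":"%d","resource":"%s",`+
			`"access_token":"eyJ.constructed.token","refresh_token":"constructed-refresh","scope":"user_impersonation"}`, now+3600, now, r.PostForm.Get("resource"))
	}))
}

func main() {
	srv := NewFakeAAD() // in production use TokenURL("https://login.microsoftonline.com", "<TenantId>")
	defer srv.Close()
	form := ROPCForm("client-id", "client-secret", "https://api.example.com", "svc-integration@example.com", "correct horse")
	tok, err := RequestToken(srv.Client(), TokenURL(srv.URL, "mywebsite.com"), form)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Authorization: Bearer %s (expires in %s s)\n", tok.AccessToken, tok.ExpiresIn)
}
```

In a real service the credentials come from configuration or a secret store rather than string literals, the http.Client gets a timeout, and the returned expires_on drives when you call the endpoint again with the refresh token.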
João Marçal
Digital Products Development Manager
