services | platforms | endpoint | page_type | languages | author | products | description | urlFragment | |||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
active-directory |
Java |
Microsoft identity platform |
sample |
|
ramya25 |
|
This sample demonstrates how to use MSAL4J to sign-in users using windows Integrated Auth (WIA) in apps that run on a domain joined or AAD joined Windows machine. |
Integrated-Windows-Auth-Flow |
Invoking an API protected by Microsoft identity platform with users signed-in with Integrated Windows Authentication, on a Windows domain joined or AAD joined machine
This sample demonstrates how to use MSAL4J for apps running on a domain joined or AAD joined Windows machine that wish to authenticate using Windows Integrated Authentication It enables these apps to:
- Authenticate the user signed-in on the Windows machine
- Call a web API (in this case, the Microsoft Graph)
If you would like to get started immediately, skip this section and jump to How To Run The Sample.
The application obtains tokens through Integrated Windows Authentication (Kerberos):
- Developers who wish to gain good familiarity of programming for Microsoft Graph are advised to go through the An introduction to Microsoft Graph for developers recorded session.
To run this sample, you'll need:
- Working installation of Java and Maven
- An Azure Active Directory (Azure AD) tenant. For more information on how to get an Azure AD tenant, see How to get an Azure AD tenant
- One or more user accounts in your Azure AD tenant.
To successfully use this sample, you need a working installation of Java and Maven.
From your shell or command line:
git clone https://github.com/Azure-Samples/ms-identity-java-desktop.git
cd "Integrated-Windows-Auth-Flow"
or download and extract the repository .zip file.
To register the project, you can follow the steps in the paragraphs below:
As a first step you'll need to:
- Sign in to the Azure portal using either a work or school account or a personal Microsoft account.
- If your account is present in more than one Azure AD tenant, select your profile at the top right corner in the menu on top of the page, and then switch directory. Change your portal session to the desired Azure AD tenant.
- In the portal menu, select the Azure Active Directory service, and then select App registrations.
In the next steps, you might need the tenant name (or directory name) or the tenant ID (or directory ID). These are presented in the Properties of the Azure Active Directory window respectively as Name and Directory ID
-
Navigate to the Microsoft identity platform for developers App registrations page.
-
Select New registration.
- In the Name section, enter a meaningful application name that will be displayed to users of the app, for example
iwa-console
. - In the Supported account types section, select Accounts in any organizational directory.
- Click Register button at the bottom to create the application.
- In the Name section, enter a meaningful application name that will be displayed to users of the app, for example
-
On the application Overview page, find the Application (client) ID and Directory (tenant) ID values and record it for later. You'll need it to configure the configuration file(s) later in your code.
-
In the list of pages for the app, select Manifest, and:
- In the manifest editor, set the allowPublicClient property to true
- Select Save in the bar above the manifest editor.
-
In the list of pages for the app, select API permissions
- Click the Add a permission button and then,
- Ensure that the Microsoft APIs tab is selected
- In the Commonly used Microsoft APIs section, click on Microsoft Graph
- In the Delegated permissions section, ensure that the right permissions are checked: User.Read, User.ReadBasic.All. Use the search box if necessary.
- Select the Add permissions button
-
At this stage permissions are assigned correctly but the client app does not allow interaction. Therefore no consent can be presented via a UI and accepted to use the service app. Click the Grant/revoke admin consent for {tenant} button, and then select Yes when you are asked if you want to grant consent for the requested permissions for all account in the tenant. You need to be an Azure AD tenant admin to do this.
- Open the
src\main\resources\application.properties
file - Set the
CLIENT_ID
property to the client ID value you recorded earlier - Set the
USER_NAME
property to yourWindows signed-in user ID
From your shell or command line:
$ mvn clean compile assembly:single
This will generate a public-client-integrated-windows-authentication-sample-1.0.0.jar
file in your /targets directory. Run this using your Java executable like below:
$ java -jar public-client-integrated-windows-authentication-sample-1.0.0.jar
Simply run the .jar file as described in step 5 or run the main method of IntegratedWindowsAuthFlow.java
in your IDE to watch the sample acquire a token for the user you configured.
The code to acquire a token is located entirely in src\main\java\IntegratedWindowsAuthFlow.Java
. The public client application is created using the MSAL build pattern, by passing the Application ID, an authority, and an implementation of the token cache interface.
PublicClientApplication pca = PublicClientApplication.builder(clientId)
.authority(authority)
.setTokenCacheAccessAspect(tokenCacheAspect)
.build();
A call to acquire the token is first made using the public client application, by creating a SilentParameters
object to send to the application's acquireTokenSilently()
method. The SilentParameters
builder takes in an account (taken from the token cache) and a set of scopes. acquireTokenSilently()
retrieves that account's token from the cache if one exists and isn't expired. If the token is expired, an attempt to retireve a new token is made if the cache contains a refresh token.
If there is no token in the cache for the given account or some issue occurs when trying to use a refresh token, the code falls back to the username/password flow described below
SilentParameters silentParameters =
SilentParameters
.builder(scope)
.account(account)
.build();
result = pca.acquireTokenSilently(silentParameters).join();
A call to acquire the token is first made using the public client application, by creating an IntegratedWindowsAuthenticationParameters
object to send to the application's acquireToken()
method. The IntegratedWindowsAuthenticationParameters
builder takes in the username of a user and a set of scopes. acquireToken()
attempts to acquires a token from the authority configured in the application via the Integrated Windows Authentication flow.
IntegratedWindowsAuthenticationParameters parameters =
IntegratedWindowsAuthenticationParameters
.builder(scope, username)
.build();
result = pca.acquireToken(parameters).join();
Use Stack Overflow to get support from the community.
Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before.
Make sure that your questions or comments are tagged with [msal
java
].
If you find a bug in the sample, please raise the issue on GitHub Issues.
To provide a recommendation, visit the following User Voice page.
If you'd like to contribute to this sample, see CONTRIBUTING.MD.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
For more information, see MSAL4J conceptual documentation.
-
Quickstart: Configure a client application to access web APIs
-
About how OAuth 2.0 protocols work in this scenario and other scenarios, see Authentication Scenarios for Azure AD.
-
Customizing Token cache serialization (was not done in this sample, but you might want to add a serialized cache)
For more information about the Microsoft identity platform endpoint see: