This repository has been archived by the owner on Oct 12, 2023. It is now read-only.

Can't authenticate with Azure AD username and password #5

Closed
jgogstad opened this issue May 23, 2017 · 4 comments

Hi,

Not sure if this belongs here or in the ADAL repository, but it would be great if you could comment on it. I'm able to authenticate with Key Vault with a client_id and client_secret, but not with my own user. The latter is desirable for local dev environments.

Here's the implementation of the doAuthenticate(..) method in KeyVaultCredentials:

import java.net.MalformedURLException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;

// clientId and clientSecret are fields of the enclosing KeyVaultCredentials subclass;
// "myemail" / "mypassword" are placeholders for the user's own credentials.
@Override
public String doAuthenticate(String authorization, String resource, String scope) {
    ExecutorService service = Executors.newFixedThreadPool(1);
    try {
        AuthenticationContext ctx = new AuthenticationContext(authorization, false, service);
        // Username/password (resource owner password credentials) flow: this is the call that fails
        Future<AuthenticationResult> resp = ctx.acquireToken(resource, clientId, "myemail", "mypassword", null);
        // Client credentials flow: this works fine
        // Future<AuthenticationResult> resp = ctx.acquireToken(resource, new ClientCredential(clientId, clientSecret), null);
        return resp.get().getAccessToken();
    } catch (MalformedURLException | InterruptedException | ExecutionException e) {
        throw new RuntimeException(e);
    } finally {
        service.shutdown();
    }
}

A breakpoint in AdalTokenRequest#executeOAuthRequestAndProcessResponse shows the following error from the server:

{
  "error": "invalid_client",
  "error_description": "AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.\r\nTrace ID: eee2fcf6-cbc8-47b7-8361-8c7d7c2a2e00\r\nCorrelation ID: 63bb7f15-b06b-405c-98be-4092afbde6cb\r\nTimestamp: 2017-05-23 09:11:27Z",
  "error_codes": [
    70002
  ],
  "timestamp": "2017-05-23 09:11:27Z",
  "trace_id": "eee2fcf6-cbc8-47b7-8361-8c7d7c2a2e00",
  "correlation_id": "63bb7f15-b06b-405c-98be-4092afbde6cb"
}
jgogstad (Author) commented May 23, 2017

Note that this is exactly the same scenario as in the ADAL samples: https://github.com/AzureAD/azure-activedirectory-library-for-java/blob/dev/src/samples/public-client-app-sample/src/main/java/PublicClient.java. The only difference is the authority (I tried using the one from the samples with no luck).

pomortaz assigned pomortaz and RandalliLama and unassigned pomortaz on May 23, 2017
RandalliLama (Contributor) commented May 23, 2017

It looks like you have registered your app as a confidential client (web app or web api). You cannot authenticate with username and password when the app is a confidential client. Only public clients, sometimes known as native clients, can do U/P authentication.

In general, U/P auth is discouraged. See this StackOverflow answer for a bit more detail.
https://stackoverflow.com/questions/28580848/how-to-authenticate-user-with-azure-active-directory-using-oauth-2-0/28597758#28597758
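The distinction drawn in the comment above, as an added example that is not part of the issue, of ADAL4J or of the Key Vault SDK: the form body behind each of the two acquireToken() calls in the posted doAuthenticate(), and a parser for the Azure AD token-endpoint error body that turns the AADSTS70002 response quoted in the issue into a "registered as a confidential client" diagnosis instead of the bare RuntimeException the posted code throws. The request field names are those of the Azure AD v1 /oauth2/token endpoint; the sample error JSON is constructed from the body quoted in the issue, and the AADSTS50126 (invalid username or password) mapping is not on the page and is included as an assumption.

```python
"""Added example (not the issue's or ADAL4J's code): the two token requests
behind the two acquireToken() overloads, plus a parser/classifier for the
Azure AD token-endpoint error body."""
import json
import re
from urllib.parse import urlencode

# Constructed sample input: the error body quoted in the issue.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_client",
    "error_description": (
        "AADSTS70002: The request body must contain the following parameter: "
        "'client_secret or client_assertion'.\r\n"
        "Trace ID: eee2fcf6-cbc8-47b7-8361-8c7d7c2a2e00\r\n"
        "Correlation ID: 63bb7f15-b06b-405c-98be-4092afbde6cb\r\n"
        "Timestamp: 2017-05-23 09:11:27Z"
    ),
    "error_codes": [70002],
    "timestamp": "2017-05-23 09:11:27Z",
    "trace_id": "eee2fcf6-cbc8-47b7-8361-8c7d7c2a2e00",
    "correlation_id": "63bb7f15-b06b-405c-98be-4092afbde6cb",
})


def password_grant_body(resource, client_id, username, password):
    """Form body of the v1-endpoint resource owner password credentials (ROPC)
    grant that acquireToken(resource, clientId, username, password, cb) sends.
    No client secret is present: Azure AD only accepts this grant for a
    public (native) client registration."""
    return urlencode({
        "grant_type": "password",
        "resource": resource,
        "client_id": client_id,
        "username": username,
        "password": password,
    })


def client_credentials_body(resource, client_id, client_secret):
    """Form body of the client_credentials grant that
    acquireToken(resource, new ClientCredential(clientId, clientSecret), cb)
    sends; this is the confidential-client path and carries the secret."""
    return urlencode({
        "grant_type": "client_credentials",
        "resource": resource,
        "client_id": client_id,
        "client_secret": client_secret,
    })


# "AADSTS<code>: <message>" is the first line of error_description.
_AADSTS = re.compile(r"AADSTS(\d+):\s*(.*?)(?:\r?\n|$)")


def parse_token_error(body):
    """Parse an Azure AD token-endpoint error body (JSON string) into a flat
    dict: OAuth error, numeric AADSTS code, message, and the trace/correlation
    IDs needed for a support case. Falls back to the "Key: value" lines inside
    error_description when the top-level fields are absent."""
    obj = json.loads(body)
    desc = obj.get("error_description", "")
    m = _AADSTS.match(desc)
    from_desc = dict(
        line.split(": ", 1) for line in re.split(r"\r?\n", desc)[1:] if ": " in line
    )
    return {
        "error": obj.get("error"),
        "code": int(m.group(1)) if m else None,
        "message": m.group(2).strip() if m else desc.strip(),
        "trace_id": obj.get("trace_id") or from_desc.get("Trace ID"),
        "correlation_id": obj.get("correlation_id") or from_desc.get("Correlation ID"),
        "timestamp": obj.get("timestamp") or from_desc.get("Timestamp"),
    }


def diagnose(parsed, grant_type):
    """Map a parsed error to an actionable cause for the grant that was tried."""
    code = parsed["code"]
    if code == 70002 and grant_type == "password":
        # The server demands client_secret/client_assertion on a password grant,
        # i.e. the app registration is a confidential client (Web app / Web API).
        return ("confidential_client",
                "Register the app as a public (native) client, or use the "
                "client_credentials grant with the app's own secret.")
    if code == 50126:  # assumption: AADSTS50126 = invalid username or password
        return ("bad_credentials", "Check the user name and password.")
    return ("unknown", "See trace_id %s / correlation_id %s"
            % (parsed["trace_id"], parsed["correlation_id"]))


if __name__ == "__main__":
    parsed = parse_token_error(SAMPLE_ERROR)
    print(parsed["code"], diagnose(parsed, "password"))
```

The two request builders make the difference visible on the wire: the password grant never carries a secret, which is exactly why a registration that requires one (a confidential client) rejects it with AADSTS70002, while the client_credentials grant succeeds. Catching ExecutionException in doAuthenticate() and running the wrapped AuthenticationException's message through parse_token_error()/diagnose() gives a developer the "change the registration to native client" answer directly.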

jgogstad (Author) commented

Thanks for the advice and URLs. You're absolutely right about the application being registered as "Web app / Web API". Changing to native client solved the issue.

manoj1201 commented

> It looks like you have registered your app as a confidential client (web app or web api). You cannot authenticate with username and password when the app is a confidential client. Only public clients, sometimes known as native clients, can do U/P authentication.
>
> In general, U/P auth is discouraged. See this StackOverflow answer for a bit more detail.
> https://stackoverflow.com/questions/28580848/how-to-authenticate-user-with-azure-active-directory-using-oauth-2-0/28597758#28597758

Thanks for your advice, it really solved the auth issue. Cheers.
