-
Notifications
You must be signed in to change notification settings - Fork 137
Device Code Flow
Interactive authentication with Azure AD requires a web browser. However, in the case of devices and operating systems that do not provide a Web browser, Device code flow lets the user use another device (for instance another computer or a mobile phone) to sign-in interactively. By using the device code flow, the application obtains tokens through a two-step process especially designed for these devices/OS. Examples of such applications are applications running on iOT, or Command-Line tools (CLI). The idea is that:
-
Device Code Flow is only available on public client applications
-
The authority passed in the
PublicClientApplicationneeds to be:- tenanted (of the form
https://login.microsoftonline.com/{tenant}/wheretenantis either the guid representing the tenant ID or a domain associated with the tenant. - or any work and school accounts (
https://login.microsoftonline.com/organizations/)
Microsoft personal accounts are not yet supported by the Azure AD v2.0 endpoint (you cannot use /common or /consumers tenants)
- tenanted (of the form
PublicClientApplication app = PublicClientApplication.builder(PUBLIC_CLIENT_ID)
.authority(AUTHORITY)
.build();
Consumer<DeviceCode> deviceCodeConsumer = (DeviceCode deviceCode) -> {
System.out.println(deviceCode.message());
};
CompletableFuture<IAuthenticationResult> future = app.acquireToken(
DeviceCodeFlowParameters.builder(scope, deviceCodeConsumer).build());
future.handle((res, ex) -> {
if(ex != null) {
System.out.println("message - " + ex.getMessage());
return "Unknown!";
}
System.out.println("Access Token - " + res.accessToken());
System.out.println("ID Token - " + res.idToken());
return res;
});
future.join();
In case you want to learn more about Device code flow:
- Home
- Why use MSAL4J
- Register your app with AAD
- Scenarios
- Client Applications
- Acquiring tokens
- IAuthenticationResult
- Calling a protected API