Using Azure AD to authenticate public clients to SQL Azure

Azure AD enables access authorization to SQL Azure as an alternative to providing username/password information in the connection string: https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/. It is somewhat analogous to using Windows Authentication when both the client and the database are on a Windows domain network. It is particularly useful on public (non-confidential) clients where storing secrets is inappropriate and…

0

Using Redis as ADAL token cache

Here is a sample TokenCache class implementation using Redis for use with the Active Directory Access Library (ADAL). The library is used for obtaining tokens from Azure AD or AD FS using the OAuth2 protocol. This implementation is intended for web applications acting as OAuth2 or OpenIDConnect clients. Typical use of this class is in the…

0

Single SignOn is easy, Single Signout is not

Single Sign In relies on the token issuer holding on to a cookie, which tells it about the user identity after the first signin. The issuer can then respond to a new signin request in whatever protocol it comes in (WSFed, SAML, OpendIDConnect, etc.). Single Signout requires that the token server holds both a list…

0

Azure AD client certificate rollover

This Azure AD sample shows how to use OAuth2 Client Credential flow with an X509 certificate for authentication. Here is a procedure I use to periodically rollover the certificates. In order to maintain continuous ability to authenticate a client you will want to define at least two certificates so that as you replace one, the other…

0

Changing user password in Azure AD using GraphAPI

The following pertains to a very specific scenario: You use Azure AD for some applications (e.g. Office365), but… …one of your applications does NOT use Azure AD (yet). It has its own authentication store and method (e.g. forms authn). However, you want to keep the application’s credentials in sync with AAD. Basically, allow same signon…

2

Passive is good!

Some time back I wrote about avoiding handling of credentials (creation/maintenance/verification of user names, passwords, pins, etc.) in your own application code, but rather delegating that functionality to a specialized, external identity provider (IdP; http://blogs.msdn.com/b/mrochon/archive/2014/12/02/should-an-application-handle-user-credentials.aspx). This aversion should apply to even collection of credentials (e.g. asking the user for user name/password). Even that role should be delegated…

0

Using OAuth2 with SOAP

I started at Microsoft when SOAP was all the rage, before there was such a thing as WCF. So it is with some nostalgia that I tried to combine one of latest technologies: Universal App Platform (UAP) with SOAP using OAuth2 protocol for authentication. One possible application of this approach would be for folks who…

0

ServiceBus, Azure AD, OAuth and Shared Access Signature

Most Service Bus examples use symmetric keys directly in applications needing access to the ServiceBus, usually as part of the connection string. That approach does not work so well with widely distributed applications, e.g. desktop or mobile apps. Another important Azure service becomes very useful here: Azure Active Directory. One of the goals of AAD is to provide role and…

0

Should an application handle user credentials?

I think the answer is ‘no’ or ‘only under special circumstances’ (see Exceptions below) but would be interested in your comments. By ‘own credential management’ I mean have own store of user names AND passwords and code to challenge users for the credentials, create them, reset passwords, etc. The alternative I am recommending is for the application to use…

0