
I have to fetch the group members from Azure Active Directory using the Microsoft Graph API. For that I need an authorization token. I have a method in .NET that authenticates to an API as a user, and I am using the UserPasswordCredential method to fetch an access token (by passing username and password).

    using System;
    using System.Configuration;
    using System.Globalization;
    using System.Windows;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;   // ADAL.NET

    // Authority and Graph settings are read from App.config.
    private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
    private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
    private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static string graphResourceId = ConfigurationManager.AppSettings["ida:GraphResourceId"];
    private static string graphApiVersion = ConfigurationManager.AppSettings["ida:GraphApiVersion"];
    private static string graphApiEndpoint = ConfigurationManager.AppSettings["ida:GraphEndpoint"];
    private static string appKey = ConfigurationManager.AppSettings["ida:appKey"];
    // aadInstance is a format string (e.g. "https://login.microsoftonline.com/{0}") into which the tenant is substituted.
    private static string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
    private Uri redirectUri = new Uri(ConfigurationManager.AppSettings["ida:RedirectUri"]);
    private AuthenticationContext authContext = null;
    private ClientCredential clientCredential = null;

    public MainWindow()
    {
        InitializeComponent();
        authContext = new AuthenticationContext(authority);
        clientCredential = new ClientCredential(clientId, appKey);
        CheckForCachedToken();
    }

    // Acquires a Graph token with the username/password (resource owner password) flow:
    // the application collects the user's password itself and sends it to Azure AD.
    public async void GetToken()
    {
        AuthenticationResult result = null;
        try
        {
            // ADAL 3.x: UserPasswordCredential carries username + password
            // (UserCredential carries only the username; ADAL 2.x had a two-argument UserCredential).
            UserPasswordCredential uc = new UserPasswordCredential("username", "password");
            result = await authContext.AcquireTokenAsync(graphResourceId, clientId, uc);
        }
        catch (AdalException ex)
        {
            if (ex.ErrorCode != "user_interaction_required")
            {
                MessageBox.Show(ex.Message);
            }
            return;
        }
    }

But when I upgraded the solution to .NET Core, this broke, i.e. the UserPasswordCredential class is not supported in .NET Core. Is there any workaround for this?

Jayendran
Noman Fareed
  • Basically this flow is not recommended as it does not work in a lot of cases and also exposes the password to your app, kind of diminishing the usefulness of federated authentication. Modern apps should be using other flows like authorization code/client credentials/device code. – juunas Nov 16 '18 at 08:50

1 Answer


In .NET Core this is not supported by design. Hardcoding the username and the password is not a recommended way to authenticate to Azure AD. In most cases the login will happen via login.live.com, or if you use other identity providers like Google, Facebook etc. it would be their login page.

It looks like you are using a Windows application; you can check the options for it.

Samples for various authentication options are available for reference.

A token-based authentication flow is a good way to do this. The whole point of going away from the username/password option is that if your application handles the username or password in some way, it is not safe. That is why it is left as the identity provider's responsibility to do that. In case you don't want to do it this way you can check the App-only option: Is a browser required for Onedrive/Graph Authentication

You can also see if the usage of the Microsoft Authenticator app is an option. But this is mainly for adding second-factor authentication to your mobile apps.

Aravind
  • Based on the code, this is a public client so Client Credentials flow with app permissions is not the best idea (as the client cannot keep the secret). – juunas Nov 16 '18 at 09:28
  • @juunas If we take a native client/mobile app, the flow will be authentication via browser or webview popup and then onto the web API, which would have already been registered as an application with the AD. And then the AD issues an authorization token on successful authentication, and then the client sends another request with that token, and the AD verifies all details about the client and then sends an access token and refresh token. And all communication is over HTTPS. I mean a code change here, and as well an API has to be introduced. – Aravind Nov 16 '18 at 09:57
  • Sure, it's just that you suggest the app permissions option which implies client credentials, which should not be used from a native app. – juunas Nov 16 '18 at 10:00
  • @Aravind the flow will be the same as you mentioned; the problem is with the first step, acquiring the token without having a browser or pop-up web view. I want this to be done by the .NET Core API programmatically. Once I have the token I can use it with the request to the Microsoft Graph API. – Noman Fareed Nov 16 '18 at 10:17
  • @juunas what I meant by app permissions was registering a web API or the native or mobile app with AAD – Aravind Nov 16 '18 at 10:20
  • @NomanFareed The point is if your application handles username or password in some way it is not safe. That is why it is left for the identity provider's responsibility to do that. In case you don't want to do this way you can check the App only option. https://stackoverflow.com/questions/44959159/is-a-browser-required-for-onedrive-graph-authentication – Aravind Nov 16 '18 at 10:30
  • @NomanFareed, given that you want to query the Microsoft Graph, I would rather recommend you use MSAL.NET. See https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/scenarios for all the possible scenarios and choose the one which is best adapted to your case. For samples: https://aka.ms/aaddevsamplesv2 – Jean-Marc Prieur Nov 16 '18 at 11:44