I have a mobile app which gets a token directly from Azure login. And I have a service which is using adal4j in Spring Boot. I cannot use the mobile-generated token to authenticate to the Spring service, because I use two different Azure app registrations for the mobile app and the web service. Is there a way to accomplish this?
3 Answers
Yes, the OAuth 2.0 on-behalf-of flow should apply to your scenario. These steps constitute the On-Behalf-Of flow.

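What the on-behalf-of exchange looks like on the Spring side with adal4j, as an added example that is not part of the answer above or of the asker's service. It assumes the incoming bearer token was issued for this Web API (its aud is the Web API registration, not the mobile app's) and has already been validated by the service; the controller then trades it for a token to a downstream resource using the Web API's own client secret. The authority, app ids, environment variable, downstream resource and all class names are placeholders. adal4j is end-of-life; in MSAL4J the same exchange is OnBehalfOfParameters, but the shape is identical.

```java
// Added example, not code from the question or answers. Assumes Spring Boot
// with adal4j 1.6.x on the classpath; every value below is a hypothetical placeholder.
package example.obo;

import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;
import com.microsoft.aad.adal4j.UserAssertion;

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import javax.annotation.PreDestroy;

import org.springframework.http.HttpHeaders;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class OnBehalfOfController {

    // Hypothetical values; load them from configuration in a real service.
    private static final String AUTHORITY = "https://login.microsoftonline.com/<tenant-id>/";
    private static final String WEB_API_CLIENT_ID = "<web-api-app-id>";
    private static final String WEB_API_SECRET = System.getenv("WEB_API_CLIENT_SECRET");
    // The downstream resource this Web API calls as the user, e.g. Microsoft Graph.
    private static final String DOWNSTREAM_RESOURCE = "https://graph.microsoft.com";

    private final ExecutorService executor = Executors.newFixedThreadPool(2);

    @GetMapping("/me/downstream")
    public String callDownstream(@RequestHeader(HttpHeaders.AUTHORIZATION) String authorization)
            throws Exception {
        String incomingToken = extractBearer(authorization);
        // Precondition: the resource-server filter has already checked signature, issuer,
        // expiry and that aud == this Web API. Never run OBO on an unvalidated token;
        // Azure AD also rejects the exchange if the assertion's aud is a different app.
        AuthenticationResult result = exchangeOnBehalfOf(incomingToken);
        // result.getAccessToken() is now a Bearer token for DOWNSTREAM_RESOURCE.
        return "downstream token expires at " + result.getExpiresOnDate();
    }

    AuthenticationResult exchangeOnBehalfOf(String userAccessToken) throws Exception {
        AuthenticationContext ctx = new AuthenticationContext(AUTHORITY, true, executor);
        // The user's token for *this* API becomes the assertion; the Web API proves its
        // own identity with its client secret (the native app has no secret to do this).
        UserAssertion assertion = new UserAssertion(userAccessToken);
        ClientCredential credential = new ClientCredential(WEB_API_CLIENT_ID, WEB_API_SECRET);
        Future<AuthenticationResult> future =
                ctx.acquireToken(DOWNSTREAM_RESOURCE, assertion, credential, null);
        return future.get();
    }

    // Strict parse of "Authorization: Bearer <token>"; rejects other schemes and empty tokens.
    static String extractBearer(String authorizationHeader) {
        if (authorizationHeader == null
                || !authorizationHeader.regionMatches(true, 0, "Bearer ", 0, 7)) {
            throw new IllegalArgumentException("missing or malformed Authorization header");
        }
        String token = authorizationHeader.substring(7).trim();
        if (token.isEmpty()) {
            throw new IllegalArgumentException("empty bearer token");
        }
        return token;
    }

    @PreDestroy
    void shutdown() {
        executor.shutdown();
    }
}
```

The important detail for the question as asked: OBO only works once the mobile app's token already names this Web API as its audience. It does not turn a token issued for the mobile registration into one the service can accept; that part is fixed by the registration changes in the next answer.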
My understanding is that you have created 2 Enterprise Applications in Azure: 1) an Enterprise Application for your mobile app (Type: Native), 2) an Enterprise Application for your Web API app (Type: WebAPI).
For the native app you will not need a client secret, but you will need a client secret for the Web API app.
Now coming to the key configurations: in both of these, please update the manifest file to have oauth2AllowImplicitFlow set to true. Also, in your Web API Enterprise Application, please have the app id of your native app in the known client apps: "knownClientApplications": ["
Now, when calling your Web API through an endpoint from the native application, pass your token in your request header as "Authorization": "Bearer "
Also note: if you need to retrieve group claims, please update the manifest in both your enterprise apps to have the following setting for this property: "groupMembershipClaims": "SecurityGroup"
Update: under Permissions in the native app, please add the Web API app registration to allow access.

I also selected required permissions for the native app and pointed them at the web API registration, and it worked. – chan4lk Mar 14 '19 at 19:58
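The receiving side of the setup described in this answer, as an added example that is neither the answerer's nor the asker's code: once the native app requests a token for the Web API resource and sends it as "Authorization: Bearer", the Spring service has to verify signature, issuer, expiry and, above all, that the aud claim is the Web API registration. It assumes Spring Boot 2.x with spring-boot-starter-oauth2-resource-server (Spring Security 5.3 or later) rather than adal4j, which does not validate tokens; v1 (ADAL) token issuer and JWKS URLs for the tenant; and placeholder tenant and app ids.

```java
// Added example, not from the question or answers. Assumes Spring Boot 2.x with
// spring-boot-starter-oauth2-resource-server; tenant id, app id and URLs are placeholders.
package example.resourceserver;

import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    private static final String TENANT_ID = "<tenant-id>";
    // v1 (ADAL) access tokens carry this issuer form; signing keys come from the
    // tenant's discovery endpoint and are cached by the decoder.
    private static final String ISSUER = "https://sts.windows.net/" + TENANT_ID + "/";
    private static final String JWK_SET_URI =
            "https://login.microsoftonline.com/" + TENANT_ID + "/discovery/keys";
    // What the mobile app must ask for as the resource: the Web API's App ID URI,
    // or its application (client) id. A token for any other aud is refused.
    private static final List<String> ACCEPTED_AUDIENCES =
            Arrays.asList("api://<web-api-app-id>", "<web-api-app-id>");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(jwtDecoder())));
    }

    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        // Default validator: exp/nbf with clock skew, plus the iss check.
        OAuth2TokenValidator<Jwt> issuerAndTimestamps =
                JwtValidators.createDefaultWithIssuer(ISSUER);
        // The audience check is what rejects a token the mobile app obtained for its own
        // registration (or for Graph) instead of for this Web API; Spring does not add it by default.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                "aud", aud -> aud != null && aud.stream().anyMatch(ACCEPTED_AUDIENCES::contains));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTimestamps, audience));
        return decoder;
    }
}
```

With this in place the failure in the question becomes visible as an explicit audience rejection (401) rather than an opaque authentication error, and the fix on the client side is exactly the one the answer gives: request the Web API resource, not the mobile app's own id.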
Azure AD issues a token for a certain resource (which is mapped to an Azure AD app). When we call AcquireToken(), we need to provide a resourceID, only ONE resourceID. The result would have a token that can only be used for the supplied resource (id). There are ways where you could use the same token, but it is not recommended as it complicates operations logging, authentication process tracing, etc. Therefore it is better to look at the other options provided by Azure and the ADAL library. The ADAL library supports acquiring multiple access tokens for multiple resources using a refresh token. This means once a user is authenticated, the ADAL authentication context would be able to generate an access token for multiple resources without authenticating the user again.
Further details here.

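The one-resource-per-token behaviour and the refresh-token route this answer describes, shown with adal4j as an added example that is not the answerer's code. A confidential client redeems an authorization code for a single resource, then uses the refresh token from that result to obtain a second access token for a different resource without sending the user back to sign in. The authority, client id, secret variable, redirect URI and resource identifiers are placeholders; the authorization code is taken from the command line only to keep the example self-contained.

```java
// Added example, not from the question or answers. Assumes adal4j 1.6.x;
// all identifiers below are hypothetical placeholders.
package example.multiresource;

import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;

import java.net.URI;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class MultiResourceTokens {

    private static final String AUTHORITY = "https://login.microsoftonline.com/<tenant-id>/";
    private static final String CLIENT_ID = "<client-app-id>";
    private static final String CLIENT_SECRET = System.getenv("CLIENT_SECRET");
    private static final String WEB_API_RESOURCE = "api://<web-api-app-id>";
    private static final String GRAPH_RESOURCE = "https://graph.microsoft.com";

    // args[0]: authorization code returned to the redirect URI after the user signed in.
    public static void main(String[] args) throws Exception {
        ExecutorService executor = Executors.newSingleThreadExecutor();
        try {
            AuthenticationContext ctx = new AuthenticationContext(AUTHORITY, true, executor);
            ClientCredential cred = new ClientCredential(CLIENT_ID, CLIENT_SECRET);

            // 1. Redeem the code once, for exactly ONE resource. The resulting access token
            //    has aud = WEB_API_RESOURCE and is useless against any other API.
            AuthenticationResult webApi = ctx.acquireTokenByAuthorizationCode(
                    args[0], new URI("https://localhost/callback"), cred, WEB_API_RESOURCE, null).get();

            // 2. The refresh token is not bound to that resource: exchange it for a Graph
            //    token without prompting the user again. aud on this one is Graph.
            AuthenticationResult graph = ctx.acquireTokenByRefreshToken(
                    webApi.getRefreshToken(), cred, GRAPH_RESOURCE, null).get();

            // Azure AD may return a new refresh token with each response; always persist
            // the most recent one (graph.getRefreshToken()), never the first.
            System.out.println("Web API token expires " + webApi.getExpiresOnDate());
            System.out.println("Graph token expires   " + graph.getExpiresOnDate());
        } finally {
            executor.shutdown();
        }
    }
}
```

Treat the refresh token as a credential: it can mint access tokens for every resource the user has consented to, so it belongs in protected storage, not in logs or in the mobile-to-service request.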