
Comments (7)

jmprieur commented on June 26, 2024

@mukulb82 implicit flow is only implemented for single-page applications, not web apps with a backend (which is what msal4j does, among other things).
You need to use msal.js

See Scenarios and supported platforms and languages

cc: @navyasric

from microsoft-authentication-library-for-java.

mukulb82 commented on June 26, 2024

Hi @jmprieur, thanks for the quick response. I do understand you, and I went through the documentation below as well for the implicit flow (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-openid-connect-oauth-flows-scenarios#implicit-grant-flow), which I now think may not serve our requirement.

So basically I have a requirement to implement a solution that integrates with ADFS from a Java-based web application to acquire tokens (mainly access_token and id_token) and not a refresh token (preferably, if possible).

I'm currently trying to implement an auth filter (in a Spring Boot application) which requests tokens after checking for the presence of existing tokens. Thereafter, if the required tokens are present, valid and not expired, the actual resource (which can be a REST URL) has to be called.

So, in this case, do you prefer that I use the authorization code flow (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-openid-connect-oauth-flows-scenarios#authorization-code-grant-flow) and not the implicit flow?

Kindly suggest.

Thanks,
Mukul


jmprieur commented on June 26, 2024

@mukulb82
You are right. You want to use the authorization code flow.


mukulb82 commented on June 26, 2024

Okay, great, thanks @jmprieur.

I have one more related question to ask about the authorization code flow.

Question: How does the requested resource (which could be any REST URL, web page or web API) remain intact in the response from ADFS, as the "redirect_uri" could be different from the resource originally requested by an end user (usually through a web browser)?

That is, as a developer, how do I get a handle on the originally requested resource so that the end user is redirected to this resource when authentication is successful?

Thanks,
Mukul


jmprieur commented on June 26, 2024

@mukulb82 : I'm not sure I entirely understand your question. The app can register several redirect URIs. The audience for the token is the AppIdURI of the Web API => it's related to the logical app, and therefore is the same even if you deploy the app in several places.

Usually in a Web app you will navigate to the resource (Web app), which will delegate to Azure AD the user authentication, consent etc ... and then will redirect to the chosen URL (proposed by the app).
See https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-sign-user-app-registration?tabs=aspnetcore and the following pages


mukulb82 commented on June 26, 2024

Hi @jmprieur

I think I am trying to get what you mentioned. Let me also give you an example:

  1. Let's say my web application with host name http://myapp.example.com has several REST endpoints implemented (maybe using the Spring Boot framework, let's say)
  2. The REST endpoints could be CRUD operations - /admin, /add, /delete, /view
  3. Now, let's say I have registered my application with ONLY the "http://myapp.example.com/admin" redirect URI, and now an end user visits the URL http://myapp.example.com/view, so as per the flow he would be redirected to an ADFS authorize endpoint, let's say http://myadfs.com/adfs/authorize?redirect_uri=**http://myapp.example.com/admin** because I registered with "http://myapp.example.com/admin", and then also some /token call as a second step after receiving the auth code.

So now, how will the user be redirected to the originally requested URL, which is "http://myapp.example.com/view"?

Below are my questions:

a) How will the originally requested URL "http://myapp.example.com/view" (which is different from what is registered) be called, and will it be available in the response?
b) Do we need to register all the required URLs as part of the client setup in the ADFS management console?

Let me know if I have been able to make this clear. Also, I read about a resource parameter as part of the /authorize endpoint; is it helpful?


sangonzal commented on June 26, 2024

@mukulb82 You can register multiple redirect URIs. When you make the call to acquire an authorization code, you pass the redirect URI to which you would like the user to be redirected after they authorize. These will probably vary depending on your application logic / what the user is trying to get access to.

Following your example, if you would like the user to be redirected back to http://myapp.example.com/view after they are done authenticating, you would also register http://myapp.example.com/view and then pass it in as the query parameter to the authorization code URL call. The user would then be redirected back to that page.

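The redirect_uri handling discussed in this thread, run end to end as an added example (it is not code from msal4j, from ADFS, or from anyone in the thread). It models the Java web app's auth filter and callback handler in Python, with a constructed in-memory stand-in for the ADFS authorize and token endpoints so that both sides of the exchange run offline. The app registers one callback URI (more can be registered, as noted above), remembers the originally requested path such as /view server-side keyed to a random state value, and restores it after the code is redeemed; it also shows what the identity provider's exact redirect_uri matching rejects. The host names, paths, client id and endpoint URL are assumptions taken from the example earlier in the thread.

```python
"""Authorization-code round trip that keeps the user's originally requested URL.

Added example for this thread, not code from msal4j or from ADFS. FakeAdfs is a
constructed in-memory stand-in for the authorize and token endpoints, included only
so both halves of the exchange run offline. Host names, client id and paths are
assumptions taken from the example in the thread.
"""
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

APP_ORIGIN = "http://myapp.example.com"                    # assumed app host
REDIRECT_URI = APP_ORIGIN + "/auth/callback"               # the one callback registered in ADFS
AUTHORIZE_URL = "http://myadfs.com/adfs/oauth2/authorize"  # assumed ADFS authorize endpoint
CLIENT_ID = "demo-client-id"                               # assumed client id


def safe_local_path(path):
    """Only a same-origin relative path may be used as the post-login destination.
    Rejects absolute URLs, protocol-relative '//host' forms and backslash tricks."""
    return path.startswith("/") and not path.startswith("//") and "\\" not in path


class FakeAdfs:
    """Constructed stand-in for ADFS: enforces exact redirect_uri registration,
    issues single-use codes bound to (client_id, redirect_uri), echoes state back."""

    def __init__(self, registered_redirects):
        self.registered = set(registered_redirects)
        self.codes = {}

    def authorize(self, url):
        q = parse_qs(urlparse(url).query)
        redirect_uri = q["redirect_uri"][0]
        if redirect_uri not in self.registered:
            raise ValueError("redirect_uri is not registered for this client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"][0], redirect_uri)
        # The browser is sent back to redirect_uri carrying the code and the untouched state
        return redirect_uri + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, code, client_id, redirect_uri):
        if self.codes.pop(code, None) != (client_id, redirect_uri):
            raise ValueError("unknown or reused code, or redirect_uri mismatch")
        return {"access_token": "at-" + code[:8], "id_token": "idt-" + code[:8]}


class WebApp:
    """The web app's auth filter and callback handler. One dict stands in for the
    user's server-side HTTP session."""

    def __init__(self, adfs):
        self.adfs = adfs
        self.session = {}

    def begin_login(self, requested_path):
        """Auth filter: no valid tokens, so remember where the user wanted to go and
        send them to ADFS. Only a random nonce travels in state; the return path
        stays server-side, keyed to this session."""
        if not safe_local_path(requested_path):
            requested_path = "/"
        state = secrets.token_urlsafe(24)
        self.session["oauth_state"] = state
        self.session["return_to"] = requested_path
        return AUTHORIZE_URL + "?" + urlencode({
            "client_id": CLIENT_ID, "response_type": "code", "scope": "openid",
            "redirect_uri": REDIRECT_URI, "state": state})

    def callback(self, url):
        """Handler at REDIRECT_URI: bind the response to the session that started the
        login, redeem the code, then send the user to the page they first asked for."""
        q = parse_qs(urlparse(url).query)
        expected = self.session.pop("oauth_state", "")
        received = q.get("state", [""])[0]
        if not expected or not hmac.compare_digest(received.encode(), expected.encode()):
            raise ValueError("state mismatch: not the login this session started")
        self.session["tokens"] = self.adfs.token(q["code"][0], CLIENT_ID, REDIRECT_URI)
        return self.session.pop("return_to", "/")


def run_flow(requested_path, registered=(REDIRECT_URI,), tamper_state=False):
    """Drive one full login for a user who asked for requested_path.
    Returns the final redirect target and tokens, or the error that stopped the flow."""
    adfs = FakeAdfs(registered)
    app = WebApp(adfs)
    try:
        authorize_request = app.begin_login(requested_path)   # 302 to ADFS
        callback_request = adfs.authorize(authorize_request)   # 302 back to the app
        if tamper_state:                                       # simulate a forged callback
            callback_request = callback_request.split("&state=")[0] + "&state=forged"
        final_path = app.callback(callback_request)            # 302 to the original page
    except ValueError as err:
        return {"error": str(err)}
    return {"final_redirect": final_path, "tokens": app.session["tokens"]}


if __name__ == "__main__":
    print(run_flow("/view"))
```

Run the file to see one login for /view end in a redirect back to /view with the tokens in the session. Only the nonce travels in state, so whoever forges a callback cannot choose where the victim lands, and safe_local_path keeps the stored destination on the app's own origin. In the real Java filter the same state value goes onto the authorization request URL that MSAL4J builds, and the token-endpoint call is MSAL4J's acquireToken step with the authorization code; registering each page as its own redirect URI, as suggested above, also works but then every one of those pages must validate the callback this way.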
