Comments (7)
@mukulb82 implicit flow is only implemented for single page applications, not web apps with a backend (which is what msal4j does, among other things).
You need to use msal.js
See Scenarios and supported platforms and languages
cc: @navyasric
from microsoft-authentication-library-for-java.
Hi @jmprieur, thanks for the quick response. I do understand you, and I went through the documentation below as well for implicit flow (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-openid-connect-oauth-flows-scenarios#implicit-grant-flow), which I now think may not serve our requirement.
So basically I do have a requirement to implement a solution to integrate with ADFS from a Java based web application to acquire tokens (mainly access_token and id_token) and not a refreshToken (preferably, and if possible).
I'm currently trying to implement a typical auth-filter (in a SpringBoot application) which requests to acquire tokens after validating the presence of existing tokens. Thereafter, if the required tokens are present, valid and not expired, the actual resource (which can be a REST URL) has to be called.
So, in this case do you prefer that I use the authorization-code flow (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-openid-connect-oauth-flows-scenarios#authorization-code-grant-flow) and not an implicit flow?
Kindly suggest.
Thanks,
Mukul
@mukulb82
You are right. You want to use the authorization code flow.
Okay, great, thanks @jmprieur.
I have one more related question to ask in the case of the authorization code flow.
Question: How does the requested resource (could be any REST URL, web page or web-api) remain intact in the response from ADFS, as the "redirect_uri" could be different from the resource originally requested by an end-user (usually through a web browser)?
This means: as a developer, how do I have a handle to the originally requested resource so that the end-user is redirected to this resource when the authentication is successful?
Thanks,
Mukul
@mukulb82: I'm not sure I entirely understand your question. The app can register several redirect URIs. The audience for the token is the AppIdURI of the Web API => it's related to the logical app, and therefore is the same even if you deployed the app at several places.
Usually in a Web app you will navigate to the resource (Web app), which will delegate to Azure AD the user authentication, consent etc ... and then will redirect to the URL chosen (and proposed by the app).
See https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-sign-user-app-registration?tabs=aspnetcore and the following pages
Hi @jmprieur
I think I am getting what you mentioned. Let me also give you an example:
- Let's say my web application with host-name http://myapp.example.com has several REST end-points implemented (maybe using the SpringBoot framework, let's say)
- REST end-points could be for CRUD operations: /admin, /add, /delete, /view
- Now, let's say I have registered my application with ONLY the "http://myapp.example.com/admin" redirect-uri, and now an end-user visits URL http://myapp.example.com/view. As per the flow he would be redirected to an ADFS authorize end-point, let's say http://myadfs.com/adfs/authorize?redirect_uri=**http://myapp.example.com/admin**, because I registered with "http://myapp.example.com/admin", and then also to some /token as a second step after receiving the auth code.
So, now how will the user be redirected to the originally requested URL, which is "http://myapp.example.com/view"?
- Below are my questions:
a) How does the originally requested URL "http://myapp.example.com/view" (which is different from what is registered) get called, and will it be available in the response?
b) Do we need to register all the required URLs as part of the client set-up in the ADFS management console?
Let me know if I am able to make this clear. Also, I read about a resource parameter as part of the /authorize end-point. Is it helpful?
@mukulb82 You can register multiple redirect-uris. When you make the call to acquire an authorization code, you pass the redirect-uri to which you would like the user to be redirected after they authorize. These will probably vary depending on your application logic / what the user is trying to get access to.
Following your example, if you would like the user to be redirected back to http://myapp.example.com/view after they are done authenticating, you would also register http://myapp.example.com/view and then pass it in as the query parameter to the authorization code URL call. The user would then be redirected back to that page.
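The alternative that avoids registering every page as a redirect URI is to keep one registered callback and carry the originally requested URL through the OAuth `state` parameter, which the authorization server echoes back unchanged. The servlet filter below is an added example written for this thread, not code from the msal4j project or from the participants; the ADFS endpoint, client id and `/callback` path are assumed values, and the code-for-token exchange is left as a commented placeholder.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical auth filter: saves the originally requested URL server-side, keyed by a random
 *  OAuth 'state', so the single registered redirect_uri (/callback) can send the user back to
 *  /view, /admin, ... after the authorization code is exchanged for tokens. */
public class AuthCodeFilter implements Filter {
    // Assumed values: ADFS authorize endpoint and the one redirect_uri registered for the client.
    private static final String AUTHORIZE = "https://myadfs.example.com/adfs/oauth2/authorize";
    private static final String CLIENT_ID = "<client-id-from-adfs>";
    private static final String CALLBACK  = "http://myapp.example.com/callback";
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        HttpSession session = r.getSession(true);
        // Signed in already (expiry/signature validation of the stored token is omitted here).
        if (session.getAttribute("id_token") != null) { chain.doFilter(req, res); return; }

        if ("/callback".equals(r.getServletPath())) {
            // The returned state must match one we issued in this session; anything else is
            // rejected, which also blocks CSRF-style login of a foreign code.
            String state = r.getParameter("state");
            String original = state == null ? null : (String) session.getAttribute("state:" + state);
            if (original == null) { w.sendError(400, "unknown or replayed state"); return; }
            session.removeAttribute("state:" + state);              // one-time use
            // Exchange r.getParameter("code") for tokens here (e.g. msal4j acquireToken with
            // AuthorizationCodeParameters, redirect_uri == CALLBACK) and store the result.
            session.setAttribute("id_token", "<token from code exchange>");  // placeholder
            w.sendRedirect(original);                                 // back to /view, /admin, ...
            return;
        }

        // Not signed in: remember where the user wanted to go under a fresh random state.
        byte[] nonce = new byte[16]; RNG.nextBytes(nonce);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(nonce);
        String original = r.getRequestURL().toString()
                + (r.getQueryString() == null ? "" : "?" + r.getQueryString());
        session.setAttribute("state:" + state, original);
        w.sendRedirect(AUTHORIZE + "?response_type=code&client_id=" + enc(CLIENT_ID)
                + "&redirect_uri=" + enc(CALLBACK) + "&scope=openid&state=" + enc(state));
    }

    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
}
```

Because the target URL is looked up from the session rather than taken from the query string, the callback never redirects to an attacker-supplied location, and only `/callback` has to be registered in the ADFS client configuration.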