{"id":2388,"date":"2013-09-12T10:00:36","date_gmt":"2013-09-12T17:00:36","guid":{"rendered":"http:\/\/www.cloudidentity.com\/blog\/?p=2388"},"modified":"2024-07-02T15:08:28","modified_gmt":"2024-07-02T22:08:28","slug":"active-directory-authentication-library-adal-v1-for-net-general-availability","status":"publish","type":"post","link":"https:\/\/www.cloudidentity.com\/blog\/2013\/09\/12\/active-directory-authentication-library-adal-v1-for-net-general-availability\/","title":{"rendered":"Active Directory Authentication Library (ADAL) v1 for .NET &#8211; General Availability!"},"content":{"rendered":"<p>After more than one year, three developer previews and<em> a ton<\/em> of feedback from customers and partners (that would be you! Thank you!!!) today we are finally <strong><span style=\"text-decoration: underline;\">announcing the general availability of the Active Directory Authentication Library (ADAL) for .NET v1.0<\/span><\/strong>!<br \/>\nYou can download it <a href=\"https:\/\/www.nuget.org\/packages\/Microsoft.IdentityModel.Clients.ActiveDirectory\/1.0.0\">directly from the NuGet gallery<\/a> or get it from Visual Studio.<\/p>\n<p>Through the year we produced a lot of material on ADAL, but between name changes (it started its existence as Windows Azure Authentication Library &#8211; AAL) and features set variations it might not be super easy for you to get a good idea of what the product does. The good news is that the MSDN documentation for ADAL is on its way. Also, I am going to take this chance to pretend that I never wrote anything about ADAL and use this post to (re)introduce the library to you, so that you can be confident that what you are reading is up to date for the RTM version. I will also try to convey the why\u2019s behind the current design, which are likely to make this a pretty long post. So, grab your favorite caffeine delivery vessel and read on! <img decoding=\"async\" class=\"wlEmoticon wlEmoticon-smile\" alt=\"Smile\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/09\/wlEmoticon-smile1.png\" \/><\/p>\n<h2>What Is the Active Directory Authentication Library (ADAL)?<\/h2>\n<p>&nbsp;<\/p>\n<p>If you are into definitions, here\u2019s one for you:<\/p>\n<blockquote><p><em>The Windows Azure Authentication Library (ADAL) is a library meant to help developers to take advantage of Active Directory for enabling client apps to access protected resources.<\/em><\/p><\/blockquote>\n<p>In more concrete terms. If you have a resource (Web API or otherwise) that is secured via Active Directory, and you have a client application that needs to consume it, ADAL will help you to obtain the security token(s) the client needs to access the resource. In addition, ADAL will help you to maintain and reuse the tokens already obtained.<\/p>\n<p>That\u2019s pretty much it, actually. The rest is all about qualifying a bit better the terms I used:<\/p>\n<p><strong>Active Directory &#8211; <\/strong>I am using the term in its broadest sense. In practice: ADAL can work with Windows Azure AD, Windows Server AD (it requires the ADFS version in Windows Server 2012 R2) and ACS namespace.<\/p>\n<p><strong>Protected resource \u2013 <\/strong>In theory this can be pretty much anything that can be remotely accessed; in practice, we expect it to be a REST service in the vast majority of cases.<br \/>\n\u201dProtected\u201d in this context means that the service expects the caller to present an access token, which must be verified as coming from the right AD before granting access.<\/p>\n<p><strong>Client app \u2013 <\/strong>This probably calls to mind the classic rich client applications, something with a UI built on the native visual elements of the platform it targets. ADAL can totally work with those, I\u2019d even daresay they are the top scenario for this release, but they are not the only one: any app operating in a client <em>role<\/em> is a candidate. In practice, any application that is not a browser (code-behind of web sites, long running processes, workers, batches, etc) and needs to request a token to access a resource is a client app that can take advantage of ADAL.<\/p>\n<p>Today\u2019s release, the v1 of ADAL .NET, applies those principles to the .NET platform. However all of the above holds for ADAL in general: different platforms will have different capabilities and admit different app types, but that\u2019s the general scope.<\/p>\n<p>Now that you know what ADAL is for, let\u2019s focus on how it operates.<br \/>\nWhereas in the past our libraries surfaced all the constructs and concepts of the protocols and artifacts used in the mechanics of authentication, in ADAL we decided to focus on the scenario and the high level tasks. That allows us to eliminate, or at the very least late-bind, a lot of the complexity that with the traditional approaches would be something inescapable even for the simplest uses. Skeptical? A healthy attitude, very good. Go on, all will be revealed! <img decoding=\"async\" class=\"wlEmoticon wlEmoticon-smile\" alt=\"Smile\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/09\/wlEmoticon-smile1.png\" \/><\/p>\n<h3>ADAL\u2019s Main Pattern<\/h3>\n<p>Identity is hard. There are so many things one needs to keep track of! Token formats, what protocol to use for a given topology, which parameters work for one identity provider but not for the other, how to prevent the user from being prompted every time, how to avoid saving passwords and secrets, what to do when you need multiple authentication factors, and many more obscure details.<\/p>\n<p>\u2026And yet, a high level description of how things work sounds so simple:<\/p>\n<ul>\n<li>I have a client app<\/li>\n<li>I want to call a service, but it requires me to present a token<\/li>\n<\/ul>\n<p>Hence<\/p>\n<ol>\n<li>I go to some kind of authority, and I do whatever is necessary to get a token for the resource<\/li>\n<li>once I have the token, I call the resource<\/li>\n<\/ol>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/09\/image5.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;\" title=\"image\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/09\/image_thumb5.png\" width=\"542\" height=\"243\" border=\"0\" \/><\/a><\/p>\n<p>Not hard at all, right? By virtue of its lack of details, the above describes pretty much all known client-calls-an-API scenarios: a WPF app calling a local service, a console app accessing a Web API running on Windows Azure, a web site code-behind calling the Bing Maps API, a continuous build integration worker process extracting stuff from a queue service, a web site using OAuth2 obtaining and using a token for delegated access to an API, and so on.<\/p>\n<p>What if we could work at that level, instead of preoccupying ourselves with all sorts of details? Well, <em>what you see diagrammed above is pretty much the ADAL object model<\/em>. I mean it fairly literally.<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/09\/image6.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; padding-top: 0px; padding-left: 0px; margin: 0px; display: inline; padding-right: 0px; border: 0px;\" title=\"image\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/09\/image_thumb6.png\" width=\"587\" height=\"305\" border=\"0\" \/><\/a><\/p>\n<p>ADAL\u2019s main class, <strong><em>AuthenticationContext<\/em><\/strong>, represents in your app\u2019s code the authority (Windows Azure AD tenant, Windows Server ADFS instance or ACS namespace) from where you want to get tokens from.<\/p>\n<p>AuthenticationContext\u2019s main method, <strong><em>AcquireToken<\/em><\/strong>, is the primitive which allows you to perform leg #1 in the diagram. The parameters will vary depending on the concrete scenario you are dealing with (more about that later) but in general you can expect to have to qualify which app is requesting the token and for which resource. Both are passed using the identifiers with which the client app and the resource are known by the authority (all actors must have been provisioned, AD will not issue tokens for unknown entities).<\/p>\n<p>Upon successful authentication, AcquireToken returns an <strong><em>AuthenticationResult<\/em><\/strong>, which contains (among other things) an access token for the target service.<\/p>\n<p>Once you have a token, the ball is on your court. ADAL does not force you to use channels or special proxies, nor it imposes you to use any specific protocol for accessing your target resource. You are responsible for plugging the token in the request to your resource, according to the protocol(s) it supports. In the vast majority of cases we observed during the preview that\u2019s OAuth2.0, which just means that you have to add it in the right HTTP header of the request, but we did have somebody injecting the token in a WCF channel. It\u2019s entirely up to you.<\/p>\n<p>One last thing I\u2019d highlight at this point is that every time you get a token from the authority ADAL adds it to a local cache. Every subsequent call to AcquireToken will examine the cache, and if a suitable token is present it will be returned right away. If\u00a0 a suitable token cannot be found, but there is enough information for obtaining a new one without repeating the entire authentication process (as it is the case with OAuth2 refresh tokens) ADAL will do so automatically. The cache is fully queryable and can be disabled or substituted with your own implementation, but if you don\u2019t need either you don\u2019t even need to know it\u2019s there: AccessToken will use it transparently.<\/p>\n<p>Just as the ADAL library manages the authentication tokens efficiently, ensuring that your applications can securely access necessary services without redundant authentications, finding <a href=\"https:\/\/mdisite.com\/rybelsus-cost\/\"><b>Rybelsus<\/b><\/a> at a cheap price involves a similar strategy of resource management and cost efficiency. By comparing prices and sourcing medication from reputable discount pharmacies or online platforms, patients can obtain Rybelsus at a more affordable cost. This process, much like using a token cache, leverages existing resources to maximize value and minimize effort. Ensuring you are obtaining Rybelsus at a competitive price not only reduces healthcare costs but also makes diabetes management more accessible, reflecting the seamless and user-oriented approach of ADAL in handling tokens.<\/p>\n<p>There you have it: now you understand what ADAL does, even how to do use it almost at the code level. Remarkably, all this didn\u2019t require forcing you to grok any security protocol concept aside from a nondescript \u201ctoken\u201d. If you are still skeptical you might ask \u201cwhere\u2019s the trick? Where did all the complexity go?\u201d. There is no trick, of course; but there are tradeoffs which are intrinsic to the problem, and I want to be transparent about those to set the right expectations. So, for the question \u201cwhere did the complexity go\u201d here there are few answers.<\/p>\n<ul>\n<li><strong>It was moved from the code to the AD setup.<\/strong> AD, in all the flavors supported by ADAL, has the ability of maintaining descriptions of entities (client apps, web APIs, users) and the relationships which tie them together (\u201ccan client A call service B?\u201d). ADAL fully relies on that intelligence, passing around identifiers that are actually references to what AD already knows about apps. That makes the code MUCH simpler, but in turn requires every entity you want to work with to be registered in your authority of choice. If in your company somebody else (like and administrator) does that for you, that\u2019s a net gain for you the developer as you can leverage their work and avoid reinventing the wheel. If you are a one-man band an you wear both the hat of the developer and of the administrator, you are responsible for doing all the necessary provisioning before being able to code against the scenario. It\u2019s still a big advantage (do it once, use it from multiple apps; maintain neater code; etc) but somebody got to take care of that.<\/li>\n<li><strong>It was pruned by the pre-selection of fixed scenarios.<\/strong> ADAL gets tokens only from AD. To support that, it implements a number of protocols and artifacts: but those are not exposed to you for general use. ADAL\u2019s API surface is tied to the AD-based topologies supported at this point in time, and its object model reflects that. That allows us to maintain a super simple set of primitives, but it also means that there\u2019s little margin for customization or use beyond the intended scope.<\/li>\n<li><strong>Dealing with finer details is delayed to the last possible moment.<\/strong> The high level description of the token based authentication flow is accurate for all scenarios, and an OM based on it is easy to understand for everybody. However, once the rubber hits the road it is inevitable that you\u2019ll have to deal with some concrete aspects that are specific to the scenario you are implementing. For example: if you are writing a native client app and you want to get a token for a specific user, you\u2019ll have to let AcquireToken know about it; conversely, if you are developing a long running process there might be no user involvement at all, but you might have to pass to AcquireToken an X.509 certificate to identify your app with AD.<br \/>\nHow does ADAL reconcile those two abstraction levels? Simple. The act of acquiring a token is done always through the same primitive, AcquireToken. However such primitive provides multiple overloads, specialized for the scenarios ADAL supports.<br \/>\nThe advantage of this approach is that if you write a native client app you only need to learn about the overloads that work for you, and you can ignore the ones for worker processes. Of course the issue becomes finding the right overload for your scenario! However we count on the fact that you know what are the entities that are used in your scenario, hence zeroing on the overload that has the right placeholders should be pretty straightforward.<\/li>\n<\/ul>\n<p>Bottom line: those scenarios have intrinsic complexity, but we did our best to factor things so that it is minimized and does not spill across scenarios.<\/p>\n<h2>What Scenarios\/Topologies ADAL .NET v1 Supports?<\/h2>\n<p>Let\u2019s get more concrete and take a look at the typical scenarios\/topologies you can implement with ADAL.<\/p>\n<p>Important: although ADAL\u2019s object model abstracts away most differences between authority types (Windows Azure AD, Windows Server AD \/ADFS, ACS) such differences exist: that means that certain scenarios will be supported when the authority is Windows Azure AD but not when it is an ACS namespace, and similar. I\u2019ll call it out in the descriptions.<\/p>\n<h3>Native Client &#8211; Interactive User Authentication<\/h3>\n<h4>Windows Azure AD\/ADFS<\/h4>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/09\/image7.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; padding-top: 0px; padding-left: 0px; margin: 0px; display: inline; padding-right: 0px; border: 0px;\" title=\"image\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/09\/image_thumb7.png\" width=\"464\" height=\"278\" border=\"0\" \/><\/a><\/p>\n<p>This is the case in which you are developing a native app (anything that is not a browser and that can show UI, that includes consoles) and you want to access a resource with a token obtained as the current interactive user. This is probably ADAL\u2019s easiest flow.<\/p>\n<p>Peeking under the cover, for Windows Azure AD and for ADFS this flow is implemented using the OAuth2 code grant for public clients. Code-wise, you write something like the following:<\/p>\n<pre class=\"csharpcode\">AuthenticationContext _authenticationContext =<\/pre>\n<pre class=\"csharpcode\">    <span class=\"kwrd\">new<\/span> AuthenticationContext(<span class=\"str\">\"https:\/\/login.windows.net\/mytenant.onmicrosoft.com\"<\/span>);\nAuthenticationResult _authenticationResult =<\/pre>\n<pre class=\"csharpcode\">  _authenticationContext.AcquireToken(\u201c<span class=\"str\"><a href=\"http:\/\/myservices\/service1i\">http:\/\/myservices\/service1<\/a><\/span>\u201d,<\/pre>\n<pre class=\"csharpcode\"><span class=\"str\">                                      \"a8cb2a71-da38-4cf4-9023-7799d00e09f6\"<\/span>,<\/pre>\n<pre class=\"csharpcode\"><span class=\"kwrd\">                                      new<\/span> Uri(<span class=\"str\">\"http:\/\/TodoListClient\"<\/span>));<\/pre>\n<style type=\"text\/css\"><!--\n.csharpcode, .csharpcode pre\n{\n\tfont-size: small;\n\tcolor: black;\n\tfont-family: consolas, \"Courier New\", courier, monospace;\n\tbackground-color: #ffffff;\n\t\/*white-space: pre;*\/\n}\n.csharpcode pre { margin: 0em; }\n.csharpcode .rem { color: #008000; }\n.csharpcode .kwrd { color: #0000ff; }\n.csharpcode .str { color: #006080; }\n.csharpcode .op { color: #0000c0; }\n.csharpcode .preproc { color: #cc6633; }\n.csharpcode .asp { background-color: #ffff00; }\n.csharpcode .html { color: #800000; }\n.csharpcode .attr { color: #ff0000; }\n.csharpcode .alt \n{\n\tbackground-color: #f4f4f4;\n\twidth: 100%;\n\tmargin: 0em;\n}\n.csharpcode .lnum { color: #606060; }\n--><\/style>\n<p>The first line creates an AuthenticationContext tied to the AAD tenant \u201cmytenant\u201d. I would use the exact same logic for an ADFS based authority; the visible difference would be that the AuthenticationContext would be initialized with the address of the ADFS instances\u2019s root endpoints (typically hostname+\u201d\/Adfs\/\u201d).<\/p>\n<p>The second line asks to mytenant to issue a token for the service with identifier <a href=\"http:\/\/myservices\/service1\">http:\/\/myservices\/service1<\/a>, communicates that the request comes from client with ID a8cb2a71-da38-4cf4-9023-7799d00e09f6 and passes in the return URI (used as a terminator in the flow against the authorization endpoint: an OAuth2 protocol detail).<\/p>\n<p>If this is the first time we execute that code, the effect of the call to AcquireToken will be to pop out a browser dialog gathering the user credentials:<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/09\/image8.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;\" title=\"image\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/09\/image_thumb8.png\" width=\"428\" height=\"340\" border=\"0\" \/><\/a><\/p>\n<p>ADAL handles creation of the dialog, crafting of the initial URL, navigation and every other aspect in full transparency. The dialog is really just a browser surface, and the authority decides what to send in term of experience: here we got username &amp; password, but specific users might get multiple auth factors, consent prompts and similar.<\/p>\n<p>Upon successful authentication, the AccessToken will be in _authenticationResult. The content _authenticationResult gets cached: subsequent calls to AcquireToken using the same parameters will yield the results from the cache until an expiration occurs.<\/p>\n<p>You can find a detailed sample showing this scenario in <a href=\"http:\/\/code.msdn.microsoft.com\/AAL-Native-Application-to-fd648dcf\">this code gallery entry<\/a>.<\/p>\n<h4>ACS<\/h4>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/09\/image9.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; padding-top: 0px; padding-left: 0px; margin: 0px; display: inline; padding-right: 0px; border: 0px;\" title=\"image\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/09\/image_thumb9.png\" width=\"437\" height=\"263\" border=\"0\" \/><\/a><\/p>\n<p>The scenario is possible also with an ACS namespace as authority; however the underlying protocols are different &#8211; ACS uses javascriptnotify for this &#8211; and the AcquireToken syntax reflects that.<\/p>\n<p>Code:<\/p>\n<pre class=\"csharpcode\">_authenticationContext = \n<span class=\"kwrd\">       new<\/span> AuthenticationContext(<span class=\"str\">\"https:\/\/mynamespace.accesscontrol.windows.net\"<\/span>);\n\n List&lt;IdentityProviderDescriptor&gt; idps = \n       (List&lt;IdentityProviderDescriptor&gt;)\n       _authenticationContext.GetProviders(<span class=\"str\">\"<span class=\"str\"><a href=\"http:\/\/myservices\/service1i\">http:\/\/myservices\/service1<\/a><\/span>\"<\/span>);\n\n AuthenticationResult result1 = \n       _authenticationContext.AcquireToken(<span class=\"str\">\"<span class=\"str\"><a href=\"http:\/\/myservices\/service1i\">http:\/\/myservices\/service1<\/a><\/span>\"<\/span>, idps[0]);<\/pre>\n<style type=\"text\/css\"><!--\n.csharpcode, .csharpcode pre\n{\n\tfont-size: small;\n\tcolor: black;\n\tfont-family: consolas, \"Courier New\", courier, monospace;\n\tbackground-color: #ffffff;\n\t\/*white-space: pre;*\/\n}\n.csharpcode pre { margin: 0em; }\n.csharpcode .rem { color: #008000; }\n.csharpcode .kwrd { color: #0000ff; }\n.csharpcode .str { color: #006080; }\n.csharpcode .op { color: #0000c0; }\n.csharpcode .preproc { color: #cc6633; }\n.csharpcode .asp { background-color: #ffff00; }\n.csharpcode .html { color: #800000; }\n.csharpcode .attr { color: #ff0000; }\n.csharpcode .alt \n{\n\tbackground-color: #f4f4f4;\n\twidth: 100%;\n\tmargin: 0em;\n}\n.csharpcode .lnum { color: #606060; }\n--><\/style>\n<p>The first line creates an AuthenticationContext instance tied to our ACS namespace.<\/p>\n<p>The 2nd line reaches out for ACS\u2019 info feed and extracts all of the IdPs supported by the target RP.<\/p>\n<p>The 3rd line asks for a token for our RP (the resource) using the first IdP from the list. This will pop out a browser, already pointed to the IdP of choice, and use it to drive the authentication process. As for the AD case, the results will be cached.<\/p>\n<p>An example can be found <a href=\"http:\/\/code.msdn.microsoft.com\/AAL-Native-App-to-REST-de57f2cc\">here<\/a>.<\/p>\n<h3>Server to Server \u2013 Client Credentials Grant<\/h3>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/09\/image10.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; padding-top: 0px; padding-left: 0px; margin: 0px; display: inline; padding-right: 0px; border: 0px;\" title=\"image\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/09\/image_thumb10.png\" width=\"430\" height=\"260\" border=\"0\" \/><\/a><\/p>\n<p>This is the scenario in which the client application itself has its own credentials, which are exchanged for an issued token for the specified resource. Under the hood this is implemented as a OAuth2 client credentials grant, though different authority types use different OAuth2 drafts; in any case that\u2019s fully immaterial to you given that the library takes care of picking the right style in full transparence. This topology is not available for ADFS. Also, different authority types support different crednetial types. Check the MSDN documentation for details.<\/p>\n<p>Code:<\/p>\n<pre class=\"csharpcode\">_authenticationContext = \n     <span class=\"kwrd\">new<\/span> AuthenticationContext(<span class=\"str\">\"https:\/\/login.windows.net\/21211b42-1e25-4046-8872-d8832a38099b\"<\/span>);\n\nClientCredential clientCred2 = \n     <span class=\"kwrd\">new<\/span> ClientCredential(<span class=\"str\">\"2188a797-7d21-41dc-84f3-3c1720262614\"<\/span>, <span class=\"str\">\"HBheXXXXXXXXXXXXXXXXXXXXXXXXXXXM=\"<\/span>);\nAuthenticationResult _authenticationResult = \n     _authenticationContext.AcquireToken(<span class=\"str\">\"https:\/\/localhost:9001\"<\/span>, clientCred2);<\/pre>\n<style type=\"text\/css\"><!--\n.csharpcode, .csharpcode pre\n{\n\tfont-size: small;\n\tcolor: black;\n\tfont-family: consolas, \"Courier New\", courier, monospace;\n\tbackground-color: #ffffff;\n\t\/*white-space: pre;*\/\n}\n.csharpcode pre { margin: 0em; }\n.csharpcode .rem { color: #008000; }\n.csharpcode .kwrd { color: #0000ff; }\n.csharpcode .str { color: #006080; }\n.csharpcode .op { color: #0000c0; }\n.csharpcode .preproc { color: #cc6633; }\n.csharpcode .asp { background-color: #ffff00; }\n.csharpcode .html { color: #800000; }\n.csharpcode .attr { color: #ff0000; }\n.csharpcode .alt \n{\n\tbackground-color: #f4f4f4;\n\twidth: 100%;\n\tmargin: 0em;\n}\n.csharpcode .lnum { color: #606060; }\n--><\/style>\n<p>The flow here introduces a new concept, the credential, which needs to be initialized for the client and passed to AcquireToken. There are other credential types, such as X.509, but the differences are only syntactic.<\/p>\n<p>Example <a href=\"http:\/\/code.msdn.microsoft.com\/AAL-Server-to-Server-9aafccc1\">here<\/a>.<\/p>\n<h3>Confidential Client Code Grant<\/h3>\n<p>This scenario is the most classic OAuth2 flow. ADAL .NET expects you to obtain the code on your own, given that the exact flow would depend on the stack you are developing against (web forms?MVC?).<\/p>\n<p>Once you have that, you can pass it to AcquireTokenByAuthorizationCode. The method name departs from the main AcquireToken because it does not fully participate in the ADAL\u2019s mainstream flow (for example, it does not save results in the cache).<\/p>\n<p>We don\u2019t have a sample for this, but we should publish one soon.<\/p>\n<h2>Notable Features<\/h2>\n<p>The above are the main supported topologies. ADAL also have some cross-cutting features that can improve your control over a specific scenario or make it easy to target specific types opf applications (e.g. apps that deal with a single user for their entire lifetime, vs apps which maintain multiple users at once).<\/p>\n<p>Here I am going to list the main ones in no particular order, and give you a super-quick hit at what they are useful for; each of them is worth its own blog post, and I\u2019ll try to diligently make that happen in the weeks ahead.<\/p>\n<h4>Resource Driven Discovery<\/h4>\n<p>Resources receiving unauthenticated or incorrectly secured requests can send back a challenge that indicates useful info such as which authority they trust, what is their resourceID, and so on. ADAL is capable of reading the format of that challenge and trigger a token acquisition on the basis of that.<\/p>\n<h4>Instance discovery and validation<\/h4>\n<p>ADAL protects you from resources forwarding you to malicious authorities by validating the authority URL against known templates. Note, this holds for AAD but ADFS is not currently capable of automated validation hence for ADFS scenarios you need to opt out of this function (at AuthenticationContext construction time).<\/p>\n<h4>Cache related features<\/h4>\n<p>ADAL comes with a default in-memory cache which spans the process, and that gets used automatically. That cache is fully queryable via LINQ, and contains far more than just tokens: when available, the cache will also contain user info such as identifiers, first and last name, and so on.<\/p>\n<p>You can easily implement your own cache and plug it in: you might want to do so when you want a persistent store, enforce your own boundaries between cache stores associated to different AuthenticatonContext instances, and so on.<\/p>\n<h4>Broad Use Refresh Tokens<\/h4>\n<p>AAD issues refresh tokens that can redeemed for access tokens associated to any resource in the tenant, as opposed to just the resource they were originally obtained for. ADAL is aware of this possibility, and will actively take advantage of it when available.<\/p>\n<h4>Common endpoint<\/h4>\n<p>AAD offers a \u201ccommon\u201d endpoint not tied to any specific tenant; when used, such endpoints allows the end user to determine which tenant should be used according to the UPN he or she enters in the username field. ADAL supports late-binding AuthenticationContext which start against common but are adjusted after the first authentication disambiguates the tenant.<\/p>\n<h4>Experience modifiers<\/h4>\n<p>ADAL offers various flags for exercising more control over how the experience takes place, such as flags for guaranteeing that the end user will be prompted no matter what\u2019 in the cache<\/p>\n<h4>Direct use of refresh tokens<\/h4>\n<p>For expert users, ADAL offers methods for using refresh tokens directly. Those methods do not affect the cache content.<\/p>\n<h2>To Learn More<\/h2>\n<p>ADAL is designed to help you to take advantage of Active Directory in your apps with a simple object model which does not require you to get a PhD in protocols &amp; information security. It is one of the most obvious examples of the on-premises\/cloud symmetry in Microsoft\u2019s offering, given that the same code can be pointed to a Windows Azure AD or to an ADFS with practically no changes. I am incredibly proud of what the team has accomplished, and I feel privileged to have had the chance of working with such fine engineers on this key component.<br \/>\nNow that we finally hit GA, you can use ADAL .NET in production in your own apps: if you have questions, doubts or feedback feel free to hit the Contact tab and send me a not!<\/p>\n<p>Also: ADAL .NET is just the first release of the ADAL family. Stay tuned for news in this area <img decoding=\"async\" class=\"wlEmoticon wlEmoticon-smile\" alt=\"Smile\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/09\/wlEmoticon-smile1.png\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>After more than one year, three developer previews and a ton of feedback from customers and partners (that would be you! Thank you!!!) today we are finally announcing the general availability of the Active Directory Authentication Library (ADAL) for .NET v1.0! You can download it directly from the NuGet gallery or get it&#8230;<\/p>\n","protected":false},"author":1,"featured_media":2393,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2388","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/2388","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/comments?post=2388"}],"version-history":[{"count":5,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/2388\/revisions"}],"predecessor-version":[{"id":3738,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/2388\/revisions\/3738"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/media\/2393"}],"wp:attachment":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/media?parent=2388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/categories?post=2388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/tags?post=2388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}