Azure-Samples / ms-identity-java-desktop

A desktop application in Java calling Microsoft Graph API
MIT License

redirect URI #21

Open ghost opened 2 years ago

ghost commented 2 years ago

How do I check the redirect URI in the username/password flow?

Avery-Dunn commented 2 years ago

Hello @makushima: This sample is meant to demonstrate the calling pattern for the username/password flow, and doesn't need a redirect URI to retrieve tokens.

However, while username/password flow is supported it isn't recommended for applications accessed by normal users (it's more meant for simple back-end/devops scenarios). Depending on your scenario, I'd recommend checking out some other samples:

ghost commented 2 years ago

Hello, Avery-Dunn! We have a third-party Java app based on ADAL, without source code. As I understand it, it uses the username/password flow. But it also requires a custom redirect URI in the app configuration, in the format myapp://oauth. More details here: https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uris-native-apps/. I am not sure why they use this URI, but it would be nice to have an example/sample for backward compatibility.

Avery-Dunn commented 2 years ago

@makushima Perhaps the redirect URI is being used as the authority in the client app? They are often the same or pretty similar, so the terminology is often used interchangeably.

In the sample, the section where the client app is created is where the authority/redirect URI is used:

```java
PublicClientApplication pca = PublicClientApplication.builder(clientId)
        .authority(authority)  // <--- right here
        .build();
```

This value is configured in the applications.properties file with the AUTHORITY field. Normally the username/password flow works with just the basic https://login.microsoftonline.com/organizations/ we already have in there, but if your ADAL app was using a redirect URI in the username/password flow, then that might be the equivalent in MSAL.

ghost commented 2 years ago

@Avery-Dunn No. I don't think that it is the authority. The authority is the URL of the authentication authority. And the redirect URI is as the article says:

> Native applications are clients installed on a device, such as a desktop application or native mobile application. There are a few things to keep in mind when supporting native apps related to security and user experience.
>
> The authorization endpoint normally redirects the user back to the client's registered redirect URL. Depending on the platform, native apps can either claim a URL pattern, or register a custom URL scheme that will launch the application. For example, an iOS application may register a custom protocol such as myapp:// and then use a redirect URI of myapp://callback.

So the old Java ADAL app has the redirect URI vendorcorp://applicationname. If I change the URI on the Azure side, the ADAL app gives an error message and doesn't work. How can I check this redirect URI in the sample?

Avery-Dunn commented 2 years ago

Since you mentioned that you had your app "without source code", are you sure that app was using the username/password flow (ROPC)?

I'm not as familiar with ADAL Java but just looking at where it builds the acquire token call for the username/password flow it doesn't seem like a redirect URI is used, nor can you send it as a parameter in MSAL Java's username/password flow.

Maybe the old app was actually using the authorization code flow? Unlike the username/password flow, where user credentials are either hardcoded or retrieved from users through your own login page, the auth code flow is meant for web applications, which redirect users to another place to enter their credentials (for example https://login.microsoftonline.com/).

Have a look at our web app sample and see if it better matches what the app that used ADAL did. In that sample, here is where it builds a redirect URI, and here is where it uses that redirect URI to get an auth code (that is later used to get the access token).

The only other place I can think of where a redirect URI would be used is an interactive request, where MSAL opens the operating system's default browser; however, I don't think there was an ADAL equivalent for that auth flow, and it's a pretty niche option, so I'd be surprised if the old ADAL app was using it.
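The distinction Avery-Dunn draws in the two comments above (ROPC takes no redirect URI; the interactive and auth-code flows do) is easiest to see in the msal4j builders themselves. The following is an added example written against the public msal4j API; it is not code from this sample or from either commenter. The client ID, authority, scopes and redirect URI are placeholder assumptions, and the `main` method just picks a flow from the command line so the file runs stand-alone once `com.microsoft.aad:msal4j` is on the classpath.

```java
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.InteractiveRequestParameters;
import com.microsoft.aad.msal4j.PublicClientApplication;
import com.microsoft.aad.msal4j.UserNamePasswordParameters;

import java.net.URI;
import java.util.Collections;
import java.util.Set;

/**
 * Added example (not part of the ms-identity-java-desktop sample): the two
 * msal4j public-client flows discussed in this issue, built from one
 * PublicClientApplication, to show where a redirect URI does and does not appear.
 */
public class RedirectUriFlows {

    // Assumed placeholder values; in the sample these come from the properties file.
    static final String CLIENT_ID = "00000000-0000-0000-0000-000000000000";
    static final String AUTHORITY = "https://login.microsoftonline.com/organizations/";
    static final Set<String> SCOPES = Collections.singleton("User.Read");

    static PublicClientApplication buildApp() throws Exception {
        // The authority is the token issuer the app talks to; it is not a redirect URI.
        return PublicClientApplication.builder(CLIENT_ID)
                .authority(AUTHORITY)
                .build();
    }

    /**
     * Username/password (ROPC): credentials go straight to the token endpoint.
     * UserNamePasswordParameters has no redirect-URI setter at all, which is the
     * point made above: a redirect URI cannot be "checked" in this flow.
     */
    static IAuthenticationResult acquireWithPassword(PublicClientApplication pca,
                                                     String username, char[] password)
            throws Exception {
        UserNamePasswordParameters params = UserNamePasswordParameters
                .builder(SCOPES, username, password)
                .build();
        return pca.acquireToken(params).get();
    }

    /**
     * Interactive: msal4j opens the system browser and listens on the redirect
     * URI to receive the authorization code. This is the one public-client flow
     * in msal4j where the redirect URI is a required builder argument.
     */
    static IAuthenticationResult acquireInteractively(PublicClientApplication pca)
            throws Exception {
        // Must match a redirect URI registered on the app in Azure AD. msal4j's
        // system-browser flow listens on a loopback address, so this is
        // http://localhost (optionally with a port), not a custom scheme such as
        // vendorcorp://applicationname as used by the mobile ADAL/MSAL SDKs.
        URI redirectUri = new URI("http://localhost");
        InteractiveRequestParameters params = InteractiveRequestParameters
                .builder(redirectUri)
                .scopes(SCOPES)
                .build();
        return pca.acquireToken(params).get();
    }

    public static void main(String[] args) throws Exception {
        PublicClientApplication pca = buildApp();
        // Two arguments: ROPC with those credentials. Otherwise: interactive.
        IAuthenticationResult result = args.length == 2
                ? acquireWithPassword(pca, args[0], args[1].toCharArray())
                : acquireInteractively(pca);
        System.out.println("Token acquired for " + result.account().username());
    }
}
```

Two practical caveats when using this to diagnose the vendor app: the ROPC call will fail for any account that has MFA or Conditional Access applied, since there is no browser in which to satisfy the policy, and the custom-scheme redirect URI (`vendorcorp://applicationname`) is a registration the mobile SDKs consume; msal4j's interactive flow will reject anything that is not a loopback `http://localhost` URI.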

ghost commented 2 years ago

Yes, we know that the vendor used the Android SDK with ADAL ROPC. Also, it is not a web app, and the redirect URL is not http://something. The redirect URL has the structure of the microsoft://outlook format (see the article for native apps). The app authenticates non-interactively, like a service on Windows.

Avery-Dunn commented 2 years ago

Oh, if the app was on Android, was it using ADAL for Android rather than ADAL for Java? If so, and you're still making apps for Android, then you'll probably want MSAL Android; but if it was using ADAL Android and you want to migrate to MSAL Java, then there might not be a direct translation for how redirect URIs were used.