AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

Device flow in MSAL #551

Closed ashikns closed 6 years ago

ashikns commented 6 years ago

The documentation specifies that device flow is not yet supported in MSAL. I was wondering if anyone has looked into it, though. Is there any branch or fork that adds complete or incomplete support for this?

This MSDN post is where I got the idea from.

henrik-me commented 6 years ago

The AAD v2 endpoint does not yet support this flow. We support this in ADAL, which works against the v1 endpoint. As soon as AAD is ready we will be working on enabling this flow.

jmprieur commented 6 years ago

See also the summary of grants supported in public client applications in "Differences between ADAL.NET and MSAL.NET applications".

ashikns commented 6 years ago

I see. Is there any way to support the AAD v2 endpoint in a HoloLens D3D (not XAML) app then? Or any way to support personal Microsoft accounts with the AAD v1 endpoint?

jmprieur commented 6 years ago

No, @ashikns: the v1 endpoint does not support personal accounts. See "Choosing between ADAL.NET (Azure AD V1) and MSAL.NET (Azure AD V2)".

Device code flow will be coming to the V2 endpoint later this year.

reneschulte commented 6 years ago

Thanks for the info. Device flow is coming later this year. Any ETA? Seems like a critical feature to me.

What other ways could we go in the meantime to get a HoloLens with a D3D app working (no WebView)?

henrik-me commented 6 years ago

There are currently no other options available. The Identity team is working on enabling this scenario as soon as possible.

abhidnya13 commented 6 years ago

The only way to get a HoloLens with a D3D app working is to use device code flow in ADAL, which supports the v1 endpoint. So, for now, only work or school accounts can be used. As @henrik-me mentioned, we will be working on enabling this flow for personal accounts as soon as the AAD v2 endpoint starts supporting it.

ivannp commented 6 years ago

Isn't the situation similar for applications accessing OneDrive? I.e., is there an alternative to the interactive flow, which is supported only on Windows?

jmprieur commented 6 years ago

@ivannp: do you need to sign in users with their Microsoft personal accounts (MSA) for now (and therefore use ADAL.NET rather than MSAL.NET for the moment)? All the ways to acquire tokens with MSAL are described here: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Acquiring-Tokens

ivannp commented 6 years ago

@jmprieur: I need something working across platforms (.NET Core, command line), ideally for all account types. Until the issue with the interactive login on Linux is addressed (it doesn't fire a browser; instead it runs Windows-specific code), a working device code flow seems to be the only viable solution.

jmprieur commented 6 years ago

Thanks @ivannp. It's definitely in our plans to add device code flow in MSAL.NET. We'll do it as soon as Azure AD supports it. For interactive login on Linux, this is really .NET Core not providing a web browser. I don't think that this is in the plans for the moment.

ivannp commented 6 years ago

@jmprieur: excited to hear device code support is coming to MSAL.NET! As for Linux, it may make sense to reconsider the way the browser login is done; there is no reason why the application cannot simply fire up a regular browser, which works on all platforms.

henrik-me commented 6 years ago

@ivannp there is no integration with browsers in .NET Core, thus we have to build that integration ourselves per platform. If you have any suggestions on how we should go about that, please let us know. A PR would be great. (Consider that we need to hook up to the browser and get the data out of the response from Azure AD.)

jmprieur commented 6 years ago

@ivannp: yes, it is possible to run a browser, but the experience of adding a tab to an existing browsing session and then asking the user to close the browser (which, BTW, closes all the tabs if the user does not pay attention and does not translate this into "close this tab") is not very good. But I guess it's better than nothing as of today. Thanks for the feedback.

dwhiteddsoft commented 6 years ago

I see that you are hoping to have MSAL.NET support for device flow, but my question is: does the consumer endpoint support device flow? I have tested that AAD does. I can't seem to get the consumer side to work, though.

henrik-me commented 6 years ago

@dwhiteddsoft MSAL.NET doesn't support device code flow yet because the AAD v2 endpoint doesn't support it. If you use ADAL.NET, which connects to AAD v1, then you have device code flow. AAD v2 will possibly be able to support device code flow for AAD accounts sooner than for MSA accounts.

henrik-me commented 6 years ago

This is no longer blocked and we have started the work on the device flow. CC: @MarkZuber
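The polling half of the device code flow discussed throughout this thread, as an added example that is not MSAL.NET's, ADAL.NET's or Azure AD's code: a client polls the token endpoint on a fixed interval until the user finishes signing in on another device, and must handle the `authorization_pending`, `slow_down`, `expired_token` and `access_denied` responses defined by RFC 8628. The token endpoint here is a constructed in-memory stand-in, and the clock and sleep are injectable so the example runs offline.

```python
import time

class FakeTokenEndpoint:
    """Constructed stand-in for the OAuth 2.0 device token endpoint (RFC 8628 section 3.4).
    A real client posts grant_type=urn:ietf:params:oauth:grant-type:device_code over HTTPS;
    this fake only replays a scripted list of JSON-like responses, one per poll."""
    def __init__(self, responses):
        self.responses = list(responses)
        self.polls = 0
    def poll(self, device_code):
        self.polls += 1
        return self.responses.pop(0) if self.responses else {"error": "authorization_pending"}

def poll_for_token(endpoint, device_code, interval, expires_in,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll until a token is issued or the device code expires.
    interval and expires_in come from the device-authorization response."""
    deadline = clock() + expires_in
    while True:
        if clock() >= deadline:
            raise TimeoutError("device code expired before the user completed sign-in")
        resp = endpoint.poll(device_code)
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == "authorization_pending":
            pass                      # user has not finished yet; keep polling
        elif err == "slow_down":
            interval += 5             # RFC 8628 section 3.5: increase the interval by 5 s
        elif err in ("expired_token", "access_denied"):
            raise PermissionError(err)  # terminal: start a new device authorization
        else:
            raise RuntimeError(f"unexpected error: {err}")
        sleep(interval)

def demo(responses, interval=5, expires_in=900):
    """Run one scripted flow with a fake clock; returns (result, polls, sleeps)."""
    endpoint = FakeTokenEndpoint(responses)
    sleeps, now = [], [0.0]
    def fake_sleep(seconds):
        sleeps.append(seconds)
        now[0] += seconds
    try:
        result = poll_for_token(endpoint, "constructed-device-code", interval,
                                expires_in, sleep=fake_sleep, clock=lambda: now[0])
    except (TimeoutError, PermissionError) as exc:
        result = type(exc).__name__
    return result, endpoint.polls, sleeps

# Constructed sequence: pending, slow_down, pending, then a token (not a real token).
HAPPY_PATH = [{"error": "authorization_pending"}, {"error": "slow_down"},
              {"error": "authorization_pending"},
              {"access_token": "constructed-token", "token_type": "Bearer"}]
```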