sreeise / graph-rs-sdk

Microsoft Graph API Client And Identity Platform Client in Rust
MIT License

Add interactive authentication for public clients #490

Closed kulst closed 1 month ago

kulst commented 1 month ago

Microsoft supports interactive authentication for public clients in their authentication libraries MSAL. See for example their Python library

As far as I can see, graph-oauth currently only supports the device code flow and username/password authentication for public clients. Interactive authentication is only supported for confidential clients.

I suggest also adding interactive authentication for public clients.

sreeise commented 1 month ago

Interactive auth is supported for public clients. For device code, a public client is the only option because it's not considered a confidential flow. Example here: https://github.com/sreeise/graph-rs-sdk/blob/master/examples/interactive_auth/device_code.rs

Internal method that returns the public client: https://github.com/sreeise/graph-rs-sdk/blob/804467c7d34f38c850e6174ee3d5d3485ddebdaa/graph-oauth/src/identity/credentials/device_code_credential.rs#L632

For username/password auth, I don't believe this is possible unless you're just referring to an admin consent dialog. From the Microsoft docs here: https://learn.microsoft.com/de-de/entra/msal/python/advanced/username-password-authentication#constraints it says:

The Username/Password authentication is not compatible with conditional access and multi-factor authentication, because this is not an interactive flow, the Microsoft identity platform does not have an opportunity to present a web-based dialog for the end user to interact. As a consequence, if your app runs in a Microsoft Entra tenant where the tenant admin requires multi-factor authentication (many organizations do that), this flow will not work.

Also, that Python method is just an HTTP call to the API, just like we are already doing for username/password auth.

When we talk about interactive auth, I am specifically referring to a GUI being run such as webview here.

sreeise commented 1 month ago

@kulst Hopefully what I posted helps with this. But please reopen this ticket if you feel I haven't addressed the issue in the last comment, or reply to my comment with more information. I don't mind if you reopen, though. It's not a big deal.