Silent End-User Authentication for Data Lake Store on the Azure AD authenticated Web Page

    Question

  • Hi,

    We have created a Web Application (ASP.Net MVC with C#) wherein Azure AD authentication has been implemented using the OpenID Connect over OAuth 2.0 protocol. Further, in this application we want to upload files to the Azure Data Lake Store. As the end user already authenticates himself on Azure AD, we don't want to authenticate him again when accessing the Data Lake Store. We do have the AccessToken and TokenCache objects available. But when we try to use the existing tokenCache object to retrieve the ServiceCredential object, it prompts the user again with the login pop-up to enter the credentials. Can we bypass the pop-up and get the user authenticated with the TokenCache object that we already have from the application login? Any help is appreciated here. Thanks in advance!

    creds = REST.Authentication.UserTokenProvider.LoginWithPromptAsync(domain, AD_client_settings, token_cache).Result;

    Tuesday, January 31, 2017 4:46 AM

All replies

  • Hi,

    Just making sure I understood your scenario correctly:

    1. You created a web application using AAD for authentication.
    2. User visits your web application using a browser
    3. Your application redirects user to AAD for authentication (using OpenID Connect)
    4. User authenticates and signs into your application.
    5. After sign in, your application needs to make requests to Azure Data Lake Store *as the user* that is currently signed in.

    Is this correct? If so, then yes, it should be possible to perform step (5) without the user doing another sign-in.

    This Azure AD sample handles this exact scenario: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect.

    As you can see in this sample, after AAD redirects the user back to your app with an authorization code, the sample app redeems the code for a token via authContext.AcquireTokenByAuthorizationCodeAsync. This token (including a refresh token) is saved in the token cache. Any future requests to acquire a user token to call a downstream API can be satisfied using the cached refresh token, without redirecting the user to sign in again.

    The sample above did not make use of Microsoft.Rest.Azure.Authentication.UserTokenProvider, since it calls ADAL directly. If you are already doing everything else in the sample, but wish to use UserTokenProvider, can you try UserTokenProvider.CreateCredentialsFromCache?

    Thanks,

    Wenbin

    Monday, February 6, 2017 10:03 PM
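The flow Wenbin describes (redeem the authorization code once, cache the result, then acquire the Data Lake Store token silently from that cache) as an added C# example. This is not code from the original thread or from the linked Azure sample; it calls ADAL directly, the way the sample does, rather than going through UserTokenProvider. Assumed and not on the page: ADAL v3 (Microsoft.IdentityModel.Clients.ActiveDirectory), the OWIN OpenID Connect middleware, the Microsoft.Azure.Management.DataLake.Store SDK and its FileSystem.CreateAsync call, the Data Lake Store resource URI https://datalake.azure.net/, and the placeholder client id, secret and tenant values.

```csharp
// Added example: silent downstream token acquisition for Azure Data Lake Store
// after an OpenID Connect sign-in. Not the original poster's code.
using System;
using System.IO;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Azure.Management.DataLake.Store;   // assumed SDK
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL v3 (assumed)
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Microsoft.Rest;

public static class DataLakeAuth
{
    // Placeholder app registration values (assumed; replace with your own).
    const string ClientId = "<app-client-id>";
    const string ClientSecret = "<app-client-secret>";
    const string Authority = "https://login.microsoftonline.com/<tenant-id>";
    // Resource identifier Data Lake Store expects in the token audience (assumed).
    const string DataLakeResource = "https://datalake.azure.net/";
    // Claim that uniquely identifies the signed-in user for cache lookups.
    const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // Demo-only cache. In a real app, key the cache by user and persist it
    // (per-user session or database); a single process-wide cache shared across
    // users risks handing one user's refresh token to another.
    static readonly TokenCache DemoCache = new TokenCache();

    // Step 1: OWIN OpenIdConnect "AuthorizationCodeReceived" handler.
    // Redeems the code for an access token plus refresh token and stores both
    // in the cache, so later calls need no interactive prompt.
    public static async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification ctx)
    {
        var redirectUri = new Uri(ctx.Request.Uri.GetLeftPart(UriPartial.Path));
        var authContext = new AuthenticationContext(Authority, DemoCache);
        var clientCred = new ClientCredential(ClientId, ClientSecret);

        // Redeeming against the Data Lake resource puts a usable token (and the
        // refresh token) in the cache before the user reaches the upload page.
        await authContext.AcquireTokenByAuthorizationCodeAsync(
            ctx.Code, redirectUri, clientCred, DataLakeResource);
    }

    // Step 2: later request, e.g. from the upload controller. Looks the user up
    // in the cache by object id; ADAL uses the cached refresh token if the
    // access token has expired. Throws AdalSilentTokenAcquisitionException when
    // nothing usable is cached (app restart, revoked or expired refresh token):
    // the caller should then send the user back through sign-in, never block
    // a web request on an interactive prompt.
    public static async Task<ServiceClientCredentials> GetDataLakeCredentialsAsync(ClaimsPrincipal user)
    {
        string userObjectId = user.FindFirst(ObjectIdClaim).Value;
        var authContext = new AuthenticationContext(Authority, DemoCache);
        var clientCred = new ClientCredential(ClientId, ClientSecret);

        AuthenticationResult result = await authContext.AcquireTokenSilentAsync(
            DataLakeResource, clientCred,
            new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));

        // Wrap the bearer token as ServiceClientCredentials for the ADLS client.
        return new TokenCredentials(result.AccessToken);
    }

    // Step 3: upload as the signed-in user, with no second login.
    public static async Task UploadAsync(ClaimsPrincipal user, string accountName,
                                         Stream content, string remotePath)
    {
        ServiceClientCredentials creds = await GetDataLakeCredentialsAsync(user);
        using (var client = new DataLakeStoreFileSystemManagementClient(creds))
        {
            // FileSystem.CreateAsync(account, path, stream, overwrite) is assumed
            // from the ADLS Gen1 SDK.
            await client.FileSystem.CreateAsync(accountName, remotePath, content, overwrite: true);
        }
    }
}
```

Wire OnAuthorizationCodeReceived into OpenIdConnectAuthenticationOptions.Notifications in Startup.Auth.cs, and call UploadAsync from the controller with the current ClaimsPrincipal. The questioner's LoginWithPromptAsync is interactive by design; the silent path depends entirely on the code redemption in step 1 having populated the cache, and on that cache surviving between the sign-in request and the upload request.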