Office 365 API Authentication with Azure AD - What I Learned

Monday, December 15, 2014 1:15 PM
Microsoft MVP Logo

… and I’m sharing to hopefully help you too!

This week I’m publishing a handful of blog posts that deal with Azure AD and authentication. Recently I did a lot of work around the Office 365 APIs which requite you obtain an access token from your Azure AD. Unfortunately, identity and authentication is not a simple concept or a simple thing to do in your custom development projects. For me, I get identity and the concept of authenticating using OAuth2, but the nuts and bolts… it gets complex pretty damn fast.

My fear, and I’ve shared this with Microsoft who really wants to simplify this story, is that the work you have to go through today is complex enough to potentially scare folks away before they even get to the Office 365 APIs.

Tomorrow Chris Johnson & I will publish episode #60 … that link won’t work until after December 16, 2014 at 10a (GMT -0500) which is an interview with Paul Schaeflein where we talked about this very subject. I would strongly recommend you listen to that interview when it’s publish as we covered a TON of stuff.

There are so many different technologies and terms that to the person who’s not living and breathing this stuff, it can get confusing. So what I’m doing this week is sharing some of those missing puzzle pieces that helped me get the whole scene working as one. Each person has their own take on this… so maybe my take, or takes, will help you.

The overall process is pretty damn simple: Send the user to the Azure AD login page and let Azure AD authenticate them When they successful login, they are sent back to your site with a code Take the code & submit it back to Azure AD to obtain an OAuth2 access token

That’s it! Once you get that access token, you include it in the header of every HTTP request you make to the Office 365 APIs to prove (1) you are who you say you are as a (1a) person and (1b) app and (2) you have rights to access the thing you are accessing.

But then it gets complicated. How do you do this? There are different endpoints to call to authenticate & obtain the access token. If you’re using .NET, you use this thing called the Azure AD Authentication Library (ADAL) to authenticate with Azure AD.

If you’re doing ASP.NET MVC, you then use this tech called OWIN which stands for the Open Web Interface for .NET. What’s this? It basically is a tech that fits into the plumbing pipeline of ASP.NET MVC to do the authentication… which is really where it should be.

Then there are technologies like OpenID Connect, OAuth2… I’ll be completely honest… going back a few months, I knew what this stuff was, but maybe not how everything fit together.

I found it quite hard to get all this stuff just right. I did write up a lab for some of the Microsoft Virtual Academy content around the Office 365 APIs that should help. Check this one out and take specific note of exercise 3 as I took the time to make sure there was a single exercise I could point people to for all the specific steps you need to perform to get this auth story right for an ASP.NET MVC app.

Ok… until tomorrow… more posts.

comments powered by Disqus