I am trying to handle authentication for my app which uses Microsoft Graph.
What is the difference between these two libraries?
Active Directory Authentication Library for JavaScript (ADAL.js)
Microsoft Authentication Library for JavaScript (MSAL.js)
Is ADAL.js just an Angular 1 library of MSAL.js?
MSAL.js works with the Azure AD v2 endpoint, whereas ADAL.js works with the Azure AD v1 endpoint. The v1 endpoint supports work accounts, but not personal accounts. The v2.0 endpoint is the unification of Microsoft personal accounts and work accounts into a single authentication system. Finally, with msal.js you can also get authentication for Azure AD B2C.
Related
I have created a Web API using .NET Core 5. I have secured the app using the Microsoft identity platform. Client apps are able to get to the resource based on their scope/role. So I know that my API is secure.
Now, I need to add the API to the Azure API Management tool.
So my question is: should I enable OAuth from Azure API Management to secure my web API even though my app is already secured? What would be the reason to enable OAuth from API Management?
APIM is a proxy to the backend APIs, and implementing security mechanisms there to give an extra layer of protection against unauthorized access to APIs is a recommended practice.
Configuring an OAuth 2.0 server in APIM merely enables the Developer Portal's test console, as APIM's client, to acquire a token from Azure Active Directory. In the real world, customers will have a different client app that will need to be configured in AAD to get a valid OAuth token that APIM can validate.
OAuth is an authorization framework which allows a recognized client to acquire an access token from an authorization server.
As given in this Microsoft Doc, the Microsoft Identity Platform uses the OAuth 2.0 protocol for handling authorization.
Please find below references explaining how OAuth secures Web APIs/services:
OAuth 2.0 and Azure API Management
How does OAuth secure Rest API calls
Protect APIs using OAuth 2.0 in APIM
Is it possible to use a generic OAuth 2.0 implementation for both Azure AD authentication and Google Cloud OAuth?
msal.js is available for Microsoft Azure AD integration. Is there a common library that can be used to support both Azure AD authentication and Google authentication? Once both authentication providers are supported, the user will be able to pick and choose a login. Is this possible?
We are developing an Azure B2B application to invite users to, and give them access to, our ASP.NET application that is hosted in Azure. I checked the example https://github.com/Azure/active-directory-dotnet-graphapi-b2bportal-web which uses ADAL for most of the operations. In the example from the above link, MS Graph is called using an access token generated by ADAL, but Microsoft recommends using MSAL.
My question is: which one do we have to use for MS Graph in the ASP.NET application, ADAL or MSAL?
Both of them can help in handling MS Graph, but MSAL provides multiple benefits over ADAL, including incremental consent, richer single sign-on experiences, support for personal Microsoft accounts, use of standards-based protocols and so on.
Also, MSAL has good examples available for MS Graph and is easily implemented.
I agree with Hari above. Both MSAL and ADAL are capable of working with MS Graph. But here are the key differences:
Active Directory Authentication Library (ADAL) integrates with the Azure AD for developers (v1.0) endpoint, where MSAL integrates with the Microsoft identity platform (v2.0) endpoint.
The v1.0 endpoint supports work accounts, but not personal accounts. The v2.0 endpoint is the unification of Microsoft personal accounts and work accounts into a single authentication system. With MSAL you can also get authentication for Azure AD B2C.
So MSAL enables developers to acquire tokens from the Microsoft identity platform endpoint in order to access secured web APIs. These web APIs can be the Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API. MSAL is available for .NET, JavaScript, Android, and iOS, which support many different application architectures and platforms.
Hope this helps.
Which library do we have to use for integrating Azure AD in an iOS app, ADAL or MSAL? Is MSAL an advanced version of ADAL with support for personal accounts as well? Which one supports the SAML 2.0 protocol?
MSAL works with the Azure AD v2 endpoint, whereas ADAL works with the Azure AD v1 endpoint. You can find the difference here. Yes, MSAL allows personal accounts to sign in.
If you're migrating or updating an application that relies on SAML, you can't use the Microsoft identity platform (MSAL). Instead, refer to the Azure AD v1.0 guide.
According to this documentation, the on-behalf-of flow is not supported in B2C:
Web API chains (On-Behalf-Of) is not supported by Azure AD B2C.
Many architectures include a web API that needs to call another downstream web API, both secured by Azure AD B2C. This scenario is common in native clients that have a web API back end, which in turn calls a Microsoft online service such as the Azure AD Graph API.
This chained web API scenario can be supported by using the OAuth 2.0 JWT Bearer Credential grant, otherwise known as the On-Behalf-Of flow. However, the On-Behalf-Of flow is not currently implemented in Azure AD B2C.
Can't I just pull the JWT out of the first Web API request and pass it along to the next Web API? I know that technically I can, but is there a reason I wouldn't want to?
This approach would only work if both Web APIs are configured for the same B2C app. Maybe that is the difference. Is the documentation referring to 2 separate B2C apps, maybe?
Reference: Access the JWT bearer token when using the JWT middleware in ASP.NET Core
The OAuth 2.0 On-Behalf-Of flow covers a first resource, "https://resourceserver1", receiving an access token from a client; then exchanging this access token, without any user interaction, for another access token that lets the delegated identity access a second resource, "https://resourceserver2"; and then sending that access token to the second resource.
This Azure AD documentation explains the On-Behalf-Of flow.
Given this, two different applications are necessary for two different resources, which in turn can require two different scopes.
You can vote for this feature at B2C Support for on-behalf-of flow.
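Two of the threads above turn on the same point: what validating a bearer token actually involves (the checks APIM's validate-jwt policy, or the API's own JWT middleware, performs: signature, issuer, audience, validity window, required scope), and why the first API in a chain cannot simply forward the token it received to a second API but must exchange it through the On-Behalf-Of grant. The following Python is an added example written for this page, not code from any of the posts or from Microsoft's libraries. Everything in it is constructed: the issuer URL, the two App ID URIs (`api://orders-api`, `api://inventory-api`), the signing key, and `fake_token_endpoint`, which stands in for the Microsoft identity platform token endpoint so that the exchange runs offline. Real tokens are RS256-signed and verified against the tenant's published signing keys (the JWKS referenced from the openid-configuration document); HS256 with a shared secret is used here only so the example is self-contained, and the assertion's audience is matched against the calling API's `client_id` as a simplification of the real check.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. Real Microsoft identity platform tokens are RS256-signed
# and verified against the tenant's published signing keys (JWKS from openid-configuration);
# an HS256 shared secret is used here only so the example runs offline.
ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
SIGNING_KEY = b"constructed-demo-key-not-for-production"
API1_AUD = "api://orders-api"        # hypothetical App ID URI of the first web API
API2_AUD = "api://inventory-api"     # hypothetical App ID URI of the downstream web API
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(aud, scp, sub="user-1", lifetime=3600, now=None):
    """Stand-in for the token endpoint: issue a JWT addressed to audience `aud`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": aud, "sub": sub, "scp": scp,
              "iat": now, "nbf": now, "exp": now + lifetime}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def validate_token(token, expected_aud, required_scope=None, now=None):
    """The checks a resource (or APIM's validate-jwt policy in front of it) must make before
    trusting a bearer token: signature, issuer, audience, validity window, required scope.
    Returns the claims, or raises ValueError naming the check that failed."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # fixed allow-list: the token never picks the algorithm
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:      # this is the check that rejects a forwarded token
        raise ValueError(f"token is for {claims.get('aud')}, not {expected_aud}")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    if required_scope and required_scope not in claims.get("scp", "").split():
        raise ValueError(f"missing scope {required_scope}")
    return claims


def obo_request_body(incoming_token, downstream_scope, client_id, client_secret):
    """Form body the first API POSTs to the v2.0 token endpoint to exchange the token it
    received for one addressed to the downstream API (the On-Behalf-Of grant)."""
    return {
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_token,
        "scope": downstream_scope,
        "requested_token_use": "on_behalf_of",
    }


def fake_token_endpoint(body, now=None):
    """Stand-in for the authorization server handling the OBO grant (no network): the
    assertion must be a valid token addressed to the caller, and a fresh token is issued
    for the requested downstream scope on behalf of the same user."""
    if body.get("grant_type") != OBO_GRANT or body.get("requested_token_use") != "on_behalf_of":
        raise ValueError("not an On-Behalf-Of request")
    incoming = validate_token(body["assertion"], expected_aud=body["client_id"], now=now)
    downstream_aud, downstream_scope = body["scope"].rsplit("/", 1)
    return mint_token(aud=downstream_aud, scp=downstream_scope, sub=incoming["sub"], now=now)


def demo(now=1_700_000_000):
    """Client -> API 1 -> API 2. Returns (was the forwarded token accepted by API 2?,
    aud and sub of the token API 2 does accept)."""
    client_token = mint_token(aud=API1_AUD, scp="Orders.Read", now=now)
    validate_token(client_token, API1_AUD, "Orders.Read", now=now)   # API 1 (or APIM) accepts it
    try:                                                               # passing it straight on fails
        validate_token(client_token, API2_AUD, "Inventory.Read", now=now)
        forwarded_accepted = True
    except ValueError:
        forwarded_accepted = False
    body = obo_request_body(client_token, f"{API2_AUD}/Inventory.Read",
                            client_id=API1_AUD, client_secret="constructed-secret")
    api2_token = fake_token_endpoint(body, now=now)
    claims = validate_token(api2_token, API2_AUD, "Inventory.Read", now=now)
    return forwarded_accepted, claims["aud"], claims["sub"]


if __name__ == "__main__":
    print(demo())   # (False, 'api://inventory-api', 'user-1')
```

The audience check is the reason the "just pass the JWT along" idea fails even when the signature, issuer and expiry are all fine: the token the client obtained says `aud = api://orders-api`, and the second API (or an APIM policy in front of it) must refuse anything not addressed to itself, otherwise any resource that ever receives a user's token could replay it against every other resource the user can reach. The On-Behalf-Of exchange is what turns that token into one whose audience is the downstream API while keeping the same `sub`; it is exactly this exchange that the Azure AD B2C documentation quoted above says is not implemented there.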