1

I am developing a multi-tenant application registered on my Azure AD that consumes Office 365 apis, Graph API etc.

I followed this Microsoft sample to build my work which uses ADAL .NET library and OpenIdConnect: Microsoft.IdentityModel.Clients.ActiveDirectory, Version=2.19.0.0

In ADAL.NET, we use an AuthenticationContext instance with a custom inherited class for the TokenCache (see code the sample code here).

For each request to the authorized resources, depending on the API, we invoke one of these methods (see code below) to get the auth_token that will be put in the request Bearer parameter. Is it the correct way to do it?

We never make use of the method AcquireTokenByRefreshTokenAsync, does it mean that our application never uses the refresh_token? Does it mean that our user will have to relog after one hour? Should we implement a kind of refreshing procedure with AcquireTokenByRefreshTokenAsync in the catch statement? Can it be made without prompting anything to the end-user?

REMARK: I posted a question regarding OpenIdConnect authentication ticket lifetime. To me these two questions are unrelated but they may be.

string signInUserId = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
string userObjectId = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
string tenantId = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;


public async Task<string> AcquireOutlook365TokenAsync()
{
     AuthenticationContext authContext = new AuthenticationContext(string.Format("{0}/{1}", SettingsHelper.AuthorizationUri, tenantId), new ADALTokenCache(signInUserId));
     try
     {
         var result = await authContext.AcquireTokenSilentAsync(@"https://outlook.office365.com/",
             new ClientCredential(SettingsHelper.ClientId, SettingsHelper.AppKey),
             new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
         return result.AccessToken;
     }
     catch (AdalException exception)
     {
         //handle token acquisition failure
         if (exception.ErrorCode == AdalError.FailedToAcquireTokenSilently)
         {
             authContext.TokenCache.Clear();
         }
         throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.Unauthorized));
     }
 }

 public async Task<string> AcquireAzureGraphTokenAsync()
 {
     AuthenticationContext authContext = new AuthenticationContext(string.Format("{0}/{1}", SettingsHelper.AuthorizationUri, tenantId), new ADALTokenCache(signInUserId));
     try
     {
         var result = await authContext.AcquireTokenSilentAsync(@"https://graph.windows.net/",
             new ClientCredential(SettingsHelper.ClientId, SettingsHelper.AppKey),
             new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
         return result.AccessToken;
     }
     catch (AdalException exception)
     { 
      //Same as other method
     }
 }
Community
  • 1
  • 1
Benoit Patra
  • 4,355
  • 5
  • 30
  • 53

1 Answers1

4

ADAL uses the stored refresh tokens automatically and transparently, you aren't required to perform any explicit action. AcquireTOkenByRefreshToken is in the ADAL surface for legacy reasons, and has been removed from version 3.x. More background at http://www.cloudidentity.com/blog/2015/08/13/adal-3-didnt-return-refresh-tokens-for-5-months-and-nobody-noticed/

vibronet
  • 7,364
  • 2
  • 19
  • 21