
I am trying to authenticate users in my web application using Azure AD to store user records. For authenticating the user I am using the ADAL4J API (https://github.com/AzureAD/azure-activedirectory-library-for-java). I am using the AuthenticationContext.acquireToken() method to acquire the token for users. This is working for local users in my directory but not for guest users invited to the directory.

While authenticating guest users I am getting an error: "To sign into this application the account must be added to the directory". However, I am sure the user has been successfully added to the directory, as seen through the Azure Portal. Also, I have verified the same using the Graph API, where I can see the guest users in the user list of the directory.

So the question is how do I authenticate the guest user in my web application through code (not through redirecting to the Azure UI)?

EDIT: This is the method to which I am passing the username and password of the user:

    import java.util.concurrent.ExecutorService;
    import java.util.concurrent.Executors;
    import java.util.concurrent.Future;

    import javax.naming.ServiceUnavailableException;

    import com.microsoft.aad.adal4j.AuthenticationContext;
    import com.microsoft.aad.adal4j.AuthenticationResult;

    // Username/password (resource owner credentials) grant against the tenant authority.
    private static AuthenticationResult getAccessTokenFromUserCredentials(
            String username, String password) throws Exception {
        AuthenticationContext context = null;
        AuthenticationResult result = null;
        ExecutorService service = null;
        try {
            service = Executors.newFixedThreadPool(1);
            // <tenant_name> is the tenant's verified domain or tenant GUID
            context = new AuthenticationContext("https://login.windows.net/<tenant_name>", false, service);
            // Resource is the Azure AD Graph API; CLIENT_ID is the app registration's id
            Future<AuthenticationResult> future = context.acquireToken(
                "https://graph.windows.net", CLIENT_ID, username, password,
                null);
            result = future.get();
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            // service is null only if newFixedThreadPool itself threw
            if (service != null) {
                service.shutdown();
            }
        }

        if (result == null) {
            throw new ServiceUnavailableException(
                    "authentication result was null");
        }
        return result;
    }
adarsh hegde
  • Can you share the details of the login URL you are constructing for the user? Are you using the 'common' endpoint or a tenant specific endpoint? How did you add the guest user? – Shawn Tabrizi Jan 30 '17 at 22:17
  • I added the guest user through the Azure UI, after which I received an invite through email for the user. Once I completed the instructions in the invite the user was added in my directory. I am using the 'common' endpoint. My code for authentication looks like this : context = new AuthenticationContext("https://login.windows.net/common", false, service); Future future = context.acquireToken( "https://graph.windows.net", CLIENT_ID, username, password, null); – adarsh hegde Jan 31 '17 at 04:22
  • In this code snippet, what is "service"... also you should be using the endpoint "login.microsoftonline.com". Also is there a specific reason you are passing in the username and password to acquire the token rather than following the [authorization code grant flow](https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code)? – Shawn Tabrizi Jan 31 '17 at 18:47
  • @ShawnTabrizi the "authorization code grant flow" explains how the Azure UI is used for user authentication in an interactive mode. My requirement needs me to use my app's login page for authentication, where I authenticate the user credentials (username and password) using the ADAL4J API as explained here: https://github.com/Azure-Samples/active-directory-java-native-headless. – adarsh hegde Feb 01 '17 at 06:32
  • The "service" is an ExecutorService object which is used to define the thread pool. I tried pointing to "login.microsoftonline.com" but got the exact same error. – adarsh hegde Feb 01 '17 at 06:38

1 Answer

With the information you provided, I feel like the issue here is related to the login endpoint. Remember that the common endpoint uses the logged in user to help 'guess' which tenant endpoint to authenticate to. If you are doing more tricky things like guest accounts, it is very likely the common endpoint will not figure out all the right details.

I recommend you specifically call your tenant's login endpoint, through the whole process, and see if that resolves your issues.

Let me know if this helps!

Shawn Tabrizi
  • Thanks Shawn but this didn't work for me. I tried with the tenant name instead of common and got the error message "To sign into this application the account must be added to the directory." In case of 'common' the error message says "To sign into this application the account must be added to the graph.windows.net directory". – adarsh hegde Jan 31 '17 at 07:56
  • An error message where it says "needs to be added to the graph.windows.net directory" does not make sense, and tells me there is some sort of error in your code. You will need to provide source code here for me to help you further. – Shawn Tabrizi Feb 01 '17 at 07:47
  • This works in the case of guest users who have been invited from other Azure AD tenants, but not in the case of guest users who are not present in any tenant (e.g. a Gmail account). – adarsh hegde Feb 08 '17 at 06:54
  • Guest users must have some sort of AAD Backing, or they are not users at all in our system. Random Gmail accounts cannot be used with AAD Authentication. It seems to me like you are looking for [B2C](https://azure.microsoft.com/en-us/services/active-directory-b2c/), which is our Consumer Identity System. – Shawn Tabrizi Feb 08 '17 at 08:44
  • Thanks Shawn but B2C involves user registration, I am using B2B because I want to control the users that will be using my application and I don't want the users to go through the registration. If you check this question (http://stackoverflow.com/questions/42095475/graph-api-requests-for-guest-users-in-azure-ad/42099425#42099425) I have posted, graph API requests for password related changes like reset password and change password are not working for users invited from another tenant. Is this because the other tenant stores their password and authenticates them? – adarsh hegde Feb 08 '17 at 14:16
  • Yes, you cannot change the password from a guest tenant. Only in your home directory. – Shawn Tabrizi Feb 08 '17 at 19:21
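The answer's recommendation is to stop using the `common` endpoint and call the tenant's own login authority for the whole acquisition. The following is an added example (editor's code, not from the question, the answer, or the ADAL4J project) of that pattern with the same `acquireToken(resource, clientId, username, password, callback)` call the question uses: it refuses the multi-tenant authorities (`common`, `organizations`, `consumers`) before constructing the context, uses `login.microsoftonline.com` as suggested in the comments, turns authority validation on, reads the password from the console instead of a command-line argument (arguments are visible in the process list), and surfaces Azure AD's rejection text from the `AuthenticationException` that `Future.get()` wraps. The tenant name, client id and resource are placeholders to be replaced with your own values; the code needs network access to a real tenant to do anything. One caveat that applies to the question's approach as a whole: the username/password grant hands the user's clear-text password to your application and cannot complete MFA or other interactive challenges, which is why the authorization code flow mentioned in the comments is the usual recommendation where it is possible.

```java
import java.io.Console;
import java.net.MalformedURLException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationException;
import com.microsoft.aad.adal4j.AuthenticationResult;

/** Added example: username/password grant against a tenant-specific authority. */
public final class TenantScopedAuth {

    // Assumed placeholders for illustration; replace with your tenant and app registration.
    private static final String TENANT = "contoso.onmicrosoft.com";  // verified domain or tenant GUID
    private static final String AUTHORITY = "https://login.microsoftonline.com/" + TENANT;
    private static final String RESOURCE = "https://graph.windows.net";
    private static final String CLIENT_ID = "00000000-0000-0000-0000-000000000000";

    private TenantScopedAuth() {}

    /** Rejects the multi-tenant authorities so Azure AD never has to guess the tenant. */
    static String requireTenantSpecific(String authority) {
        String path = authority.replaceFirst("^https://[^/]+/", "").replaceAll("/+$", "");
        if (path.isEmpty() || path.equals("common")
                || path.equals("organizations") || path.equals("consumers")) {
            throw new IllegalArgumentException("authority must name a tenant, got: " + authority);
        }
        return authority;
    }

    /** Acquires a token for RESOURCE with the user's credentials via the tenant authority. */
    static AuthenticationResult acquireTokenWithPassword(String username, String password)
            throws MalformedURLException, InterruptedException, ExecutionException {
        ExecutorService service = Executors.newSingleThreadExecutor();
        try {
            // validateAuthority=true: ADAL checks the authority host against its known instances
            AuthenticationContext context =
                    new AuthenticationContext(requireTenantSpecific(AUTHORITY), true, service);
            Future<AuthenticationResult> future =
                    context.acquireToken(RESOURCE, CLIENT_ID, username, password, null);
            return future.get();
        } finally {
            service.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage: java TenantScopedAuth <username>  (run from a terminal)");
            System.exit(2);
        }
        String username = args[0];
        char[] pw = console.readPassword("Password for %s: ", username);
        String password = new String(pw);
        java.util.Arrays.fill(pw, '\0');  // drop the char[] copy as soon as possible
        try {
            AuthenticationResult result = acquireTokenWithPassword(username, password);
            // Do not print the access token itself; it is a bearer credential.
            System.out.println("Signed in as " + result.getUserInfo().getDisplayableId());
            System.out.println("Token expires " + result.getExpiresOnDate());
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof AuthenticationException) {
                // Azure AD's own message (e.g. "account must be added to the directory") lands here
                System.err.println("Azure AD rejected the sign-in: " + cause.getMessage());
                System.exit(1);
            }
            throw e;
        }
    }
}
```

`requireTenantSpecific` is the only piece that does not come from ADAL4J; it exists to make the mistake the answer describes (falling back to `common`) fail fast in code rather than as a confusing directory error at sign-in time. Whether a given guest can sign in this way still depends on where the account's credentials live, as the comments above note for accounts that have no Azure AD home tenant.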