11

I'm writing a simple C# mobile application which I've registered at https://apps.dev.microsoft.com/ to access live.com/outlook.com mailboxes (not outlook 365 mbx). I'm using ADAL for authenticating using the client id and redirect URI from the registration. I'm not sure if I should be generating a password from the registration site and how I should be using the generated password. What I'm experiencing is that I get the usual prompt to authenticate, I provide my credentials, I see a token being returned (RequestSecurityTokenResponse) with my data (firstname, lastname, etc.) meaning that the authentication process was successful and yet the authentication process ends with error "AADSTS50020: We are unable to issue tokens from this api version for a Microsoft account. Please contact the application vendor as they need to use version 2.0 of the protocol to support this."

I'm not sure how to interpret the error: is it saying I'm not using v2.0 of the protocol, or is it saying I'm not calling v2.0 of their authentication endpoint?

The difficulty I'm facing is that Microsoft has changed protocols and interfaces so many times, and has mixed up live.com/outlook.com and azure/office365, that in the end I don't know what I should be providing as the authority URL and the resource URI to access live.com/outlook.com mailboxes.

What I noticed is that, apart from the authentication UI, I'm not getting the UI where I should be authorizing the application to act on my behalf.

Authentication error

Below is the outgoing request with the smtp address obfuscated.

https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%3drQIIARWPsU7CQABAubaQghqRaIIbAy6aa3uFttwlDmog0gEGXSQu19JCY8thbcU4ObjLBzg5OpjoYAyf4MRiYtg00RhmTRzF5SVvey8zV5JQScISQqqeA2idRxIiRYoMS8cUQ8VANixj14HUxSp0DAuXKmXVsh0tzGWyaDi_ix-FndGH_zZprV09ATAG4AuACw5MuMXmVhx11X-w0Dt3plzSZx2vd8sXu1HUPyGyzOLIZ-xIYq7r2Y5ks0AOqOdLoUPbD3xq5gHrjfiihjVLN7QStPU2hmWDupAirQJtza5gRbeo5rZfeTAWwFRYEfnsQj5d-BQVnohiKsvlE4XErwBukrPk7aX3-7vD5eblwc_1y_d-4jkp980qik_7x11crwaBKesmrQ-qhhm2VKaE-2Fto7XXsNBZo9bZRAQNU2CUXo3DHvGcyCWDDmF0tkhUSSGMWX81&wfresh=0&id=&pcexp=false&username=xyz%40hotmail.com&popupui=1&contextid=70F2DEC5506FD639&bk=1491815919&uaid=480c9031b6394304bae56ce1da5a258f&pid=0

Here is the code I've used:

using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

// Authority as used in the question: the v2.0 authorize URL, even though ADAL
// only speaks the v1.0 protocol (this is what produces AADSTS50020).
string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";

// Always show the sign-in prompt; no parent window/activity supplied.
PlatformParameters authParms = new PlatformParameters(PromptBehavior.Always, null);

AuthenticationContext authContext = new AuthenticationContext(authority, TokenCache.DefaultShared);

// ADAL expects a v1.0 resource identifier here; the value below is a v2.0 scope.
AuthenticationResult result = await authContext.AcquireTokenAsync(
    "https://outlook.office.com/mail.read",
    clientId,
    new Uri(redirectUri),
    authParms);
whatever
  • Can you please share the `scope` and `response_type` in your request to Azure AD for authentication? – Gaurav Mantri Apr 10 '17 at 10:54
  • I don't see any such attributes in the request. I've edited my post above adding the token request url. – whatever Apr 10 '17 at 12:15
  • I just noticed that you're using ADAL. If I am not mistaken ADAL doesn't support Azure AD v2.0. I think you would need to use MSAL (https://github.com/AzureAD/microsoft-authentication-library-for-dotnet). – Gaurav Mantri Apr 10 '17 at 12:36
  • Does live.com/outlook.com leverage Azure? – whatever Apr 10 '17 at 14:51
  • I'm not sure I understand your question. Would you mind explaining? – Gaurav Mantri Apr 10 '17 at 14:52
  • You say that I should be using MSAL because Azure AD 2.0 does not support it, but I need to read live.com mailboxes (not office 365 mailboxes) so I ask to you does live.com use Azure AD? – whatever Apr 10 '17 at 15:00
  • Aah...I see. From what I understand when you sign in through Azure AD v2.0 using your Microsoft account, you get a token back for reading live.com mailboxes (that's why I asked for scopes in my 1st comment). Then you can use live.com API to read those mailboxes. HTH. – Gaurav Mantri Apr 10 '17 at 15:06
  • What is the API you are using and how do you authenticate the user? In addition, you could find v2.0 quick start tutorials with code samples from [here](https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-app-registration). – Nan Yu Apr 11 '17 at 08:09
  • I'm using ADAL for authentication (have tried both the nuget and the github open source versions). As for the code, I've added it to my initial post. – whatever Apr 11 '17 at 13:46
  • @noplace I am facing the same error. Did you get it to work ? – user3752049 May 21 '17 at 06:08

1 Answer

6

There are three things here:

  1. Applications created with the https://apps.dev.microsoft.com web site target the AAD v2.0 endpoint, not the v1.0 endpoint (those are different versions of the protocol)

  2. The V2.0 endpoint is not supported by ADAL. It is supported by MSAL. However the development of MSAL is in progress, so I don't think that you can quite use it yet (you should be able to, in a few weeks, and even then I don't think it will be GA)

  3. Authenticating with MSA Accounts directly is supported from the V2.0 endpoint and therefore MSAL, not with ADAL. ADAL only supports ADFS and AAD

I understand that you want to authenticate with MSA accounts (live), and therefore you need to use MSA. I would advise you to wait a bit, if you can.

Note: This is a bit subtle, but you can also have AAD guest accounts which are MSA accounts in an Azure Active Directory (you create a user with an existing email address, which could be an MSA). That is supported by the V1.0 endpoint - and therefore ADAL, but you have to create users with these email addresses in the AAD tenant, which is probably not what you want. And also there are flows where MSAs won't work (for instance when a user authenticates to use a web service which itself uses a web service: the on-behalf-of flow), so I would not recommend this option.
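For reference, here is what the question's ADAL call looks like when moved to the v2.0 endpoint with MSAL, as the answer recommends. This is an added example, not code from the question or the answer, and it assumes the Microsoft.Identity.Client NuGet package with the MSAL.NET 4.x builder API (which shipped after this answer was written); `clientId` and `redirectUri` are the values from the apps.dev.microsoft.com registration.

```csharp
// Added example (not from the question or answer): MSAL.NET equivalent of the
// ADAL call in the question, targeting the v2.0 endpoint for personal accounts.
// Assumes Microsoft.Identity.Client (MSAL.NET 4.x builder API).
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class OutlookMsaAuth
{
    // v2.0 uses scopes, not a resource URI. This is the Outlook REST scope the
    // question used; "https://graph.microsoft.com/Mail.Read" is the Graph equivalent.
    private static readonly string[] Scopes = { "https://outlook.office.com/Mail.Read" };

    public static async Task<AuthenticationResult> SignInAsync(string clientId, string redirectUri)
    {
        // A mobile app is a public client: no application password/secret is
        // configured or shipped with it, which also answers the question's doubt
        // about the "generated password" on the registration site.
        // PersonalMicrosoftAccount selects the v2.0 "consumers" authority, which is
        // what AADSTS50020 is asking for when a live.com/outlook.com user signs in.
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, AadAuthorityAudience.PersonalMicrosoftAccount)
            .WithRedirectUri(redirectUri)
            .Build();

        // Prefer the cached token; only show UI when MSAL says it is required.
        IAccount account = (await app.GetAccountsAsync()).FirstOrDefault();
        try
        {
            // Throws MsalUiRequiredException when there is no account or no
            // usable cached/refreshable token for the requested scopes.
            return await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // First run or consent missing: this is where the consent screen the
            // question says was never shown is presented for the requested scopes.
            return await app.AcquireTokenInteractive(Scopes)
                .WithPrompt(Prompt.SelectAccount)
                .ExecuteAsync();
        }
    }
}
```

Send `result.AccessToken` only as an `Authorization: Bearer` header to the Outlook API and keep it out of logs; `result.Scopes` shows which of the requested scopes the user actually consented to.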