
Scenario: I have a service hosted in Azure. The service hosts a questions database. I want my android app to get the data from the service with Web Application Authentication and not Delegated Authentication. Basically I don't want users to sign in.

Research: I searched a lot and in ADAL, no variant of acquireToken takes a client secret to make it work. On .NET, the same thing can be done using ClientCredentials. The closest question asked on SO is Authenticate the user on Azure AD using ADAL library from Android native app.

The answer does not specifically tell how to achieve it.

Abhishek Agrawal

1 Answer


Applications on a mobile phone or other Android devices are public client applications (native client applications). As noted in the specification, client authentication methods are not allowed for public clients.

In layman's terms, because public clients cannot keep a client secret, due to the nature of where the code lives and runs, they also cannot truly authenticate their client identity to AAD. For example, someone nefarious could sniff the web traffic of a native client device running your application, and replicate it with their own code, imitating your app. Therefore, only more strict authentication methods can be used, like Delegated Authentication.

If you need to make service to service calls (app only calls) between two services, they must both be confidential clients. Technically, you could have your android app act as if it were a confidential client by registering it with a Web App ID and a Client Secret, but our libraries won't help you do that. You will need to go back to the roots and make the HTTP calls yourself to acquire a token.

Shawn Tabrizi
  • I understand ADAL does not provide it. But since .NET has it and the mechanism can be used for native clients as well, why can't we have the same functionality for Android clients and leave the decision of whether to use it or not to the developer based on his needs. – Abhishek Agrawal May 31 '17 at 23:52
  • I think you didn't fully understand my post. OAuth doesn't allow it. Period. Now you of course can use OAuth wrong, and register clients with the wrong information, but it is up to you to make those mistakes. Our libraries will only allow you to do things which are supported by OAuth. – Shawn Tabrizi May 31 '17 at 23:59
  • From the specification: "The authorization server **MAY** establish a client authentication method with public clients." IMHO I understood your post well, Shawn, and nothing from my answer gives an indication that I didn't. The question is: when ADAL gives the same capability on .NET, why not for Android? And OAuth itself is not disallowing it. It might not recommend it, but it does not forbid it. – Abhishek Agrawal Jun 02 '17 at 04:48
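For reference, the raw HTTP call the answer says you would have to make yourself: an OAuth 2.0 client credentials grant against the Azure AD v1 token endpoint (the one ADAL targets; the v2 endpoint takes a `scope` instead of a `resource`). This is an added example, not code from the question, the answer or the ADAL library; `tenant`, `clientId`, `clientSecret` and `resource` are placeholders you supply, and `org.json` is assumed to be available as it is on Android. The caveat from the answer stands and is restated in the code: a secret compiled into an APK can be recovered by anyone who unpacks the app, so the resulting token tells your service nothing about which code is calling it.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import org.json.JSONObject;

/** Added example: app-only token acquisition without ADAL. Not the library's own code. */
public final class AppOnlyToken {

    // Azure AD v1 token endpoint; {tenant} is a tenant ID or verified domain (placeholder).
    private static final String TOKEN_URL_FORMAT =
            "https://login.microsoftonline.com/%s/oauth2/token";

    private AppOnlyToken() {}

    /** Builds the application/x-www-form-urlencoded body of a client_credentials request. */
    static String buildRequestBody(String clientId, String clientSecret, String resource)
            throws UnsupportedEncodingException {
        return "grant_type=client_credentials"
                + "&client_id=" + URLEncoder.encode(clientId, "UTF-8")
                + "&client_secret=" + URLEncoder.encode(clientSecret, "UTF-8")
                + "&resource=" + URLEncoder.encode(resource, "UTF-8");
    }

    /**
     * Acquires an app-only access token for {@code resource}. Call it off the UI
     * thread (AsyncTask, executor, etc.), never from the main thread.
     *
     * Security caveat: {@code clientSecret} lives inside the APK, so anyone who
     * extracts it can obtain the same token. Your service must treat requests
     * carrying this token as anonymous, not as coming from "your app".
     */
    public static String acquireAppOnlyToken(String tenant, String clientId,
                                             String clientSecret, String resource)
            throws Exception {
        URL url = new URL(String.format(TOKEN_URL_FORMAT, tenant));
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");

        byte[] body = buildRequestBody(clientId, clientSecret, resource)
                .getBytes(StandardCharsets.UTF_8);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }

        int status = conn.getResponseCode();
        // AAD returns error JSON (e.g. invalid_client) on the error stream with a 4xx status.
        InputStreamReader reader = new InputStreamReader(
                status < 400 ? conn.getInputStream() : conn.getErrorStream(),
                StandardCharsets.UTF_8);
        StringBuilder sb = new StringBuilder();
        try (BufferedReader br = new BufferedReader(reader)) {
            String line;
            while ((line = br.readLine()) != null) {
                sb.append(line);
            }
        }

        JSONObject json = new JSONObject(sb.toString());
        if (status != 200) {
            throw new IllegalStateException("token request failed: "
                    + json.optString("error") + ": " + json.optString("error_description"));
        }
        // Send this as "Authorization: Bearer <token>" to your own service.
        return json.getString("access_token");
    }
}
```

Because the secret is extractable, the only thing this buys you over calling the service with no token at all is that the service can reuse its existing bearer-token validation; if the data actually needs protecting, the answer's point applies and you need delegated (user) authentication or a backend of your own that holds the secret.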