-1

I've created a web app (not native) in Azure AD. I have Java code (adal4j) that acquires a token using appId/appSecret credentials:

    import com.microsoft.aad.adal4j.AuthenticationContext;
    import com.microsoft.aad.adal4j.AuthenticationResult;
    import com.microsoft.aad.adal4j.ClientCredential;
    import com.microsoft.aad.adal4j.UserInfo;
    import java.util.Optional;
    import java.util.concurrent.ExecutorService;
    import java.util.concurrent.Executors;
    import java.util.concurrent.Future;

    String clientId = "xxxxxxxxxxxxxxxxxxxxxx";
    String clientSecret = "yyyyyyyyyyyyyyyyyyyyyy";

    String resourceUrl = "https://graph.windows.net";
    String authorityUrl = "https://login.microsoftonline.com/zzzzzzzzzzzzzzzz/oauth2/authorize";
    ExecutorService executorService = Executors.newFixedThreadPool(4);

    Optional<UserInfo> userInfo = Optional.empty();

    try {
        AuthenticationContext authContext = new AuthenticationContext(authorityUrl, false, executorService);

        // Client-credentials flow: the token is issued to the application itself, not to a user,
        // so no id_token comes back and result.getUserInfo() is null
        Future<AuthenticationResult> future = authContext.acquireToken(resourceUrl, new ClientCredential(clientId, clientSecret), null);
        AuthenticationResult result = future.get();
    } catch (Exception e) {
        throw new RuntimeException("token acquisition failed", e);
    } finally {
        executorService.shutdown();
    }

Now I would like to check if a specified user/password combination is in Azure AD and, if yes, then get the first and last name of this user. Is it possible to do this using the acquired token? How do I write such code using adal4j?

piotrassss
  • 205
  • 1
  • 4
  • 10
  • 1
    Tell us what exactly you want to achieve and why. As stated, your question speaks of something similar to `I would like to do a brute-force attack to identify valid credentials`. And your actions will be interpreted as such by the threat protection mechanisms in Azure AD, regardless of your, probably good, intent. – astaykov Jun 20 '18 at 09:32

1 Answer

0

It sounds like what you're really trying to do is sign in a user and get their first/last name. As the comment said, the pattern suggested is not a valid one and would represent a security issue. Additionally, the use for clientId and clientSecret is not exactly for user credentials, but for app credentials. This is used for flows without user interaction for service/api applications, and doesn't sound like what you'll want.

Now, to achieve this you'll be using the OpenID Connect protocol. To simplify what will happen, your app (upon the user trying to sign in) will redirect to the Microsoft sign-in page (https://login.microsoftonline.com); the user will enter their credentials and fulfill any other authorization requirements, consent to your app, and then be redirected back. When they come back, your app will receive an ID Token which can be validated and used to get information about the user that has just signed in. During this time, Azure AD / Microsoft will also set a cookie on the browser so the user will get SSO across their account.

In terms of how to achieve this, I recommend following the ADAL4J Code Sample. This will get your app an ID Token, and also an Access/Refresh token that you can use to call the Microsoft Graph API. This API can get you information about the user (basic profile info), as well as their Office365, Intune, and Windows data.

Daniel Dobalian
  • 3,129
  • 2
  • 15
  • 28
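The redirect-and-callback flow the answer describes, written out as a minimal servlet with adal4j. This is an added example, not the answer's code and not the ADAL4J Code Sample; the tenant, client id, client secret and redirect URI are placeholders, and the servlet class name and session attribute names are hypothetical. It shows the two halves of the flow: sending the browser to the authorize endpoint with a per-session `state`, and on return exchanging the authorization code over the back channel with `acquireTokenByAuthorizationCode`, after which `getUserInfo()` exposes the given and family name from the ID token.

```java
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;
import com.microsoft.aad.adal4j.UserInfo;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/** Hypothetical sign-in servlet; all identifiers below are placeholders, not real values. */
public class SignInServlet extends HttpServlet {
    private static final String TENANT = "<tenant-id>";                 // placeholder
    private static final String CLIENT_ID = "<client-id>";              // placeholder
    private static final String CLIENT_SECRET = "<client-secret>";      // placeholder: load from config, never commit
    private static final String REDIRECT_URI = "https://localhost:8443/signin"; // must match the app registration
    private static final String AUTHORITY = "https://login.microsoftonline.com/" + TENANT;
    private static final String RESOURCE = "https://graph.microsoft.com";

    private final ExecutorService executor = Executors.newFixedThreadPool(2);
    private final SecureRandom random = new SecureRandom();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String code = req.getParameter("code");
        if (code == null) {
            // Step 1: no code yet, so send the browser to Azure AD. The state value binds the
            // eventual callback to this session (login-CSRF protection); nonce is sent per the
            // OIDC spec, verifying it would require parsing result.getIdToken() and is omitted here.
            String state = randomToken();
            req.getSession().setAttribute("oidc_state", state);
            String authorizeUrl = AUTHORITY + "/oauth2/authorize"
                + "?response_type=code"
                + "&client_id=" + enc(CLIENT_ID)
                + "&redirect_uri=" + enc(REDIRECT_URI)
                + "&scope=openid"
                + "&state=" + enc(state)
                + "&nonce=" + enc(randomToken());
            resp.sendRedirect(authorizeUrl);
            return;
        }

        // Step 2: callback from Azure AD. Reject unless state matches what this session issued.
        String expectedState = (String) req.getSession().getAttribute("oidc_state");
        req.getSession().removeAttribute("oidc_state");   // single use
        if (expectedState == null || !expectedState.equals(req.getParameter("state"))) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "state mismatch");
            return;
        }

        try {
            AuthenticationContext ctx = new AuthenticationContext(AUTHORITY, false, executor);
            // Exchange the code on the back channel; the client secret never reaches the browser
            // and the user's password never passes through this app.
            AuthenticationResult result = ctx.acquireTokenByAuthorizationCode(
                code, new URI(REDIRECT_URI),
                new ClientCredential(CLIENT_ID, CLIENT_SECRET), RESOURCE, null).get();

            UserInfo user = result.getUserInfo();   // claims parsed from the returned ID token
            req.getSession().setAttribute("user", user);
            resp.setContentType("text/plain");
            resp.getWriter().println("Signed in: " + user.getGivenName() + " " + user.getFamilyName()
                + " (" + user.getDisplayableId() + ")");
            // result.getAccessToken() can now be sent as a Bearer token to Microsoft Graph.
        } catch (Exception e) {
            throw new ServletException("token exchange failed", e);
        }
    }

    /** 256-bit URL-safe random value for state/nonce. */
    private String randomToken() {
        byte[] b = new byte[32];
        random.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private static String enc(String s) throws IOException {
        return URLEncoder.encode(s, StandardCharsets.UTF_8.name());
    }
}
```

The point of the design is that the application only ever sees an authorization code and tokens, never the user's password, so nothing in it can be used to probe whether a given user/password pair is valid; the credential check happens entirely on Microsoft's sign-in page. The state check is what stops a callback crafted by a third party from being accepted into an unrelated session.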