
This has been asked before, but in a different context. I need to be able to authenticate to Azure AD (Entra) via MFA from a terminal, where there is no possibility to load a browser. This is on Linux, and I've been using the python msal library. Right now I can only authenticate with username and password. I've been grasping at straws, such as using selenium, etc. Anyone have any ideas?

David Mulder
  • Perhaps I could generate a url with `get_authorization_request_url`, then display a QR code at the terminal for users to authenticate on their personal device? But then how would I forward the auth back to the linux terminal? – David Mulder Aug 08 '23 at 15:20
  • Actually, I suppose I would want to start with a `initiate_auth_code_flow`, and do that dance. – David Mulder Aug 08 '23 at 15:22
  • I don't think that will work, because the redirect url has to be configured in the azure ad app (so I'd have to configure every single client manually). – David Mulder Aug 08 '23 at 15:41

1 Answer


With a library like MSAL in an environment that doesn't support a web browser (e.g., a terminal on a headless Linux server), you won't be able to use the standard interactive OAuth flows, which rely on a browser-based redirect.

For terminal-based tools without a browser, I generally recommend using the "Device Code Flow".

  1. The application asks Azure AD to provide a device code.
  2. Azure AD returns a device code, a user code, and a verification URL.
  3. The user is instructed to browse to the verification URL on a separate device (like their phone or a desktop) and input the user code. Upon doing so, they'll then complete the standard interactive MFA process on that separate device.
  4. Meanwhile, the application periodically polls Azure AD with the device code to check if the user has completed the MFA process.
  5. Once the user completes the MFA, Azure AD returns an access token to the application.

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code

https://github.com/Azure-Samples/ms-identity-python-devicecodeflow

Device Code Flow (Azure AD)

Daredevil
  • Thanks! That's exactly what I was looking for. Do you know if it's possible to pass the code with the URL? I'd like to simply present a QR code to the user to scan with their phone. – David Mulder Aug 09 '23 at 20:08
  • Hrm, device code flow doesn't let me provide a login_hint, like acquire_token_interactive does. – David Mulder Aug 09 '23 at 20:19
  • Oh, dang. I see that MS hasn't implemented verification_uri_complete. That's a bummer. – David Mulder Aug 09 '23 at 20:52
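The device code dance described in steps 2 to 5 of the answer, as an added example that is not code from the answer, the linked MSAL sample or the msal library itself (MSAL's `initiate_device_flow` / `acquire_token_by_device_flow` perform this loop for you). It assumes a pluggable `post_token` callable standing in for the Entra token endpoint, so the polling, `slow_down` back-off and expiry handling can be exercised offline against a constructed endpoint; the verification URI is the one Entra normally returns.

```python
import time
from dataclasses import dataclass

# Errors on which polling must stop (RFC 8628 / Entra device code docs).
FATAL_ERRORS = {"authorization_declined", "expired_token", "bad_verification_code"}

@dataclass
class DeviceFlow:
    """Device-authorization response (step 2). Entra sends no verification_uri_complete,
    so a QR code can only carry verification_uri; the user still types user_code."""
    device_code: str
    user_code: str
    verification_uri: str
    expires_in: int
    interval: int = 5

def poll_for_token(flow, post_token, now=time.monotonic, sleep=time.sleep) -> dict:
    """Steps 4-5: poll the token endpoint with the device code until the user
    finishes MFA. post_token(device_code) returns the endpoint's JSON as a dict."""
    deadline, interval = now() + flow.expires_in, flow.interval
    while now() < deadline:
        body = post_token(flow.device_code)
        if "access_token" in body:
            return body
        error = body.get("error")
        if error == "slow_down":
            interval += 5  # RFC 8628 section 3.5: back off by 5 seconds
        elif error in FATAL_ERRORS:
            raise PermissionError(f"device flow ended: {error}")
        elif error != "authorization_pending":
            raise RuntimeError(f"unexpected token response: {body}")
        sleep(interval)
    raise TimeoutError("device code expired before the user completed sign-in")

def run_demo() -> tuple:
    """Constructed offline drive of the loop: the fake endpoint replies pending
    twice, slow_down once, then issues a token; a fake clock avoids real sleeping."""
    replies = [{"error": "authorization_pending"}, {"error": "authorization_pending"},
               {"error": "slow_down"}, {"access_token": "constructed-token"}]
    clock, sleeps, calls = [0.0], [], []
    def fake_endpoint(device_code: str) -> dict:
        calls.append(device_code)
        return replies[len(calls) - 1]
    def fake_sleep(seconds: float) -> None:
        sleeps.append(seconds)
        clock[0] += seconds
    flow = DeviceFlow("constructed-device-code", "ABCD1234",
                      "https://microsoft.com/devicelogin", expires_in=900)
    token = poll_for_token(flow, fake_endpoint, now=lambda: clock[0], sleep=fake_sleep)
    return token["access_token"], len(calls), sleeps
```

With a real endpoint, `post_token` would POST `grant_type=urn:ietf:params:oauth:grant-type:device_code` plus the client id and device code to the tenant's token endpoint; the back-off and stop conditions stay the same.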