Azure Authentication - End User

About

Process

End-user authentication with Data Lake Store using the REST API.

  • ADLS resources are accessed with the same level of access as the logged-in user.
  • The user needs to provide their credentials periodically in order for your application to maintain access.

The authentication process yields two tokens:

  • an access token (attached to each REST request; valid for one hour by default)
  • a refresh token (used to obtain a new access token; valid for up to two weeks by default)

Steps

Register the app

Get an authorization code

To get the authorization code, the web browser (or an embedded web browser control) navigates to one of the authorize endpoints:

https://login.microsoftonline.com/common/oauth2/authorize
# or
https://login.microsoftonline.com/<tenant id>/oauth2/authorize

Request:

https://login.microsoftonline.com/<TENANT-ID>/oauth2/authorize?client_id=<APPLICATION-ID>&response_type=code&redirect_uri=<REDIRECT-URI>

Response:

http://localhost/?code=<AUTHORIZATION-CODE>&session_state=<GUID>

Get the tokens

Request:

curl -X POST https://login.microsoftonline.com/<TENANT-ID>/oauth2/token \
 -F redirect_uri=<REDIRECT-URI> \
 -F grant_type=authorization_code \
 -F resource=https://management.core.windows.net/ \
 -F client_id=<APPLICATION-ID> \
 -F code=<AUTHORIZATION-CODE>

Response: JSON containing the access token and the refresh token (expires_in is in seconds; expires_on and not_before are Unix epoch timestamps):

{
  "token_type": "Bearer",
  "scope": "user_impersonation",
  "expires_in": "3599",
  "expires_on": "1461865782",
  "not_before": "1461861882",
  "resource": "https://management.core.windows.net/",
  "access_token": "<REDACTED>",
  "refresh_token": "<REDACTED>",
  "id_token": "<REDACTED>"
}

Request a new access token from the refresh token

curl -X POST https://login.microsoftonline.com/<TENANT-ID>/oauth2/token \
 -F grant_type=refresh_token \
 -F resource=https://management.core.windows.net/ \
 -F client_id=<APPLICATION-ID> \
 -F refresh_token=<REFRESH-TOKEN>
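The whole flow above (authorize URL, redirect parsing, code exchange, refresh) as an added Python example; it is not code from the original page. It adds a `state` parameter, which the page's authorize request omits, so the application can reject a redirect it did not initiate, and it renews the access token shortly before `expires_on`. The names `TokenSession`, `post_form` and the `skew` margin are this example's own; `post_form` can be swapped for a fake so the logic runs offline.

```python
import json, time, urllib.parse, urllib.request

AUTHORITY = "https://login.microsoftonline.com"
RESOURCE = "https://management.core.windows.net/"  # resource used in the page's token requests

def build_authorize_url(tenant, client_id, redirect_uri, state):
    """The page's authorize request plus 'state' (generate it with secrets.token_urlsafe(32))."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?" + urllib.parse.urlencode(params)

def parse_redirect(redirect_url, expected_state):
    """Extract the code from the redirect; reject a response whose state is not the one we sent."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to our authorization request")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    return q["code"][0]

def post_form(url, fields):
    """Real form POST to the token endpoint (what the page's curl -F does); replaceable for tests."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.loads(resp.read())

class TokenSession:
    """Holds the access/refresh token pair and renews the access token before it expires."""
    def __init__(self, tenant, client_id, redirect_uri, post=post_form, skew=300):
        self.token_url = f"{AUTHORITY}/{tenant}/oauth2/token"
        self.client_id, self.redirect_uri, self.post, self.skew, self.tokens = client_id, redirect_uri, post, skew, {}

    def exchange_code(self, code):
        self.tokens = self.post(self.token_url, {
            "grant_type": "authorization_code", "resource": RESOURCE, "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "code": code})
        return self.tokens["access_token"]

    def refresh(self):
        self.tokens = self.post(self.token_url, {
            "grant_type": "refresh_token", "resource": RESOURCE, "client_id": self.client_id,
            "refresh_token": self.tokens["refresh_token"]})
        return self.tokens["access_token"]

    def access_token(self, now=None):
        """Return a bearer token, refreshing if it expires within `skew` seconds (expires_on is a string)."""
        now = time.time() if now is None else now
        if now >= int(self.tokens["expires_on"]) - self.skew:
            return self.refresh()
        return self.tokens["access_token"]
```

Send the result of `access_token()` as `Authorization: Bearer <token>` on each Data Lake Store request; when the refresh token itself has expired, the token endpoint returns an error and the user must sign in again.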
