Multi-tenant WebAPI – simple admin consent

The Visual Studio 2015 wizard for adding authentication to ASP.NET WebAPI projects does not support the multi-tenant option. Here are some notes on how to implement that option yourself and obtain OAuth2 access tokens for such resources from separate tenants. This is not meant as an attempt to document features – rather as a record […]

Using Azure AD to authenticate public clients to SQL Azure

Azure AD can be used to authenticate to SQL Azure (Azure SQL Database) as an alternative to placing a username and password in the connection string: https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/. It is somewhat analogous to using Windows Authentication when both the client and the database are on a Windows domain network. It is particularly useful on public (non-confidential) clients where storing secrets is inappropriate and […]
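Added example (not code from the post): a public client that signs the user in with ADAL.NET and hands the resulting access token to SqlConnection instead of putting credentials in the connection string. It assumes ADAL.NET 3.x, .NET Framework 4.6 or later (which introduced SqlConnection.AccessToken), and placeholder values for the tenant, client id, server and database.

```csharp
using System;
using System.Data.SqlClient;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;   // ADAL.NET 3.x

// Illustrative example; all identifiers below are placeholders, not values from the post.
public static class AadSqlClient
{
    // Tenant-specific authority; the tenant name is a placeholder.
    private const string Authority   = "https://login.microsoftonline.com/contoso.onmicrosoft.com";
    // Resource identifier of Azure SQL Database (the "aud" the token must carry).
    private const string SqlResource = "https://database.windows.net/";
    // Application id of a native/public client registration; placeholder.
    private const string ClientId    = "00000000-0000-0000-0000-000000000000";
    // Standard out-of-band redirect URI for native clients.
    private static readonly Uri RedirectUri = new Uri("urn:ietf:wg:oauth:2.0:oob");

    // Server and database only: no User ID / Password, no Integrated Security.
    // SqlConnection.AccessToken cannot be combined with those keywords.
    private const string ConnectionString =
        "Server=tcp:myserver.database.windows.net,1433;Database=mydb;" +
        "Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;";

    public static async Task<SqlConnection> OpenAsync()
    {
        var ctx = new AuthenticationContext(Authority);

        // Public client: interactive sign-in (cached tokens reused when PromptBehavior.Auto allows),
        // so the device never holds a client secret.
        AuthenticationResult auth = await ctx.AcquireTokenAsync(
            SqlResource, ClientId, RedirectUri, new PlatformParameters(PromptBehavior.Auto));

        var conn = new SqlConnection(ConnectionString);
        conn.AccessToken = auth.AccessToken;   // bearer token presented to SQL instead of a password
        await conn.OpenAsync();
        return conn;
    }

    // Example query run under the signed-in user's identity: SQL returns the AAD principal name.
    public static async Task<string> WhoAmIAsync()
    {
        using (SqlConnection conn = await OpenAsync())
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            return (string)await cmd.ExecuteScalarAsync();
        }
    }
}
```

Two practical caveats: the access token is short-lived, so open connections close to the point of use and let ADAL's cache refresh the token rather than storing it yourself; and the Azure AD user (or a group containing it) must have been created as a contained database user in the target database before the connection will succeed.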

Using Redis as ADAL token cache

Here is a sample TokenCache class implementation using Redis for use with the Active Directory Authentication Library (ADAL). The library is used for obtaining tokens from Azure AD or AD FS using the OAuth2 protocol. This implementation is intended for web applications acting as OAuth2 or OpenID Connect clients. Typical use of this class is in the […]
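Added example (not the post's own implementation): a per-user ADAL TokenCache that persists its serialized state in Redis. It assumes ADAL.NET 3.x (TokenCache with BeforeAccess/AfterAccess, Serialize and Deserialize), the StackExchange.Redis client, and an ASP.NET web farm with a shared machineKey so that MachineKey.Protect works on every node; the Redis endpoint, key prefix and TTL are illustrative.

```csharp
using System;
using System.Web.Security;                               // MachineKey: needs a shared <machineKey> in a farm
using Microsoft.IdentityModel.Clients.ActiveDirectory;   // ADAL.NET 3.x TokenCache
using StackExchange.Redis;

// Illustrative example; connection string, prefix and TTL are assumptions.
public class RedisTokenCache : TokenCache
{
    private const string KeyPrefix = "adal:cache:";
    private const string Purpose   = "AdalTokenCache";                // MachineKey purpose string
    private static readonly TimeSpan Ttl = TimeSpan.FromDays(14);     // roughly a refresh-token lifetime

    private static readonly Lazy<ConnectionMultiplexer> Redis =
        new Lazy<ConnectionMultiplexer>(() => ConnectionMultiplexer.Connect("localhost:6379"));

    private readonly string _key;

    // userId must be a stable, tenant-scoped identifier of the signed-in user (e.g. the "oid" claim),
    // so that one user's cached refresh tokens can never be served to another user.
    public RedisTokenCache(string userId)
    {
        if (string.IsNullOrEmpty(userId))
            throw new ArgumentException("userId is required", nameof(userId));

        _key = KeyPrefix + userId;
        BeforeAccess = OnBeforeAccess;   // ADAL calls this before reading the cache
        AfterAccess  = OnAfterAccess;    // and this after any read or write
        Load();
    }

    private void Load()
    {
        byte[] blob = Redis.Value.GetDatabase().StringGet(_key);   // null when absent or expired
        // The cache holds refresh tokens (bearer credentials): they are stored encrypted,
        // so a Redis dump alone is not enough to impersonate users.
        Deserialize(blob == null ? null : MachineKey.Unprotect(blob, Purpose));
    }

    private void OnBeforeAccess(TokenCacheNotificationArgs args) => Load();

    private void OnAfterAccess(TokenCacheNotificationArgs args)
    {
        if (!HasStateChanged) return;   // read-only access: nothing to persist

        byte[] blob = MachineKey.Protect(Serialize(), Purpose);
        Redis.Value.GetDatabase().StringSet(_key, blob, Ttl);
        HasStateChanged = false;
    }

    // Call on sign-out so the user's refresh tokens do not outlive the session.
    public override void Clear()
    {
        base.Clear();
        Redis.Value.GetDatabase().KeyDelete(_key);
    }
}

// Usage inside a request, after the OpenID Connect sign-in has populated the principal:
//   string oid = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
//   var ctx = new AuthenticationContext(authority, new RedisTokenCache(oid));
//   var result = await ctx.AcquireTokenSilentAsync(resource, clientCredential, new UserIdentifier(oid, UserIdentifierType.UniqueId));
```

The cache instance is created per request rather than shared, so every AuthenticationContext sees the current user's state only; AfterAccess fires on every access, which is why HasStateChanged gates the write.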

Changing user password in Azure AD using GraphAPI

The following pertains to a very specific scenario: You use Azure AD for some applications (e.g. Office365), but… …one of your applications does NOT use Azure AD (yet). It has its own authentication store and method (e.g. forms authn). However, you want to keep the application’s credentials in sync with AAD. Basically, allow same signon […]

Passive is good!

Some time back I wrote about avoiding handling of credentials (creation/maintenance/verification of user names, passwords, PINs, etc.) in your own application code, and instead delegating that functionality to a specialized, external identity provider (IdP; http://blogs.msdn.com/b/mrochon/archive/2014/12/02/should-an-application-handle-user-credentials.aspx). This aversion should apply even to the collection of credentials (e.g. asking the user for a user name/password). Even that role should be delegated […]