
I am building a Python web API where I want to use Azure AD as the authentication backend. In certain scenarios the clients need to authenticate through the API to be authorized for certain endpoints. The client itself is not able to authenticate to AD directly, so it needs to do it through the API using raw credentials (username, password). The API will then authenticate the user, receive the AD token and give it to the user.

So in short I am looking for a way to programmatically authenticate a user using username/password and receive the token using Python.

2 Answers


You can find the different authentication flows relevant for an application type and topology in this Azure AD article. The article links to the protocol overview for the authentication flows if you choose to implement.

There is also the ADAL Python auth library for Azure AD which you can use to do these flows.

Based on your scenario, you have a few options. If your client app can authenticate directly with Azure AD, you can take a look at the client credentials flow sample. If your application needs a user to authenticate and can have the user authenticate interactively, you can check out this auth code flow sample. Finally, if you must use the user's credentials to authenticate programmatically (without user interaction) in the app, you can refer to the resource owner password flow, but this is not encouraged, as mentioned in the other answer.


What you are describing is the OAuth 2 Resource Owner Password Credentials Grant flow.

Note: using this one is in general a really bad idea and some other flow should be considered instead.

What you are doing here is sending a POST request containing user credentials in clear text directly to the authentication endpoint, thus bypassing all possible added security that might be put in place.

Also, it will not work when

  1. MFA is enabled for the user
  2. User is federated or a MS account
  3. This flow has no way to handle expired passwords

Consider some other authorization flow if possible; you have, e.g.:

  • Authorization code flow
  • Implicit grant flow
  • Client credentials flow
  • Device authentication flow

See this link to help you select which flow to use.
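To make the objection in this answer concrete, here is an added example (not code from the question, either answer, or the ADAL library) showing what the v1 ROPC token request carries on the wire and how an API backend would have to handle the failure modes listed above. The HTTP transport is injected (`post`) so it runs offline; the `AADSTS` codes are taken from the public Azure AD error documentation and are assumptions, not values from this page.

```python
from urllib.parse import urlencode

# Azure AD v1 token endpoint used by ADAL (per-tenant).
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token"

# Error codes the backend cannot recover from with ROPC (assumed from Azure AD docs):
ROPC_HARD_FAILURES = {
    "AADSTS50076": "multi-factor authentication required; ROPC cannot satisfy it",
    "AADSTS50055": "password expired; ROPC has no way to handle a password change",
}


def build_ropc_request(tenant, client_id, username, password, resource):
    """Return (url, form_body) for a resource owner password credentials grant.
    The password is sent in the form body in the clear; TLS is its only
    protection, which is exactly why the answer discourages this flow."""
    body = urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "resource": resource,
        "username": username,
        "password": password,
    })
    return TOKEN_ENDPOINT.format(tenant=tenant), body


def redact_for_log(form_body):
    """Strip the password value before the body goes anywhere near API logs."""
    parts = []
    for pair in form_body.split("&"):
        if pair.startswith("password="):
            pair = "password=<redacted>"
        parts.append(pair)
    return "&".join(parts)


def acquire_token_ropc(post, tenant, client_id, username, password, resource):
    """post(url, body) -> (status, json_dict); injected so tests run offline.
    Returns a dict the API layer can turn into a response without leaking
    the raw Azure AD error text to the caller."""
    url, body = build_ropc_request(tenant, client_id, username, password, resource)
    status, payload = post(url, body)
    if status == 200 and "access_token" in payload:
        return {"ok": True, "access_token": payload["access_token"]}
    description = payload.get("error_description", "")
    for code, why in ROPC_HARD_FAILURES.items():
        if code in description:
            # MFA, expired password: fall back to an interactive flow, not a retry.
            return {"ok": False, "code": code, "reason": why}
    return {"ok": False, "code": None, "reason": payload.get("error", "unknown")}
```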
