Azure Active Directory with MVC, the client and resource identify the same application

4
votes

Following up this question:

How to do both Azure Active Directory Single Sign On and Forms Authentications on ASP.NET MVC

I have tried writing the simple code on Login action of default MVC 4 which uses both default Forms Authentication and Azure Active Directory SSO:

public async Task<ActionResult> Login(LoginModel model, string returnUrl)
{
    if (ModelState.IsValid && WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
    {
        return RedirectToLocal(returnUrl);
    }

    authContext = new AuthenticationContext(authority, new TokenCache());
    var result = await authContext.AcquireTokenAsync(resourceId, clientId, new UserCredential(model.UserName, model.Password));

    // more code
}

So if the normal Login WebSecurity.Login is not successful, I try to acquire token from AAD by using ADAL.NET with credential (username/password) following this post: http://www.cloudidentity.com/blog/2014/07/08/using-adal-net-to-authenticate-users-via-usernamepassword/

When running application I got the error from Azure:

AADSTS90027: The client '[ClientId]' and resource '[ResouceId]' identify the same application.

I am not sure whether it really makes sense to use ADAL with credential directly on MVC Login action. Please someone give me a hint on this stuff.

1
c#asp.net-mvcazure-active-directory
I still recommend you rethink your approach and consider a passive auth. - Wiktor Zychla
stackoverflow.com/questions/16452848/… - cuongle
Exactly, the 2fac auth is possibly one of the biggest arguments to favor the passive auth over the scenario you'd like to implement. - Wiktor Zychla
@WiktorZychla: Yes, you are right, thanks for your recommendation, this is not gonna work out for us, even 2 factor authentication, we go ahead with your and below answer's recommendation - cuongle

1 Answers

4
votes

ADAL is not meant to achieve web sign-on in a web application. ADAL helps an application to obtain a token for accessing another resource: in other words, it helps your application to be a CLIENT. Moreover, the username/password is not available in web apps as it is meant to be used only in native applications. In order to use both FormsAuth and Azure AD, please consider adding both the ASP.NET identity middleware and the OpenId Connect middleware. The OpenId Connect middleware is the library one should use for achieving web SSO with Azure AD.