Azure Active Directory authentication from native application without requiring user login

2
votes

Here is what I am trying to accomplish - A native application which is going to be run on a system where I cannot involve the user to login but I want to access web services secured behind AAD using a bearer token. There are two options -

  1. Use a certificate based flow (which I want to avoid for few reasons specific to my project)
  2. Use the client secret

Issue I am running into: When I call acquiretokenasync using the Native AAD application's client ID and a client credential built using the AAD web application's (which the native app has permissions to) client secret, I get the following error -

{"AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID: f52cc954-2674-47ee-9a7b-094451b05c7c\r\nCorrelation ID: 1ba8ac64-cc4a-4ff7-83d6-a333504459d6\r\nTimestamp: 2016-08-20 01:45:08Z"}

So given that the client secret is indeed correct (which I am positive about), what could be the real issue behind this error?

Thanks in advance for your help :)

2
azureauthenticationadal

2 Answers

0
votes

You can't use the native application client ID and web application client credential (client secret). The native application has no associated secret, only the web application has. Native applications are assumed to run on insecure hosts, such as the desktops and smartphones. Client secrets would become too fragile.

For more information on how to authenticate a native application and access resources, take a look at these articles:

0
votes

There are two types of application which we can register in Azure Active Directory.

  1. Select Native for client applications that are installed locally on a device. This setting is used for OAuth public native clients.
  2. Select Web app/API for client applications and resource/API applications that are installed on a secure server. This setting is used for OAuth confidential web clients and public user-agent-based clients. The same application can also expose both a client and resource/API.

Native applications are public clients in OAuth2 parlance. Those apps are meant to run on a device and aren't trusted to maintain a secret - hence, their entry in the directory does not have the corresponding property. Without a secret, there is no way to assert the identity of the app - hence such apps cannot gain app level permissions and the portal UX reflects that. Conversely web apps are, again in OAuth2 parlance, confidential clients. They can get delegated tokens for their users, but they can also use client credentials to get tokens as themselves. Native apps can obtain tokens for the user via the OAuth2 authorization grant.

Refer this article further.