Scenario: I have a service hosted in Azure. The service hosts a questions database. I want my android app to get the data from the service with Web Application Authentication and not Delegated Authentication. Basically I don't want users to sign in.

Research: I searched a lot, and in ADAL no variant of acquireToken takes a client secret to make it work. On .NET, the same thing can be done using ClientCredentials. The closest question asked on SO is Authenticate the user on Azure AD using ADAL library from Android native app.

The answer does not specifically tell how to achieve it.

1 Answer


Applications on a mobile phone or other Android devices are public client applications (native client applications). As noted in the specification, client authentication methods are not allowed for public clients.

In layman's terms, because public clients cannot keep a client secret, due to the nature of where the code lives and runs, it also cannot truly authenticate its client identity to AAD. For example, someone nefarious could sniff the web traffic of a native client device running your application, and replicate it with their own code, imitating your app. Therefore, only more strict authentication methods can be used, like Delegated Authentication.

If you need to make service to service calls (app-only calls) between two services, they must both be confidential clients. Technically, you could have your Android app act as if it were a confidential client by registering it with a Web App ID and a Client Secret, but our libraries won't help you do that. You will need to go back to the roots and make the HTTP calls yourself to acquire a token.
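For readers who do go "back to the roots", here is what those raw HTTP calls look like. This is an added example, not code from the question, the answer, or the ADAL library: it builds the OAuth 2.0 client credentials request against the ADAL-era (v1) token endpoint `https://login.microsoftonline.com/{tenant}/oauth2/token`, parses the JSON response, and inspects the resulting JWT to confirm it is an app-only token (an `appid` claim and no delegated-user claims such as `upn` or `scp`). The tenant, client id, secret, resource URI and the sample token response are all constructed placeholders. Note the comment on the secret: shipping it inside an APK is exactly the problem the answer describes, since anyone with the APK or a traffic capture can replay the same POST.

```python
"""Client-credentials (app-only) token acquisition against Azure AD by raw HTTP.

Added illustration, not part of the original Q&A and not ADAL code. Assumes the
v1 token endpoint and hypothetical tenant / client id / secret / resource values.
"""
import base64
import json
import urllib.parse
import urllib.request

V1_TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token"


def build_client_credentials_request(tenant, client_id, client_secret, resource):
    """Return (url, form-encoded body bytes) for the OAuth 2.0 client credentials grant."""
    url = V1_TOKEN_ENDPOINT.format(tenant=urllib.parse.quote(tenant, safe=""))
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        # A public client (APK on a phone) cannot protect this value: anyone who
        # extracts it or captures the POST can mint the same app-only token.
        "client_secret": client_secret,
        "resource": resource,  # v1 endpoint takes the API's App ID URI here
    }).encode("utf-8")
    return url, body


def parse_token_response(body_text):
    """Validate the token endpoint's JSON and return the access token string."""
    data = json.loads(body_text)
    if "error" in data:  # AAD returns {"error": ..., "error_description": ...} on failure
        raise RuntimeError(f"token request failed: {data['error']}: "
                           f"{data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise RuntimeError("unexpected token response shape")
    return data["access_token"]


def acquire_token(tenant, client_id, client_secret, resource, opener=None):
    """Perform the POST (network call) and return the access token."""
    url, body = build_client_credentials_request(tenant, client_id, client_secret, resource)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    opener = opener or urllib.request.build_opener()
    with opener.open(req, timeout=30) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


def bearer_request(api_url, access_token):
    """Build the request the Android app would send to the questions service."""
    return urllib.request.Request(
        api_url, headers={"Authorization": "Bearer " + access_token})


def decode_jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature. This is for
    inspection only; the service receiving the token must validate signature,
    audience (aud) and expiry (exp) itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_app_only(claims):
    """An app-only token identifies the calling application (appid) and carries
    no delegated-user claims (no upn, no scp)."""
    return "appid" in claims and "upn" not in claims and "scp" not in claims


def _b64url(raw):
    """Unpadded base64url, as used in JWT segments (helper for the sample below)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed sample data so the example runs offline (not a real AAD token).
SAMPLE_APP_ONLY_CLAIMS = {"aud": "https://api.example.com/", "appid": "0000-app-id",
                          "tid": "0000-tenant-id", "roles": ["Questions.Read.All"]}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_APP_ONLY_CLAIMS).encode()),
    "",  # empty signature segment: sample only, never accept such a token server-side
])
SAMPLE_RESPONSE = json.dumps({"token_type": "Bearer", "expires_in": "3599",
                              "resource": "https://api.example.com/",
                              "access_token": SAMPLE_TOKEN})

if __name__ == "__main__":
    token = parse_token_response(SAMPLE_RESPONSE)
    claims = decode_jwt_claims(token)
    print("app-only token:", is_app_only(claims), "| appid:", claims["appid"])
```

Everything before `acquire_token` is a plain HTTP exchange, which is the point of the answer: no library is required, but nothing in the flow proves the caller is your app rather than a copy of it.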