1
votes

Our application is using the ADAL SDK for both the Android and iOS platforms. We want to add support for B2B and shared data between tenants, assuming the user from the home tenant was already invited to a different tenant.

I wanted to know what the API is to get a token for the inviting tenant, assuming the user already signed in to the home tenant before. What is the way to silently acquire a token for the inviting tenant?

I tried and managed to get a token using interactive sign-in (by providing the specific inviting tenant id instead of using common), but I am not sure how to perform silent sign-in to the inviting tenant (when the user has a token for the home tenant).

What I managed to do is to silently acquire a token for the home tenant and then use the refresh token I got in order to get a token for the inviting tenant by calling the acquireTokenByRefreshToken function (using two AuthenticationContexts: one with the common authority and the second with the specific tenant id). But then I noticed that in the Android SDK acquireTokenByRefreshToken is marked as deprecated, and in the iOS SDK it seems this function is private, so we can't really use it.

So what I wanted to know is: what is the right API to get a token for the inviting tenant using a token of the home tenant and the id of the inviting tenant?

3 Answers

1
votes

Guest access in ADAL for Android is supported by versions 1.14.x+ (released Feb 2018); a link to the latest releases can be found here. They are available for download on Maven Central.

For guest scenarios, the AuthenticationContext can be reconstructed with an authority URL containing the tenant id. acquireTokenSilent calls can then be made using the UserInfo.userId acquired from the AuthenticationResult of a previous acquireToken or acquireTokenSilent call.

Please note, as of Oct 2018 (the time of this answer's writing), there are some limitations to be aware of as to how cross-tenant refresh tokens are supported:

If you are trying to execute the flow where...

  1. You acquire a token (using UI and asking user to enter credentials) for the home tenant and...
  2. Then you acquire a token silently for the guest tenant

Then this will work only in the case where the device has been joined (registered) to the home tenant. In every other case the following is the supported flow:

  1. You acquire a token (interactively, using UI to enter creds) for the home tenant and...
  2. Then you acquire a token silently for the home tenant
  3. You acquire a token (interactively, using UI to enter creds) for the guest tenant and...
  4. Then you acquire a token silently for the guest tenant
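As an added example (not code from the question, this answer, or the ADAL project), the two-context flow described above written against the ADAL for Android API: an interactive sign-in to the home tenant, the UserInfo.userId captured from that AuthenticationResult, then a silent request through a second AuthenticationContext whose authority names the guest tenant, with the interactive guest sign-in as the fallback for devices that are not registered to the home tenant. CLIENT_ID, REDIRECT_URI, RESOURCE, HOME_TENANT_ID and GUEST_TENANT_ID are placeholders, and GuestTenantTokens is a hypothetical helper class:

```java
// Added example, not from the page or the ADAL project. The tenant ids, client id,
// redirect URI and resource below are placeholders (assumptions), not real values.
import android.app.Activity;
import android.util.Log;

import com.microsoft.aad.adal.AuthenticationCallback;
import com.microsoft.aad.adal.AuthenticationContext;
import com.microsoft.aad.adal.AuthenticationResult;
import com.microsoft.aad.adal.PromptBehavior;

public final class GuestTenantTokens {
    private static final String TAG = "GuestTenantTokens";
    private static final String AUTHORITY_BASE = "https://login.microsoftonline.com/";
    private static final String HOME_TENANT_ID = "<home-tenant-id>";    // placeholder
    private static final String GUEST_TENANT_ID = "<guest-tenant-id>";  // placeholder
    private static final String CLIENT_ID = "<client-id>";              // placeholder
    private static final String REDIRECT_URI = "<redirect-uri>";        // placeholder
    private static final String RESOURCE = "https://graph.microsoft.com"; // example resource

    private final Activity activity;
    // One context per authority: the token cache is keyed by authority, so a silent
    // request for the guest tenant must go through the guest-tenant context.
    private final AuthenticationContext homeContext;
    private final AuthenticationContext guestContext;
    // Only the opaque user id is kept between steps; the app never handles the
    // refresh token itself, which is what the deprecated API required.
    private String userId;

    public GuestTenantTokens(Activity activity) {
        this.activity = activity;
        this.homeContext = new AuthenticationContext(
                activity.getApplicationContext(), AUTHORITY_BASE + HOME_TENANT_ID, true);
        this.guestContext = new AuthenticationContext(
                activity.getApplicationContext(), AUTHORITY_BASE + GUEST_TENANT_ID, true);
    }

    /** Step 1: interactive sign-in to the home tenant; remembers UserInfo.userId. */
    public void signInHome(final AuthenticationCallback<AuthenticationResult> done) {
        homeContext.acquireToken(activity, RESOURCE, CLIENT_ID, REDIRECT_URI,
                PromptBehavior.Auto, new AuthenticationCallback<AuthenticationResult>() {
                    @Override public void onSuccess(AuthenticationResult result) {
                        if (result.getUserInfo() != null) {
                            userId = result.getUserInfo().getUserId();
                        }
                        done.onSuccess(result);
                    }
                    @Override public void onError(Exception e) { done.onError(e); }
                });
    }

    /**
     * Step 2: silent token for the guest tenant using the home-tenant user id.
     * Per the answer above this only succeeds on a device registered to the home
     * tenant; elsewhere ADAL reports an error and we fall back to an interactive
     * sign-in against the guest tenant, after which silent calls on guestContext work.
     */
    public void acquireGuestToken(final AuthenticationCallback<AuthenticationResult> done) {
        if (userId == null) {
            done.onError(new IllegalStateException("sign in to the home tenant first"));
            return;
        }
        guestContext.acquireTokenSilentAsync(RESOURCE, CLIENT_ID, userId,
                new AuthenticationCallback<AuthenticationResult>() {
                    @Override public void onSuccess(AuthenticationResult result) {
                        done.onSuccess(result);
                    }
                    @Override public void onError(Exception e) {
                        Log.i(TAG, "silent guest-tenant request failed, prompting: " + e);
                        guestContext.acquireToken(activity, RESOURCE, CLIENT_ID, REDIRECT_URI,
                                PromptBehavior.Auto, done);
                    }
                });
    }

    /** Forward the hosting Activity's onActivityResult to whichever context prompted. */
    public void onActivityResult(int requestCode, int resultCode, android.content.Intent data) {
        homeContext.onActivityResult(requestCode, resultCode, data);
        guestContext.onActivityResult(requestCode, resultCode, data);
    }
}
```

The hosting Activity must forward onActivityResult to the helper, otherwise the interactive callbacks never fire. Keeping only the user id between steps, rather than the refresh token, lets ADAL own the cache lookup and renewal and avoids the deprecated acquireTokenByRefreshToken path the question mentions.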

0
votes

It seems that for a device which is not enrolled (and not registered?) you must do an interactive sign-in to the external tenant before getting an access token.

However, as you can see in the first answer (second part), there is a REST API that can be used in order to get an access token for the external tenant using only the refresh token of the home tenant (and without forcing the user to do an interactive sign-in).

This is not supported today in the SDK.

-1
votes

will be removed from the next major release. We don't recommend developers taking dependency on refresh token,* ADAL will handle the cache lookup, and refresh the RT if necessary.

Based on the description, the next version of ADAL for Android will handle token renewal automatically for us. You can refer to the azure-activedirectory-library-for-dotnet library. It also handles token renewal automatically using
AcquireTokenAsync(string resource, string clientId, Uri redirectUri, IPlatformParameters parameters).

So what I wanted to know is: what is the right API to get a token for the inviting tenant using a token of the home tenant and the id of the inviting tenant?

Based on my understanding, the SDK doesn't support refreshing the access token for a different tenant. As a workaround, you can post the request directly, like below, to refresh the token:

POST https://login.microsoftonline.com/{targetTenant}/oauth2/token
grant_type=refresh_token&client_id={clientId}&client_secret={client_secret}&resource={resource}&refresh_token={refresh_token_from_home_tenant}