Azure Active Directory is becoming one of, if not the, primary user identity management services for cloud applications. One of Azure Active Directory's attractive features, especially for developers, is the Graph API. The Graph API provides a modern, REST-based interface into the directory that lets us read, write, update, and delete a wide range of directory data. In this session we'll set the foundation for how the directory is structured and what features it offers. We'll also demonstrate how to get started programming against the directory in order to use Azure Active Directory information in cloud and non-cloud applications.
Programming Azure Active Directory
CloudDevelop.org, Columbus, OH, October 17, 2014
Opening Keynote: Scott Guthrie, October 21st, :00am – 5:00pm PST
Assumptions: you know what Microsoft Azure is and likely have an Azure subscription. This is not an Active Directory design session. We review common scenarios; yours may be different. We're not going to cover it all today: these are large, complicated topics with many options and scenarios.
Azure Active Directory - What is it?
Multi-tenant "directory-as-a-service"
Identity & access for on-premises and cloud applications
NOT a cloud version of Windows Server AD

Two ways to use it:
Extend Windows Server AD to the cloud (each O365 tenant has an instance of AAD; the sync process is the same)
Directory & identity services without the need for Windows Server AD
[Diagram: Your App talks to AAD, which consists of a directory store and an authentication platform; on-premises Active Directory syncs into it]
Working with the Graph
Graph URL anatomy (base URL https://graph.windows.net, the resource the token is issued for):
Tenant (domain or objectId): collierdemo.onmicrosoft.com/
Entity (user, group, role, etc.): users
OData query ($filter, $top): ?$filter=givenName eq 'Jon'
API version (value removed on the slide): &api-version=
Graph Security
Service-to-Service: OAuth 2.0 grant type = Client Credentials
Parties: My Application; Azure AD authentication endpoint (OAuth); REST service (validates the token, processes the request, returns data; performs its authorization check against Azure Active Directory)
1) Application requests a JWT token from the Azure AD authentication endpoint (provides its clientId and secret)
2) Azure AD returns the JWT token
3) Application sends the HTTP request to the REST service with the JWT token
4) REST service returns the response
OAuth 2.0 Grant Type = Client Credentials (C#, using ADAL)
* Some values removed for readability. The OAuth 2.0 grant type, client_id, and client_secret are configured in the Azure portal.

    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    // get OAuth token using Client Credentials
    string tenantName = "GraphDir1.onMicrosoft.com";
    // The authority prefix was removed on the slide; "https://login.windows.net/"
    // is assumed here (the Azure AD authority ADAL expects for a tenant).
    string issuingAuthority = "https://login.windows.net/" + tenantName;
    AuthenticationContext authenticationContext = new AuthenticationContext(issuingAuthority, false);

    // Config for OAuth client credentials.
    // Do not ship these in source: in a real app load clientId/clientSecret from protected
    // configuration. The secret is a password for the application.
    string clientId = "118473c e3-a8e4-6da8d5f56e12";
    string clientSecret = "hOrJ0r0TZ4GQ3obp+vk3FZ7JBVP+TX353kNo6QwNq7Q=";
    ClientCredential clientCred = new ClientCredential(clientId, clientSecret);

    // resource = the API the token is requested for (the Graph; see the POST body that follows)
    string resource = "https://graph.windows.net";
    AuthenticationResult authenticationResult = authenticationContext.AcquireToken(resource, clientCred);
    string token = authenticationResult.AccessToken;
OAuth 2.0 Grant Type = Client Credentials: the token request ADAL sends
* Some values removed for readability (including the token endpoint URL on the POST line)

    POST
    Content-Type: application/x-www-form-urlencoded
    client-request-id: 1e38c3d3-dca3-42ff db607b3488c
    return-client-request-id: true

    resource=https%3A%2F%2Fgraph.windows.net&
    client_id=118473c e3-a8e4-6da8d5f56e12&
    client_secret=hOrJ0r0TZ4GQ3obp%2Bvk3FZ7JBVP%2BTX353kNo6QwNq7Q%3D&
    grant_type=client_credentials
OAuth 2.0 Grant Type = Client Credentials: the token response
* Some values removed for readability

    Content-Type: application/json; charset=utf-8
    client-request-id: 1e38c3d3-dca3-42ff db607b3488c
    Content-Length: 1160

    {
      "token_type": "Bearer",
      "expires_in": "3599",
      "expires_on": "",
      "not_before": "",
      "resource": "",
      "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImtyaU1QZG1Cdng2OHNrVDgtbVBBQjNCc2VlQSJ9.eyJhdWQiOiJodHRwczovL2dyYXBoLndpbmRvd3MubmV0IiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvNGZkMmIyZjItZWEyNy00ZmU1LWE4ZjMtN2IxYTdjOTc1ZjM0LyIsImlhdCI6MTQwNzYzNjg5NCwibmJmIjoxNDA3NjM2ODk0LCJleHAiOjE0MDc2NDA3OTQsInZlciI6IjEuMCIsInRpZCI6IjRmZDJiMmYyLWVhMjctNGZlNS1hOGYzLTdiMWE3Yzk3NWYzNCIsIm9pZCI6ImIwZGVhNTFlLWJkMDQtNGI5OS05NmEyLTE0ZDk5YjE5YmM2YS……………………"
    }

The access_token is a compact JWT (header.payload.signature, each base64url-encoded). The visible segments decode to a header of {"typ":"JWT","alg":"RS256","x5t":...} and a payload carrying aud (https://graph.windows.net, the resource requested), iss (https://sts.windows.net/{tenant id}/), iat, nbf, exp, ver, tid (the tenant id) and oid (the object id of the caller). Note that expires_in is returned as a string. The token is a bearer credential: whoever holds it can call the Graph as this application until exp, so treat it like the client secret and keep it out of logs.
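Step 3 of the service-to-service flow above is the REST service validating the JWT before doing any work. The following is an added example, not code from the slides or from Azure AD: it performs the claim checks a Graph-protected service must make on a token shaped like the one above (pinned algorithm, audience, issuer/tenant, validity window). Signature verification against the tenant's published RS256 signing keys (selected by the x5t header) is injected as a callable, and the token, tenant id and stand-in verifier used here are constructed for offline use.

```python
import base64
import json
import time

# Constructed values (not from the slides): claim names mirror the Azure AD
# payload decoded above; the tenant id is made up.
EXPECTED_AUDIENCE = "https://graph.windows.net"
ALLOWED_TENANTS = {"11111111-2222-3333-4444-555555555555"}
CLOCK_SKEW = 300  # seconds of tolerance applied to nbf/exp


class TokenError(Exception):
    """Raised when the token must be rejected; the message says why."""


def b64url_decode(segment: str) -> bytes:
    # Azure AD omits base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_jwt(token: str):
    """Split a compact JWT into (header, claims, signing_input, signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("not a three-part compact JWT")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError(f"undecodable token segment: {exc}")
    return header, claims, f"{parts[0]}.{parts[1]}", b64url_decode(parts[2])


def validate_graph_token(token, verify_signature, expected_aud=EXPECTED_AUDIENCE,
                         allowed_tenants=ALLOWED_TENANTS, now=None):
    """Authorization check a REST service runs on an Azure AD bearer token.

    verify_signature(signing_input, signature, header) -> bool must verify the
    RS256 signature with the tenant's published key matching header['x5t'].
    Returns the claims on success, raises TokenError otherwise.
    """
    now = time.time() if now is None else now
    header, claims, signing_input, signature = parse_jwt(token)

    # 1. Pin the algorithm; never let the token pick 'none' or an HMAC alg.
    if header.get("alg") != "RS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    if not verify_signature(signing_input, signature, header):
        raise TokenError("signature did not verify")

    # 2. Audience: a token minted for another resource is not ours to accept.
    if claims.get("aud") != expected_aud:
        raise TokenError(f"audience {claims.get('aud')!r} is not this service")

    # 3. Tenant: iss is https://sts.windows.net/{tid}/ and tid must be trusted,
    #    otherwise any Azure AD tenant could mint a token this service accepts.
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        raise TokenError(f"tenant {tid!r} is not allowed")
    if claims.get("iss") != f"https://sts.windows.net/{tid}/":
        raise TokenError(f"issuer {claims.get('iss')!r} does not match tenant")

    # 4. Validity window with a small skew allowance.
    nbf, exp = claims.get("nbf"), claims.get("exp")
    if not isinstance(nbf, (int, float)) or not isinstance(exp, (int, float)):
        raise TokenError("nbf/exp missing")
    if now < nbf - CLOCK_SKEW or now >= exp + CLOCK_SKEW:
        raise TokenError("token not yet valid or expired")
    return claims


def make_test_token(claims, alg="RS256"):
    """Constructed token for offline use; the signature is a placeholder that
    only stand_in_verifier accepts. A real token is signed by Azure AD."""
    header = {"typ": "JWT", "alg": alg, "x5t": "constructed-thumbprint"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    return signing_input + "." + b64url_encode(b"placeholder-signature")


def stand_in_verifier(signing_input, signature, header):
    # Stand-in for RS256 verification: accepts only the placeholder bytes.
    return signature == b"placeholder-signature"


def good_claims(now):
    """Constructed claim set in the shape of the slide's token payload."""
    tid = next(iter(ALLOWED_TENANTS))
    return {"aud": EXPECTED_AUDIENCE, "iss": f"https://sts.windows.net/{tid}/",
            "tid": tid, "oid": "constructed-object-id", "ver": "1.0",
            "iat": now, "nbf": now, "exp": now + 3600}


def rejection_reason(token, now, **kwargs):
    """None if the token is accepted, else the reason it was rejected."""
    try:
        validate_graph_token(token, stand_in_verifier, now=now, **kwargs)
        return None
    except TokenError as exc:
        return str(exc)
```

The check order matters: algorithm and signature first, so that no claim from an unverified token influences a decision; then audience and tenant, which are the two checks most often forgotten in multi-tenant services; then time.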
Putting it together:
1. Leverage ADAL and the Graph client library
2. Obtain an authentication token
3. Set GraphSettings with the API version of choice
4. Set filter properties (if desired)
5. Get, create, or delete users, groups, applications, etc.
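The same procedure against the raw REST endpoints, covering both the Graph URL anatomy (tenant, entity, OData query, api-version) and the five steps above. This is an added example, not the slides' code or the ADAL/Graph client library: the token endpoint URL, the API version value, the client id/secret and the transport responses are assumed or constructed, since the slides removed them. The `send` callable stands in for HTTPS so the flow runs offline; the point to take away is `odata_literal`, which doubles single quotes so user input cannot escape the $filter string literal.

```python
import json
import time
from urllib.parse import quote, urlencode

# graph.windows.net is the resource from the slides; the token endpoint is
# assumed (the POST line on the slide had its URL removed).
GRAPH_BASE = "https://graph.windows.net"
TOKEN_ENDPOINT = "https://login.windows.net/{tenant}/oauth2/token"


def odata_literal(value):
    """Quote a string for an OData $filter. A single quote inside the value is
    doubled, so caller-supplied input cannot close the literal and append its
    own predicate (the OData analogue of SQL injection)."""
    return "'" + str(value).replace("'", "''") + "'"


def build_graph_url(tenant, entity, api_version, filter_expr=None, top=None):
    """Assemble tenant / entity / OData query / api-version as on the slide."""
    query = []
    if filter_expr:
        query.append(("$filter", filter_expr))
    if top is not None:
        query.append(("$top", str(int(top))))
    query.append(("api-version", api_version))
    encoded = "&".join(f"{k}={quote(v, safe=chr(39))}" for k, v in query)
    return f"{GRAPH_BASE}/{quote(tenant, safe='')}/{quote(entity, safe='')}?{encoded}"


def token_request(tenant, client_id, client_secret):
    """The client_credentials POST from the slide: (url, headers, form body)."""
    body = urlencode({"resource": GRAPH_BASE, "client_id": client_id,
                      "client_secret": client_secret,
                      "grant_type": "client_credentials"})
    return (TOKEN_ENDPOINT.format(tenant=quote(tenant, safe="")),
            {"Content-Type": "application/x-www-form-urlencoded"}, body)


class GraphClient:
    """Daemon-style client. send(method, url, headers, body) -> (status, text)
    is injected so the flow runs offline; in production it is an HTTPS call."""

    def __init__(self, tenant, client_id, client_secret, api_version, send):
        self._tenant, self._client_id, self._secret = tenant, client_id, client_secret
        self._api_version, self._send = api_version, send
        self._token, self._expires_at = None, 0.0

    def access_token(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - 60:  # refresh early
            url, headers, body = token_request(self._tenant, self._client_id, self._secret)
            status, payload = self._send("POST", url, headers, body)
            if status != 200:
                raise RuntimeError(f"token endpoint returned {status}")
            data = json.loads(payload)
            if data.get("token_type") != "Bearer":
                raise RuntimeError("unexpected token_type")
            self._token = data["access_token"]
            self._expires_at = now + int(data["expires_in"])  # a string on the wire
        return self._token

    def users_by_given_name(self, given_name, now=None):
        url = build_graph_url(self._tenant, "users", self._api_version,
                              filter_expr=f"givenName eq {odata_literal(given_name)}")
        headers = {"Authorization": f"Bearer {self.access_token(now)}",
                   "Accept": "application/json"}
        status, payload = self._send("GET", url, headers, None)
        if status != 200:
            raise RuntimeError(f"graph returned {status}")
        return json.loads(payload)["value"]


def fake_transport(method, url, headers, body):
    """Constructed stand-in for Azure AD and the Graph; all values are made up."""
    if method == "POST" and url.endswith("/oauth2/token"):
        if "grant_type=client_credentials" not in body or "client_secret=" not in body:
            return 400, json.dumps({"error": "invalid_request"})
        return 200, json.dumps({"token_type": "Bearer", "expires_in": "3599",
                                "access_token": "constructed.jwt.token"})
    if method == "GET" and headers.get("Authorization") == "Bearer constructed.jwt.token":
        if "$filter=givenName%20eq%20'Jon'&" in url:  # exact literal, no trailing predicate
            return 200, json.dumps({"value": [{"displayName": "Jon Example",
                                               "givenName": "Jon"}]})
        return 200, json.dumps({"value": []})
    return 401, json.dumps({"odata.error": {"message": "Access denied"}})


if __name__ == "__main__":
    client = GraphClient("collierdemo.onmicrosoft.com", "hypothetical-client-id",
                         "hypothetical-secret", "1.5", fake_transport)  # api-version assumed
    print(client.users_by_given_name("Jon"))
```

The client caches the token until shortly before exp, so a busy daemon does not hit the token endpoint on every Graph call, and the secret never appears in any URL or log line, only in the POST body sent over HTTPS.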
Questions?
Opening Keynote: Scott Guthrie, September 25, :00am – 5:00pm PST
Scenarios
Clients: Browser, Native/Mobile, Daemon/Server
Browser calls a Web Application, which can call other web APIs
Native/Mobile and Daemon/Server clients call a Web API, which can call other web APIs
Web APIs include the AAD Graph, O365, and custom APIs
More info at