AAD Resource Owner Password Credentials
Overview
The Microsoft identity platform supports the OAuth 2.0 Resource Owner Password Credentials (ROPC) grant. This flow is limited and not recommended: the application handles the user's password directly, and because there is no browser interaction, the flow cannot satisfy MFA or an interactive Conditional Access policy. There are still use cases, typically legacy or automated clients with no browser, where it is necessary.
In this article you will acquire a token with ROPC and use it to call a secured Azure API.
ROPC Flow
- Personal Microsoft accounts that are invited to an Azure AD tenant can't use ROPC.
- Users who must complete MFA (or an interactive Conditional Access challenge) can't use ROPC; the token endpoint returns an error instead of a token.
- ROPC is not supported in hybrid identity federation scenarios (for example AD FS). Pass-through authentication is supported with ROPC, however.
AAD Token Endpoint
To acquire an access token, POST to the Microsoft identity platform token endpoint, https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token, with a form-urlencoded body containing grant_type=password, the client_id, the requested scope, and the user's username and password. Here is a Postman example.
The response carries the bearer access token; a refresh token and an ID token are also returned, because the request body included the OpenID Connect scopes offline_access and openid.
{
"token_type": "Bearer",
"scope": "https://management.azure.com/user_impersonation",
"expires_in": 3599,
"ext_expires_in": 3599,
"access_token": "eyJ0eXAiOi...",
"refresh_token": "0.AAAA18g...",
"id_token": "eyJ0eXAiOiJ..."
}
OpenID Connect Scopes
- offline_access: on the Microsoft identity platform (requests made to the v2.0 endpoint), your app must explicitly request the offline_access scope to receive a refresh token.
- openid: the openid scope can be used at the Microsoft identity platform token endpoint to acquire an ID token.
Query Azure IP Group
After you get the access token, send it as a bearer token (Authorization: Bearer ...) to the Azure Resource Manager API to query an IP group resource named workloadGroup.
A valid token only proves who the caller is. Azure then checks whether testuser1 has an RBAC role assignment covering the resource; if not, ARM answers 403 with the AuthorizationFailed error code.
Access Token Expiration and Refresh Token
The access token is short-lived; the response's expires_in field gives the remaining lifetime in seconds (3599 above), and Microsoft documents a default lifetime that varies between 60 and 90 minutes, so read expires_in rather than assume one hour. After it expires you need a new access token. The same token endpoint issues one from the refresh token: POST grant_type=refresh_token with the refresh_token, the client_id and the scope.
Powershell Code Example
If you wish to use PowerShell to call the AAD token endpoint and query an Azure resource, see the following code example.
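An added end-to-end example, written for this article rather than taken from it, that covers the token request with the openid and offline_access scopes, the IP group query, and the refresh_token grant from the sections above. The tenant, client, subscription and resource group values, the api-version, and the UPN of testuser1 are placeholders (assumptions); the IP group name workloadGroup is the article's.

```powershell
# Added example (not the article's code). Placeholder values below are assumptions.
$tenantId       = '00000000-0000-0000-0000-000000000000'
$clientId       = '11111111-1111-1111-1111-111111111111'   # app registration with public client flows enabled
$subscriptionId = '22222222-2222-2222-2222-222222222222'
$resourceGroup  = 'rg-network'
$ipGroupName    = 'workloadGroup'                          # IP group named in the article
$username       = 'testuser1@contoso.onmicrosoft.com'      # testuser1 from the article; UPN assumed
$password       = Read-Host -Prompt "Password for $username" -AsSecureString

$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
# user_impersonation on ARM; openid adds an ID token, offline_access adds a refresh token.
$scope = 'https://management.azure.com/user_impersonation openid offline_access'

function Invoke-TokenEndpoint([hashtable]$Body) {
    # Both grants use the same endpoint and form-urlencoded body; only grant_type differs.
    $Body.client_id = $clientId
    $Body.scope     = $scope
    $resp = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body `
        -ContentType 'application/x-www-form-urlencoded'
    # Record the absolute expiry from expires_in instead of assuming a one-hour lifetime.
    $resp | Add-Member -NotePropertyName ExpiresAt `
        -NotePropertyValue (Get-Date).AddSeconds($resp.expires_in) -PassThru
}

function Get-RopcToken([string]$User, [securestring]$Pass) {
    # ROPC sends the cleartext password in the request body: the client sees it, and no MFA
    # or interactive Conditional Access can run. This is why the flow is not recommended.
    $plain = [System.Net.NetworkCredential]::new('', $Pass).Password
    Invoke-TokenEndpoint -Body @{ grant_type = 'password'; username = $User; password = $plain }
}

function Update-RopcToken([string]$RefreshToken) {
    Invoke-TokenEndpoint -Body @{ grant_type = 'refresh_token'; refresh_token = $RefreshToken }
}

function Get-ValidAccessToken([ref]$TokenRef) {
    # Refresh when within 5 minutes of expiry; the refresh token exists because of offline_access.
    if ((Get-Date) -ge $TokenRef.Value.ExpiresAt.AddMinutes(-5)) {
        $TokenRef.Value = Update-RopcToken -RefreshToken $TokenRef.Value.refresh_token
    }
    $TokenRef.Value.access_token
}

function Get-IpGroup([string]$AccessToken) {
    $uri = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
           "/providers/Microsoft.Network/ipGroups/$ipGroupName" + '?api-version=2021-05-01'
    try {
        Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $AccessToken" }
    }
    catch {
        # 401: token rejected (expired, wrong audience). 403: authenticated, but RBAC denies the user.
        $status = [int]$_.Exception.Response.StatusCode
        throw "ARM returned HTTP $status for $ipGroupName : $($_.ErrorDetails.Message)"
    }
}

$token   = Get-RopcToken -User $username -Pass $password
$ipGroup = Get-IpGroup -AccessToken (Get-ValidAccessToken ([ref]$token))
$ipGroup | Select-Object name, location,
    @{ n = 'ipAddresses'; e = { $_.properties.ipAddresses -join ', ' } }
```

Run it in a session where the PowerShell transcript and history are not captured, since the form body carries the password. The access token returned for this scope is in the v1.0 format (issuer sts.windows.net, audience https://management.core.windows.net/) even though the request went to the v2.0 endpoint; the token format is chosen by the resource (ARM), not by the endpoint, so do not hard-code the audience you expect to see.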
Create Client ID
You might notice that the client_id field is mandatory when calling the token endpoint.
You can create the AAD app registration in the Azure portal. After the app registration is created, configure the API permission (user_impersonation on Azure Service Management) and turn on the public client setting (Allow public client flows under Authentication); without it the token endpoint refuses the password grant for that client_id.
Alternatively, use PowerShell and New-AzureADApplication to create the app registration.
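An added example, not the article's own code, of creating that app registration with the New-AzureADApplication cmdlet the article names. The display name is an assumption; the appId of the Azure Service Management API is Microsoft's well-known value and the scope id is resolved from the tenant rather than hard-coded. The AzureAD module has since been deprecated by Microsoft in favour of Microsoft Graph PowerShell, so treat this as the legacy form.

```powershell
# Added example (not the article's code). Requires the AzureAD module; run Connect-AzureAD first.
Connect-AzureAD | Out-Null

# Well-known appId of the Azure Service Management API, the resource behind
# https://management.azure.com/. Resolve the user_impersonation scope id in the tenant.
$armAppId = '797f4846-ba00-4fd7-ba43-dac1f8f63013'
$armSp    = Get-AzureADServicePrincipal -Filter "appId eq '$armAppId'"
$scopeId  = ($armSp.Oauth2Permissions | Where-Object { $_.Value -eq 'user_impersonation' }).Id
if (-not $scopeId) { throw 'user_impersonation scope not found on the ARM service principal' }

# Delegated permission ('Scope') to ARM, the API permission the article configures in the portal.
$access = New-Object -TypeName Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$access.ResourceAppId  = $armAppId
$access.ResourceAccess = New-Object -TypeName Microsoft.Open.AzureAD.Model.ResourceAccess `
    -ArgumentList $scopeId, 'Scope'

# -PublicClient $true is the portal's "Allow public client flows" switch. ROPC has no client
# secret, so the token endpoint only accepts the password grant for a public client.
$app = New-AzureADApplication -DisplayName 'ropc-test-client' `     # display name assumed
    -PublicClient $true -RequiredResourceAccess $access

# A service principal is needed before anyone can consent to the app in this tenant.
New-AzureADServicePrincipal -AppId $app.AppId | Out-Null

"client_id = $($app.AppId)"
```

ROPC cannot show a consent prompt, so consent for user_impersonation must already exist before the first token request: either grant admin consent on the app's API permissions blade, or have the user consent once through an interactive sign-in. Otherwise the token endpoint returns a consent_required style error instead of a token.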
Acquire Token from Powershell
With Az.Accounts 2.1 or later, call Get-AzAccessToken (use -ResourceUrl to choose the audience) to get an access token for the signed-in context.
With Az.Accounts 1.9.5 you can read the access token from the token cache:
$currentContext = Get-AzContext | Where-Object {$_.Subscription.Id -eq $subscriptionId -and $_.Tenant.Id -eq $tenantId}
$accessToken = $currentContext.TokenCache.ReadItems() | Where-Object {$_.Resource -like 'https://management*windows.net/'}
The cached item is an ADAL token cache entry; its AccessToken property holds the bearer string. Note that recent Az.Accounts versions return the token from Get-AzAccessToken as a SecureString rather than plain text.
Token Claims
The access token is a JWT (compact JWS) with three base64url-encoded portions separated by dots:
- HEADER: ALGORITHM & TOKEN TYPE (alg, typ, and the kid of the signing key)
- PAYLOAD: DATA (the claims)
- SIGNATURE
The decoded payload below is a v1.0-format token (issuer sts.windows.net, audience https://management.core.windows.net/), which is what ARM accepts; decoding the payload is not validation, and the resource server must still verify the signature against the issuer's published keys and check exp, nbf and aud before trusting any claim.
{
"aud": "https://management.core.windows.net/",
"iss": "https://sts.windows.net/.../",
"iat": 1651178376,
"nbf": 1651178376,
"exp": 1651183995,
...
"sub": "...",
...
}
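An added example, not from the article, that splits a token into its three portions, base64url-decodes the header and payload, and runs the client-side checks on the iat, nbf, exp and aud claims described above. The token it reads is constructed inline from the article's claim layout with a fake signature, so it runs without contacting Azure; the kid, tenant id and sub values are placeholders.

```powershell
# Added example (not the article's code). Sample token is constructed below; signature is fake.

function ConvertTo-Base64Url([byte[]]$Bytes) {
    # JWT parts use base64url without padding (RFC 7515 Appendix C).
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # restore padding
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Read-Jwt([string]$Token) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature)' }
    [pscustomobject]@{
        Header    = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
        Payload   = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
        Signature = $parts[2]   # kept opaque; verifying it needs the issuer's public key
    }
}

# Constructed sample using the claim layout shown in the article (placeholder kid/tenant/sub).
$enc       = [System.Text.Encoding]::UTF8
$header    = ConvertTo-Base64Url $enc.GetBytes('{"typ":"JWT","alg":"RS256","kid":"example-kid"}')
$payload   = ConvertTo-Base64Url $enc.GetBytes('{"aud":"https://management.core.windows.net/",' +
             '"iss":"https://sts.windows.net/00000000-0000-0000-0000-000000000000/",' +
             '"iat":1651178376,"nbf":1651178376,"exp":1651183995,"sub":"example-sub"}')
$signature = ConvertTo-Base64Url $enc.GetBytes('not-a-real-signature')
$sampleJwt = $header + '.' + $payload + '.' + $signature

$jwt = Read-Jwt $sampleJwt
"alg={0} kid={1}" -f $jwt.Header.alg, $jwt.Header.kid

# Client-side sanity checks. These do not replace signature validation by the resource server.
$now      = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$lifetime = $jwt.Payload.exp - $jwt.Payload.iat
"issued   : $([DateTimeOffset]::FromUnixTimeSeconds($jwt.Payload.iat))"
"expires  : $([DateTimeOffset]::FromUnixTimeSeconds($jwt.Payload.exp)) (lifetime $lifetime s)"
"usable   : $(($now -ge $jwt.Payload.nbf) -and ($now -lt $jwt.Payload.exp))"

# ARM accepts either of its two audience URIs; anything else means the token was minted
# for a different API and must not be presented to ARM (or accepted by it).
$armAudiences = 'https://management.core.windows.net/', 'https://management.azure.com/'
if ($jwt.Payload.aud -notin $armAudiences) {
    Write-Warning "Token audience is not ARM: $($jwt.Payload.aud)"
}
```

The sample's exp minus iat is 5619 seconds, not the 3599 seconds from the article's expires_in, which illustrates why a client should read the lifetime from the response or the exp claim rather than assume one hour. A bearer token should also never be logged or pasted into tools you do not control: the payload is only encoded, not encrypted, and the token itself is the credential.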
The meaning of the claims above, quoted from RFC 7519, section 4.1:
4.1.1. "iss" (Issuer) Claim
The "iss" (issuer) claim identifies the principal that issued the JWT. The processing of this claim is generally application specific. The "iss" value is a case-sensitive string containing a StringOrURI value. Use of this claim is OPTIONAL.
4.1.2. "sub" (Subject) Claim
The "sub" (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject. The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique. The processing of this claim is generally application specific. The "sub" value is a case-sensitive string containing a StringOrURI value. Use of this claim is OPTIONAL.
4.1.3. "aud" (Audience) Claim
The "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected. In the general case, the "aud" value is an array of case-sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific. Use of this claim is OPTIONAL.
Reference Links
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
https://www.rfc-editor.org/rfc/rfc7519 (JSON Web Token, section 4.1 quoted above)