Initiate Azure AD v2 Authentication Request

Q

How to initiate Azure AD v2.0 Sign-On Authentication Request?

✍: FYIcenter.com

A

The Azure AD v2.0 Sign-On Authentication Request must be initiated from the end user's Web browser, because the Azure AD service needs to communicate with the Web browser to make sure that the end user is signed on to an AD (Active Directory) and has a valid browser session.

There are a number of options to initiate Azure AD v2.0 Sign-On Authentication Request:

1. Using HTML "form" POST method to let the end user submit the request. All request parameters are coded as hidden form variables. For example:

<p>Please click the button flow to sign-on:</p>
<form method="POST" 
   action="https://login.microsoftonline.com/common/oauth2/v2.0/authorize">
<input type="hidden" name="client_id"
   value="bd51d56c-e744-4a58-91e1-************">
...
<input type="Submit" name="Submit" value="Sign-On">
</form>

The main risk of this option is that your end user can view HTML source to see your "client_id" value and other request parameters.

2. Using HTML "form" GET method to let the end user submit the request. All request parameters are coded as hidden form variables. For example:

<p>Please click the button flow to sign-on:</p>
<form method="GET" 
   action="https://login.microsoftonline.com/common/oauth2/v2.0/authorize">
<input type="hidden" name="client_id"
   value="bd51d56c-e744-4a58-91e1-************">
...
<input type="Submit" name="Submit" value="Sign-On">
</form>

This option is not as good as the first option, because all parameters show up in the browser's Web address area for a short period of time before Azure AD service redirects the browser to the sign-on page or your application page.

Note that all parameters may stay in the browser's Web address area for a long time if there is any issue with your authentication request.

3. Use a server side script to return a HTTP 302 redirect response. All request parameters are coded as the query string of the redirect URL. For example:

In the HTML document: 
<p>Click hereto sign-on</p>

In the service side script, Azure-AD-Redirect.php:
$url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize".
   "?client_id=bd51d56c-e744-4a58-91e1-************".
   "&...";
header("Location: $url");

When the Web receives the HTTP 302 redirect response, it will automatically call the URL given in the "Location" response header.

This option is does not leave your client_id value in the HTML source code. But all parameters show up in the browser's Web address area for a short period of time before Azure AD redirects the browser the sign-on page or your application page.

Note that all parameters may stay in the browser's Web address area for a long time if there is any issue with your authentication request.

Compare to other options, option 3 might be the best option.

⇒ Process Azure AD v2 Authentication Request

⇐ Azure AD v2 Sign-On Authentication Request

⇑ Azure AD Integration v2.0

⇑⇑ OpenID Tutorials

2019-05-03, 1405🔥, 0💬

Azure AD v2 OpenID Metadata Document
What is the Azure AD v2.0 OpenID Metadata Document? Azure AD v2.0 OpenID Metadata Document is an online JSON document that contains most of the information required for an app to perform sign-in. This includes information such as the URLs to use and the location of the service's public signing keys.... 2021-01-09, ∼1798🔥, 0💬

Azure AD v2 Error: Invalid Reply URL
Why Azure AD v2.0 display this error message: AADSTS50011: The reply url specified in the request does not match the reply URLsconfigured for the application? The root cause of this error is that you forgot the add the "redirect_uri" in your authentication request to Application ID settings on Azure... 2019-05-03, ∼1741🔥, 0💬

Authentication Flows with Azure AD v2
What are Authentication Flows Supported by Azure AD v2.0 service? Azure AD v2.0 service supports 3 Authentication Flows: 1. Implicit Flow - The Implicit Flow is simple to implement. But it is less secure. Authentication is done in a single call to Azure AD service, which returns the "id_token" conta... 2021-01-09, ∼1592🔥, 0💬

Azure AD Integration Versions 1 and 2
What are differences of v1.0 and v2.0 of Azure AD Integration? The main difference between v1.0 and v2.0 of Azure AD Integration is who can sign in to your application: Azure AD v1.0 allows only work and school accounts to sign in to your application. Azure AD v2.0 allows work and school accounts fr... 2021-01-09, ∼1569🔥, 0💬

Azure AD Integration v2.0
Where to find tutorials on Azure AD Integration v2.0? Here is a list of tutorials to answer many frequently asked questions compiled by FYIcenter.com team on Azure AD Integration v2.0. Authentication Flows with Azure AD v2 Azure AD v2 OpenID Metadata Document Azure AD v2 Sign-On Authentication Reque... 2021-01-09, ∼1517🔥, 0💬

Process Azure AD v2 Authentication Request
How to the Azure AD v2.0 Sign-On Authentication Request is process by Azure AD service? When Azure AD service receives a Sign-On Authentication Request from an end user's Web browser, it will: Verify if the "client_id" value in the request is valid. If not, display an error message page to the end u... 2019-05-03, ∼1479🔥, 0💬

Authentication Response Received from Azure AD v2
How to process the authentication response received from Azure AD v2.0 service after sending a sign-on authentication request? After Azure AD v2.0 service receives a sign-on authentication request from the end user's Web browser, it will process the request and redirect the Web browser to the "redir... 2019-05-03, ∼1410🔥, 0💬

Initiate Azure AD v2 Authentication Request
How to initiate Azure AD v2.0 Sign-On Authentication Request? The Azure AD v2.0 Sign-On Authentication Request must be initiated from the end user's Web browser, because the Azure AD service needs to communicate with the Web browser to make sure that the end user is signed on to an AD (Active Direct... 2019-05-03, ∼1406🔥, 0💬

Azure AD v2 Authentication Request Test Page
How to build an Azure AD 2.0 Authentication Request Test page? The Authentication Request is the first call to the Azure AD service. You can build a simple Web form page to test different behavior of the Authentication Request. Here is an example, Azure-AD-2-Authentication-Requ est-Test.html:&lt... 2019-05-03, ∼1400🔥, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.