- Day 20 - Using the Device Code Flow to Authenticate Users
To complete this sample you need the following:
- Complete the Base Console Application Setup
- Visual Studio Code installed on your development machine. If you do not have Visual Studio Code, visit the previous link for download options. (Note: This tutorial was written with Visual Studio Code version 1.28.2. The steps in this guide may work with other versions, but that has not been tested.)
- .Net Core SDK. (Note: This tutorial was written with .Net Core SDK 2.1.403. The steps in this guide may work with other versions, but that has not been tested.)
- C# extension for Visual Studio Code
- Either a personal Microsoft account with a mailbox on Outlook.com, or a Microsoft work or school account.
If you don't have a Microsoft account, there are a couple of options to get a free account:
- You can sign up for a new personal Microsoft account.
- You can sign up for the Office 365 Developer Program to get a free Office 365 subscription.
Because this exercise requires new permissions, the App Registration needs to be updated to include the User.Read.All (delegated) permission, using the new Azure AD Portal App Registrations UI (in preview as of the time of publishing, Nov 2018).
- Open a browser and navigate to the Azure AD Portal. Log in using a personal account (aka Microsoft Account) or a work or school account with permissions to create app registrations.
  Note: If you do not have permissions to create app registrations, contact your Azure AD domain administrators.
- Click Azure Active Directory from the left-hand navigation menu.
- Click on the .NET Core Graph Tutorial item in the list.
  Note: If you used a different name while completing the Base Console Application Setup, select that instead.
- Click API permissions from the current blade content.
- Click Add a permission from the current blade content.
- On the Request API permissions flyout, select Microsoft Graph.
- Select Delegated permissions.
- In the "Select permissions" search box, type "<Start of permission string>".
- Select User.Read.All from the filtered list.
- Click Add permissions at the bottom of the flyout.
- Back on the API permissions content blade, click Grant admin consent for <name of tenant>.
- Click Yes.
  Note: Make sure you do not have any application permission already selected; it will make the request fail. If you do have some, remove them before granting the new permissions.
- On the application registration view from the last step, click on Manifest.
- Set the allowPublicClient property to true.
- Click on Save.
In this step you will create a DeviceCodeFlowAuthorizationProvider class that encapsulates the logic for acquiring a delegated access token through the Device Code Flow, and then wire it into the console application created in the Base Console Application Setup.
- Create a new file in the Helpers folder called DeviceCodeFlowAuthorizationProvider.cs.
- Replace the contents of DeviceCodeFlowAuthorizationProvider.cs with the following code:

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Client;

namespace ConsoleGraphTest
{
    // Plugged into GraphServiceClient, which calls AuthenticateRequestAsync for every outgoing request.
    public class DeviceCodeFlowAuthorizationProvider : IAuthenticationProvider
    {
        private readonly PublicClientApplication _application;
        private readonly List<string> _scopes;
        // Cached for the lifetime of the process; this sample does not re-acquire the token
        // when it expires (AuthenticationResult.ExpiresOn reports when that happens).
        private string _authToken;

        public DeviceCodeFlowAuthorizationProvider(PublicClientApplication application, List<string> scopes)
        {
            _application = application;
            _scopes = scopes;
        }

        public async Task AuthenticateRequestAsync(HttpRequestMessage request)
        {
            if (string.IsNullOrEmpty(_authToken))
            {
                // MSAL requests a device code, hands the "open this page and enter this code"
                // message to the callback, then polls until the user has signed in on another device.
                var result = await _application.AcquireTokenWithDeviceCodeAsync(_scopes, callback =>
                {
                    Console.WriteLine(callback.Message);
                    return Task.FromResult(0);
                });
                _authToken = result.AccessToken;
            }

            // Attach the delegated token as a bearer token on the Graph request.
            request.Headers.Authorization = new AuthenticationHeaderValue("bearer", _authToken);
        }
    }
}
```

  This class contains the code that implements the device code flow requests when the GraphServiceClient requires an access token.
- Inside the Program class, replace the last lines of the method YourMethod with the following lines. This replaces the existing references so that the Device Code Flow is used.

```csharp
// Tenant-specific authority; tenantId comes from the configuration set up earlier.
var authority = $"https://login.microsoftonline.com/{config["tenantId"]}";
List<string> scopes = new List<string>();
scopes.Add("https://graph.microsoft.com/.default");

// A public client (no client secret) is what the device code flow requires.
var cca = new PublicClientApplication(clientId, authority);
return new DeviceCodeFlowAuthorizationProvider(cca, scopes);
```
At the time of writing, the Device Code Flow is only implemented in preview versions of the library.
- Inside the ConsoleGraphTest.csproj file, replace the following line:

```xml
<PackageReference Include="Microsoft.Identity.Client" Version="2.1.0-preview" />
```

  with

```xml
<PackageReference Include="Microsoft.Identity.Client" Version="2.4.0-preview" />
```

- In a command line, type the following command:

```shell
dotnet restore
```
The console application is now able to leverage the Device Code Flow, which identifies the signed-in user and lets the application call Graph in a delegated context. To test the console application, run the following commands from the command line:

```shell
dotnet build
dotnet run
```
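To show what AcquireTokenWithDeviceCodeAsync is doing on the application's behalf, here is an added simulation of the OAuth 2.0 device authorization grant written for this page; it is not part of the tutorial or of MSAL, and the authorization server, client, clock and client id are all constructed stand-ins that never contact login.microsoftonline.com. The client mirrors DeviceCodeFlowAuthorizationProvider (request a device code, show the user the message, poll until the sign-in completes, hand back the token) but also tracks the token lifetime and re-runs the flow when it expires, which the tutorial's class does not do because it caches _authToken for the life of the process. The server side shows the responses a client has to handle: authorization_pending, slow_down, expired_token and the single-use device code.

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628), the
exchange MSAL runs inside AcquireTokenWithDeviceCodeAsync. Constructed example:
server, client and clock are all fakes; nothing contacts login.microsoftonline.com."""
import secrets
import string
from dataclasses import dataclass

@dataclass
class DeviceAuthorization:
    user_code: str
    expires_at: float
    interval: int
    approved: bool = False
    last_poll: float = -1.0

class FakeClock:
    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):  # advances time instead of blocking
        self.now += seconds

class FakeAuthorizationServer:  # stand-in for the tenant's /devicecode and /token endpoints
    def __init__(self, clock, lifetime=900, interval=5):
        self.clock, self.lifetime, self.interval = clock, lifetime, interval
        self.pending = {}  # device_code -> DeviceAuthorization

    def device_authorization(self, client_id, scope):
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(8))
        self.pending[device_code] = DeviceAuthorization(user_code, self.clock.now + self.lifetime, self.interval)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.lifetime, "interval": self.interval}

    def token(self, device_code):
        auth, now = self.pending.get(device_code), self.clock.now
        if auth is None:
            return {"error": "invalid_grant"}
        if now >= auth.expires_at:  # the user never finished: the device code is dead
            del self.pending[device_code]
            return {"error": "expired_token"}
        if auth.last_poll >= 0 and now - auth.last_poll < auth.interval:
            return {"error": "slow_down"}  # client polled faster than the allowed interval
        auth.last_poll = now
        if not auth.approved:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device code is single use
        return {"access_token": "tok-" + secrets.token_hex(8), "expires_in": 3600}

class DeviceCodeClient:  # like DeviceCodeFlowAuthorizationProvider, plus re-acquisition before expiry
    def __init__(self, server, clock, client_id, scopes, display):
        self.server, self.clock, self.display = server, clock, display
        self.client_id, self.scopes = client_id, scopes
        self._token, self._expires_at = None, 0.0

    def acquire_token(self):
        if self._token and self.clock.now < self._expires_at - 60:  # 60 s clock-skew margin
            return self._token
        grant = self.server.device_authorization(self.client_id, " ".join(self.scopes))
        self.display(f"To sign in, open {grant['verification_uri']} and enter the code {grant['user_code']}.")
        interval = grant["interval"]
        while True:
            self.clock.sleep(interval)
            resp = self.server.token(grant["device_code"])
            err = resp.get("error")
            if err is None:
                self._token = resp["access_token"]
                self._expires_at = self.clock.now + resp["expires_in"]
                return self._token
            if err == "slow_down":
                interval += 5  # RFC 8628 section 3.5: back off by 5 seconds
            elif err != "authorization_pending":
                raise RuntimeError(f"device code flow failed: {err}")

def run_simulation():
    """One sign-in, a cached reuse, then a re-acquire after the token expires."""
    clock, prompts, polls = FakeClock(), [], []
    server = FakeAuthorizationServer(clock)
    client = DeviceCodeClient(server, clock, "00000000-0000-0000-0000-000000000000",  # placeholder client id
                              ["https://graph.microsoft.com/.default"], prompts.append)
    real_token = server.token

    def token_with_user(device_code):  # the user finishes entering the code during the 2nd poll
        polls.append(clock.now)
        if len(polls) % 2 == 0:
            server.pending[device_code].approved = True
        return real_token(device_code)
    server.token = token_with_user

    first = client.acquire_token()
    cached = client.acquire_token()  # served from cache: no new prompt, no poll
    clock.sleep(3600)  # move past the token lifetime
    renewed = client.acquire_token()
    return {"prompts": len(prompts), "polls": len(polls),
            "cached_reused": first == cached, "renewed_differs": renewed != first}

if __name__ == "__main__":
    print(run_simulation())
```

Running the file prints the summary of the two sign-ins: two prompts and four polls, with the second call served from the cache and the third triggering a fresh device code because the first token had expired. The slow_down branch matters in practice: a client that ignores it and keeps polling at the old rate is throttled by the authorization server, and an expired_token response means the whole flow has to start over with a new code.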