Azure Resource Owner Password Credentials flow

Tags: java, azure, azure-ad, ROPC

Introduction

Azure provides the ROPC (Resource Owner Password Credentials) flow, in which the application exchanges the user's credentials directly for an access token and a refresh token. There are a few important points to consider when planning to use the ROPC flow.

  1. This flow doesn’t work with federated IDPs like Facebook, GitHub, Microsoft, etc., and works with local accounts only.
  2. Invited accounts don’t work with this flow.
  3. It does not work if the MFA (Multi-Factor Authentication) is enabled.

Below are a few steps to set up ROPC.

Setup AppRegistration

Just as with other OAuth2 providers, we have to register an application, so we'll create one app registration here.

  1. Log in to https://portal.azure.com
  2. In the search box, type Azure Active Directory. [Screenshot: Search Azure Active Directory]
  3. Find and navigate to App Registrations in the left panel. [Screenshot: App Registrations]
  4. Click + New Registration.
  5. Enter the application name in the form and choose the supported account types. In my case, I've selected Accounts in this organizational directory only because I'm creating single-tenant access only. If you want your app to be able to access multiple tenants, choose one of the other options provided in the form. [Screenshot: App Registrations]
  6. Once the app is created, you'll be redirected to the App Overview page. Here you need to find and navigate to API Permissions in the left panel. [Screenshot: App Registrations]
  7. Grant admin consent for the default directory. [Screenshot: Grant Admin Consent]
  8. Now click Authentication in the left panel, select Treat application as a public client, and then hit Save. [Screenshot: Authentication]

Congratulations, you've configured the App Registration and set up ROPC successfully.

Create Test User

To test the flow I'll create one user, as my email id doesn't belong to the tenant in which I've created the app registration.

  1. To create a user, type Azure Active Directory in the search box and click Users in the left panel. (Make sure you're in the same tenant where you've created the App Registration.) [Screenshot: Add User]
  2. Click New User and then select Create User. Once the user is created, open a new tab, try to log in to https://portal.azure.com, and change the password if you chose the Auto-generate password option. [Screenshot: Add User]

ROPC Call

Now it's time to make the API call to get the token. Use the request below to get the token:

URI: https://login.microsoftonline.com/<tenant-id>/oauth2/token
Method: POST
Body (application/x-www-form-urlencoded):
grant_type=password
username=<username>
password=<password>
resource=<clientId>
client_id=<clientId>

Go to the App Registration overview page to get the tenant id and client id. Because the app registration was marked as a public client, no client secret is sent with this request. [Screenshot: Token]
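The request above, as an added Python example (not code from the original post): it builds the form-encoded POST for the v1 token endpoint, sends it, distinguishes a token response from the JSON error object Azure AD returns when the exchange is refused (for example when MFA is enforced for the user), and decodes the access token's claims for inspection. The tenant id, client id, username and password are read from environment variables so the password never sits in source; the sample response and the sample JWT are constructed for offline testing and the claim values in them are placeholders.

```python
"""Added example: Azure AD v1 ROPC token request, response parsing and
unverified JWT claim inspection.  Not part of the original post."""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/token"


def build_ropc_request(tenant_id, client_id, username, password):
    """Return (url, form_body_bytes) for the POST shown in the post.
    resource and client_id are both the app's client id; no client_secret is
    sent because the app registration is marked as a public client."""
    url = TOKEN_ENDPOINT.format(tenant_id=tenant_id)
    form = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "resource": client_id,
        "client_id": client_id,
    }
    return url, urllib.parse.urlencode(form).encode("utf-8")


def parse_token_response(body_text):
    """Parse the JSON body from the token endpoint.  A refused exchange comes
    back as a JSON object with 'error' and 'error_description', so check for
    that before touching the tokens.  The v1 endpoint returns expires_in as a
    string, hence the int() conversion."""
    data = json.loads(body_text)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_in": int(data["expires_in"]),
    }


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload of a JWT WITHOUT verifying the signature.  Use this
    only to look at claims such as tid/aud/upn while debugging; a resource
    server must validate the signature before trusting any claim."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def request_token(tenant_id, client_id, username, password):
    """Perform the ROPC exchange over the network."""
    url, body = build_ropc_request(tenant_id, client_id, username, password)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_token_response(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # Azure AD answers a refused exchange with 4xx and a JSON error body.
        return parse_token_response(exc.read().decode("utf-8"))


def _make_unsigned_sample_jwt(claims):
    # Constructed sample token for offline testing: header.payload.<empty sig>
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample responses (placeholder ids, not real tenant/app values).
SAMPLE_TENANT_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_SUCCESS = json.dumps({
    "token_type": "Bearer",
    "expires_in": "3599",
    "access_token": _make_unsigned_sample_jwt({
        "aud": "00000000-0000-0000-0000-000000000000",
        "tid": SAMPLE_TENANT_ID,
        "upn": "testuser@example.onmicrosoft.com",
    }),
    "refresh_token": "constructed-refresh-token",
})
SAMPLE_FAILURE = json.dumps({
    "error": "invalid_grant",
    "error_description": "constructed sample: the user must use multi-factor authentication",
})


if __name__ == "__main__":
    # Credentials come from the environment so the password is never in source.
    tokens = request_token(
        os.environ["AZURE_TENANT_ID"], os.environ["AZURE_CLIENT_ID"],
        os.environ["ROPC_USERNAME"], os.environ["ROPC_PASSWORD"],
    )
    print(json.dumps(jwt_claims(tokens["access_token"]), indent=2))
```

Run it with AZURE_TENANT_ID, AZURE_CLIENT_ID, ROPC_USERNAME and ROPC_PASSWORD set in the environment; the printed claims let you confirm the token was issued by the expected tenant (tid) for the expected app (aud) before wiring it into anything else.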

References

Azure ROPC resources