Azure Resource Owner Password Credentials flow
30 Sep 2020, 2 mins read. Tags: java, azure, azure-ad, ROPC
Azure provides the ROPC (Resource Owner Password Credentials) flow, in which the application exchanges the user's credentials directly for an access token and a refresh token. There are a few important points to consider when planning to use the ROPC flow.
- This flow doesn't work with federated IdPs like Facebook, GitHub, Microsoft, etc.; it works with local accounts only.
- Invited (guest) accounts don't work with this flow.
- It does not work if MFA (Multi-Factor Authentication) is enabled for the user.
Below are a few steps to set up ROPC.
Just like with other OAuth2 providers, we have to register an application, so we'll create one app registration here.
- Login to https://portal.azure.com
- In the search box type Azure Active Directory
- Find and navigate to App Registrations on the left panel.
- Click on + New Registration
- Add the application name in the given form and choose the supported account types. In my case, I've selected Accounts in this organizational directory only because I'm creating single-tenant access only. If you want your app to be able to access multiple tenants, choose one of the other options provided in the form.
- Once the app is created, you'll be redirected to the App Overview page. Here you need to find and navigate to API Permissions on the left panel.
- Grant admin consent for the default directory.
- Now click on the Authentication on the left panel and select Treat application as a public client and then hit save.
Congratulations, you've configured the App Registration and set up ROPC successfully.
Create Test User
To test the flow I'll be creating one user, as my email ID doesn't belong to the tenant in which I've created the app registration.
- To create a user, type Azure Active Directory in the search box and click Users in the left panel. (Make sure you're on the same tenant where you've created the App Registration.)
- Click New User and then select Create User. Once the user is created, open a new tab, try to log in to https://portal.azure.com as that user, and change the password if you chose the Auto-generate password option.
Now it's time to make the API call to get the token. Use the below API to get the token:
URI: https://login.microsoftonline.com/<tenant-id>/oauth2/token
Method: POST
Body (form-urlencoded):
    grant_type=password
    username=<username>
    password=<password>
    resource=<clientId>
    client_id=<clientId>
Go to the App Registration overview page to get the tenant ID and client ID values.
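As an added example (not code from the original post), here is a Python client that builds the token request above and maps the failures the post warns about (MFA enabled, wrong or non-local credentials, public client not enabled) to readable errors. The AADSTS code mapping is an assumption based on Azure AD's documented error codes, not something the post lists.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"

# Assumed mapping from AADSTS codes (found in error_description) to the
# limitations listed above. These codes are not taken from the post.
KNOWN_FAILURES = {
    "AADSTS50076": "MFA is enforced for this account; ROPC cannot satisfy it",
    "AADSTS50079": "MFA enrollment is required; ROPC cannot satisfy it",
    "AADSTS50126": "invalid username or password (local accounts only)",
    "AADSTS7000218": "app registration is not marked as a public client",
}


def build_ropc_request(tenant, client_id, username, password):
    """Return (url, body) for the v1 token endpoint as listed in the post."""
    fields = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "resource": client_id,
        "client_id": client_id,
    }
    return TOKEN_URL.format(tenant=tenant), urllib.parse.urlencode(fields).encode()


def classify(status, payload):
    """Map a token response to ("ok", tokens) or ("error", reason)."""
    if status == 200 and "access_token" in payload:
        return "ok", {"access_token": payload["access_token"],
                      "refresh_token": payload.get("refresh_token"),
                      "expires_in": int(payload.get("expires_in", 0))}
    description = payload.get("error_description", "")
    for code, reason in KNOWN_FAILURES.items():
        if code in description:
            return "error", reason
    return "error", payload.get("error", "unknown error")


def request_token(tenant, client_id, username, password):
    """Perform the ROPC exchange; the password is sent once and never logged."""
    url, body = build_ropc_request(tenant, client_id, username, password)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:  # AAD returns 400/401 with a JSON body
        return classify(err.code, json.load(err))
```

Because the app handles the raw password, keep the credentials out of logs and prefer an interactive or device-code flow wherever the account is federated or MFA-protected.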
Azure ROPC resources