Azure AD Authentication Library for .NET

Summary

The Azure AD Authentication Library (ADAL) for .NET enables client application developers to easily authenticate users to cloud or on-premises Active Directory (AD), and then obtain access tokens for securing API calls. ADAL for .NET has many features that make authentication easier for developers, such as asynchronous support, a configurable token cache that stores access tokens and refresh tokens, automatic token refresh when an access token expires and a refresh token is available, and more. By handling most of the complexity, ADAL can help a developer focus on business logic in their application and easily secure resources without being an expert on security.

In This Section

Scenarios

ADAL for .NET enables the key scenarios below. The resource portion of these scenarios can be implemented using any token validation logic.

  • Authenticating Users of a Client Application to a Remote Resource: In this scenario, a developer has a client, such as a WPF application, that needs to access a remote resource secured by Azure AD, such as a web API. He has an Azure subscription, knows how to invoke the downstream web API, and knows the Azure AD tenant that the web API uses. As a result, he can use ADAL to facilitate authentication with Azure AD, either by fully delegating the authentication experience to ADAL or by explicitly handling user credentials. ADAL makes it easy to authenticate the user, obtain an access token and refresh token from Azure AD, and then use the access token to make requests to the web API.

    For a code sample that demonstrates this scenario using authentication to Azure AD, see Native Client WPF Application to Web API.

  • Authenticating a Server Application to a Remote Resource: In this scenario, a developer has an application running on a server that needs to access a remote resource secured by Azure AD, such as a web API. He has an Azure subscription, knows how to invoke the downstream service, and knows the Azure AD tenant the web API uses. As a result, he can use ADAL to facilitate authentication with Azure AD by explicitly handling the application’s credentials. ADAL makes it easy to retrieve a token from Azure AD by using the application’s client credential and then use that token to make requests to the web API. ADAL also handles managing the lifetime of the access token by caching it and renewing it as necessary.

    For a code sample that demonstrates this scenario, see Console Application to Web API.

  • Authenticating a Server Application on Behalf of a User to Access a Remote Resource: In this scenario, a developer has an application running on a server that needs to access a remote resource secured by Azure AD, such as a web API. The request also needs to be made on behalf of a user in Azure AD. He has an Azure subscription, knows how to invoke the downstream web API, and knows the Azure AD tenant the service uses. Once the user is authenticated to the web application, the application can get an authorization code for the user from Azure AD. The web application can then use ADAL for .NET to obtain an access token and refresh token on behalf of a user using the authorization code and client credentials associated with the application from Azure AD. Once the web application is in possession of the access token, it can call the web API until the token expires. When the token expires, the web application can use ADAL for .NET to get a new access token by using the refresh token that was previously received.

Features

ADAL for .NET offers the following features:

  • Asynchronous Methods: ADAL for .NET supports asynchronous variants for each method that acquires a token, helping to make your application much more responsive during the authentication process.

  • Token Acquisition: ADAL for .NET facilitates the process of acquiring tokens from Azure AD and Windows Server ADFS for Windows Server 2012 R2 by using a variety of identity providers, protocols, and credential types. ADAL can manage the entire token acquisition process in just a few lines of code, including the authentication user experience. Alternatively, you can provide raw credentials that represent your user or application and ADAL will manage obtaining a token for you.

  • Token Cache: ADAL for .NET stores all access tokens in an in-memory token cache by default, but you can also write your own cache implementation or disable it entirely.

  • Automatic Token Refresh: In addition to the token cache, ADAL supports automatic refresh of tokens when they expire. ADAL will both query the token cache to check if the token has expired, and then attempt to get a new token using the cached refresh token.

See Also

Other Resources

Azure Active Directory Code Samples
Authentication Scenarios for Azure AD