Keep the feedback and suggestions coming!
Alex Simons ( @Alex_A_Simons )
Director of Program Management
Microsoft Identity and Security Services Division
Hello everybody!Windows 10 is unique among all modern operating systems – as of today, it is the only one offering OAuth2 integration directly in its native API. Apps targeting the Universal Windows Platform use a consistent set of API for obtaining security tokens to gain access to protected resources, thanks to a pluggable architecture that can expose any provider through a consistent programming façade. Microsoft's identity providers (Azure AD and MSA) are available out of the box, making it super easy for you to take advantage in your apps of the accounts already present in the system. In this post I am going to give you a quick introduction to the new API architecture, show you some sample code demonstrating how to get an Azure AD token, and discuss the relationship between the new Windows 10 identity API and ADAL, our existing Azure AD family of developer libraries. Ready? Let's dive in!
string tenant = "developertenant.onmicrosoft.com";
string authority = "https://login.microsoftonline.com/" + tenant;
WebAccountProvider wap =
await WebAuthenticationCoreManager.FindAccountProviderAsync("https://login.microsoft.com", authority);Given that I want a user from a specific tenant, I specify that tenant as the authority. If I'd want this app to work with any Azure AD tenant, I would pass "organizations" in lieu of the authority parameter. Note . As mentioned, this API abstracts away the differences between providers: this syntax would work just as well if I'd be looking to get a MSA token – in that case, I'd pass "consumers" instead. Once you get a hold on the desired provider, you can construct the token request. Here there's how the code looks like for Azure AD.
string clientId = "a9b55b7d-66af-4de9-9ee7-c7b04106bdef";
string resource = "https://graph.windows.net";
WebTokenRequest wtr = new WebTokenRequest(wap, string.Empty, clientId);
wtr.Properties.Add("resource", resource);The WebTokenRequest constructor takes the absolute minimal sets of parameters required for crafting an OAuth2 request. Being Azure AD a multi tenant system, you are required to provide extra information – such as the resource parameter, indicating what is that you are requesting access to (in this case, the Graph). The WebTokenRequest allows you to specify provider-specific information simply by adding them to a generic property bag. Once you have the request ready, you fire it up with the following code.
WebTokenRequestResult wtrr = await WebAuthenticationCoreManager.RequestTokenAsync(wtr);
if (wtrr.ResponseStatus == WebTokenRequestStatus.Success)
accessToken = wtrr.ResponseData.Token;
var account = wtrr.ResponseData.WebAccount;
var properties = wtrr.ResponseData.Properties;
}This is where most of the magic happens. The provider you specified takes over, trying to use the currently signed in user (or any account saved on the system) to obtain the token you requested without prompting the user. If the token can be obtained without interaction, as it will often be the case on cloud domain joined or classic domain joined machines, the call to RequestTokenAsync will return right away. In case interaction is required, either for showing consent or for gathering authentication factors, the API will take care to automatically prompt the user with the correct experience. Once you obtain the requested token, you can invoke the Graph with it - just as you'd do on any traditional app: via raw REST calls or via client library, according to your preferences. Let's see how using such an app would play out on a desktop PC or a tablet cloud-joined to my test directory developertenant.onmicrosoft.com. Here there's the initial UX of a simple directory searcher UWP application.
Say that we hooked up the token acquisition logic to the Search button. As I press the button, RequestTokenAsync automatically uses the developertenant.onmicrosoft.com account I am signed in with – but given that this is the first time I run the app, I am asked to grant consent to it:
As soon as I accept, RequestTokenAsync returns the requested token to the app code – which can now use it to query the directory Graph and display the results.
Now, the beauty of UWP apps is that they can run *as is* on phones running Windows 10 – no code changes required. You can see this by yourself by changing the debug target to a device emulator and hitting F5 again.
Here there's the UX for the app, automatically formatted for the phone form factor. Enter your query and tap Search.
In this case, I am using a phone that was already configured to use my email@example.com – thanks to that, I don't need to enter any credentials and I go straight to the consent. If I'd be running this on a "clean" device not associated to any user, the code would work just as well: I'd simply be asked to enter my credentials first.
As soon as I grant consent, the app retrieves the token it needs and performs its query. That was easy! If you want to play with the sample on your own machine, you can find its source on GitHub . If you want to know more about WebAccountManager and Azure AD, check out the recording of this //Build/ session ; if you want to hear more about the general architecture of the WebAccountManager API, check out Karanbir's //Build/ session .
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.