Active Directory Authentication Library (ADAL) for .NET, Windows Store, Xamarin iOS and Xamarin Android.
Code Samples | Reference Docs | Developer Guide |
---|
Active Directory Authentication Library (ADAL) provides easy to use authentication functionality for your .NET client and Windows Store apps by taking advantage of Windows Server Active Directory and Windows Azure Active Directory. Here you can find the source code for the library. You can find the corresponding releases (both stable and prerelease) on the NuGet gallery at http://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/.
The latest stable release is available at nuget.org.
The next version of the library in prerelease form is also avialable on the NuGet gallery.
Branch | Status |
---|---|
dev (AppVeyor) |
Current version - latest one at nuget.org.
Minimum recommended version - 2.28.0
You can find the changes for each version in the change log.
A defect in ADAL .Net can result in an elevation of privilege in specific problem scenarios. The problem scenarios involve the On Behalf Of protocol flow and specific use cases of a ClientAssertion/ClientAssertionCertificate/ClientCredential and UserAssertion being passed to the AcquireToken* API. Multiple versions of the library are affected. Affected versions are listed below.
We have emailed owners of active applications that are using an impacted version of the library in the specific problem scenarios.
The latest stable version of the library does not have the defect. To avoid being impacted we strongly recommend you update to at least 2.28.1 for 2.x, 3.13.4 for 3.x, or the latest stable version. If you have questions about this issue, please email aadintegrate@microsoft.com.
Affected 2.x versions: 2.27.306291202, 2.26.305102204, 2.26.305100852, 2.25.305061457, 2.21.301221612, 2.20.301151232, 2.19.208020213, 2.18.206251556, 2.17.206230854, 2.16.204221202, 2.15.204151539, 2.14.201151115, 2.13.112191810, 2.12.111071459, 2.11.10918.1222, 2.10.10910.1511, 2.9.10826.1824, 2.8.10804.1442-rc, 2.7.10707.1513-rc, 2.6.2-alpha, 2.6.1-alpha, 2.5.1-alpha
Affected 3.x versions: 3.11.305310302-alpha, 3.10.305231913, 3.10.305161347, 3.10.305110106, 3.5.208051316-alpha, 3.5.208012240-alpha, 3.5.207081303-alpha, 3.4.206191646-alpha, 3.3.205061641-alpha, 3.2.204281119-alpha, 3.1.203031538-alpha, 3.0.110281957-alpha
We provide a full suite of sample applications and ADAL documentation to help you get started with learning the Azure Identity system. Our Azure AD Developer Guide includes tutorials for native clients such as Windows, Windows Phone, iOS, OSX, Android, and Linux. We also provide full walkthroughs for authentication flows such as OAuth2, OpenID Connect, Graph API, and other awesome features.
We leverage Stack Overflow to work with the community on supporting Azure Active Directory and its SDKs, including this one! We highly recommend you ask your questions on Stack Overflow (we're all on there!) Also browser existing issues to see if someone has had your question before.
We recommend you use the "adal" tag so we can see it! Here is the latest Q&A on Stack Overflow for ADAL: http://stackoverflow.com/questions/tagged/adal
If you find a security issue with our libraries or services please report it to secure@microsoft.com with as much detail as possible. Your submission may be eligible for a bounty through the Microsoft Bounty program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting this page and subscribing to Security Advisory Alerts.
All code is licensed under the MIT license and we triage actively on GitHub. We enthusiastically welcome contributions and feedback. You can clone the repo and start contributing now, but check this document first.
The following are the primary sources of information for diagnosing issues:
- Exceptions
- Logs
- Network traces
Also, note that correlation IDs are central to the diagnostics in the library. You can set your correlation IDs on a per request basis (by setting CorrelationId
property on AuthenticationContext
before calling an acquire token method) if you want to correlate an ADAL request with other operations in your code. If you don't set a correlations id, then ADAL will generate a random one which changes on each request. All log messages and network calls will be stamped with the correlation id.
This is obviously the first diagnostic. We try to provide helpful error messages. If you find one that is not helpful please file an issue and let us know. Please also provide the target platform of your application (e.g. Desktop, Windows Store, Windows Phone).
You can configure the library to generate log messages that you can use to help diagnose issues. You configure logging by setting properties of the static class AdalTrace
; however, depending on the platform, logging methods and the properties of this class differ. Here is how logging works on each platform:
ADAL.NET for desktop applications by default logs via System.Diagnostics.Trace
class. You can add a trace listener to receive those logs. You can also control tracing using this method (e.g. change trace level or turn it off) using AdalTrace.LegacyTraceSwitch
.
The following example shows how to add a Console based listener and set trace level to Information
(the default trace level is Verbose
):
Trace.Listeners.Add(new ConsoleTraceListener());
AdalTrace.LegacyTraceSwitch.Level = TraceLevel.Info;
You can achieve the same result by adding the following lines to your application's config file:
<system.diagnostics>
<sharedListeners>
<add name="console"
type="System.Diagnostics.ConsoleTraceListener"
initializeData="false"/>
</sharedListeners>
<trace autoflush="true">
<listeners>
<add name="console" />
</listeners>
</trace>
<switches>
<add name="ADALLegacySwitch" value="Info"/>
</switches>
</system.diagnostics>
If you would like to have more control over how tracing is done in ADAL, you can add a TraceListener
to ADAL's dedicated TraceSource
with name "Microsoft.IdentityModel.Clients.ActiveDirectory".
The following example shows how to write ADAL's traces to a text file using this method:
Stream logFile = File.Create("logFile.txt");
AdalTrace.TraceSource.Listeners.Add(new TextWriterTraceListener(logFile));
AdalTrace.TraceSource.Switch.Level = SourceLevels.Information;
You can achieve the same result by adding the following lines to your application's config file:
<system.diagnostics>
<trace autoflush="true"/>
<sources>
<source name="Microsoft.IdentityModel.Clients.ActiveDirectory"
switchName="sourceSwitch"
switchType="System.Diagnostics.SourceSwitch">
<listeners>
<add name="textListener"
type="System.Diagnostics.TextWriterTraceListener"
initializeData="logFile.txt"/>
<remove name="Default" />
</listeners>
</source>
</sources>
<switches>
<add name="sourceSwitch" value="Information"/>
</switches>
</system.diagnostics>
Tracing in ADAL for Windows Store is done via an instance of class System.Diagnostics.Tracing.EventSource
with name "Microsoft.IdentityModel.Clients.ActiveDirectory". You can define your own EventListener
, connect it to the event source and set your desired trace level. Here is an example:
var eventListener = new SampleEventListener();
class SampleEventListener : EventListener
{
protected override void OnEventSourceCreated(EventSource eventSource)
{
if (eventSource.Name == "Microsoft.IdentityModel.Clients.ActiveDirectory")
{
this.EnableEvents(eventSource, EventLevel.Verbose);
}
}
protected override void OnEventWritten(EventWrittenEventArgs eventData)
{
...
}
}
There is also a default event listener which writes logs to a local file named "AdalTraces.log". You can control the level of tracing to that event listener using the property AdalTrace.Level
. By default, trace level for this event listener is set to "None" and to enable tracing to this particular listener, you need to set the above property. This is an example:
AdalTrace.Level = AdalTraceLevel.Informational;
If your app requires conditional access or certificate authentication (currently in preview) support, you must set up your AuthenticationContext and redirectURI to be able to talk to the Azure Authenticator app. Make sure that your Redirect URI and application's bundle id is all in lower case.
Broker is enabled on a per-authentication-context basis. It is disabled by default. You must set useBroker flag to true in PlatformParameters constructor if you wish ADAL to call to broker:
public PlatformParameters(UIViewController callerViewController, bool useBroker)
The userBroker flag setting will allow ADAL to try to call out to the broker.
Update the AppDelegate.cs file to include the override method below. This method is invoked everytime the application is launched and is used as an opportunity to process response from the Broker and complete the authentication process.
public override bool OpenUrl(UIApplication app, NSUrl url, NSDictionary options)
{
AuthenticationContinuationHelper.SetBrokerContinuationEventArgs(url);
return true;
}
ADAL uses URLs to invoke the broker and then return back to your app. To finish that round trip you need a URL scheme registered for your app. We recommend making the URL scheme fairly unique to minimize the chances of another app using the same URL scheme.
<key>CFBundleURLTypes</key>
<array>
<dict>
<key>CFBundleTypeRole</key>
<string>Editor</string>
<key>CFBundleURLName</key>
<string>com.mycompany.myapp</string>
<key>CFBundleURLSchemes</key>
<array>
<string>mytestiosapp</string>
</array>
</dict>
</array>
ADAL uses –canOpenURL: to check if the broker is installed on the device. in iOS 9 Apple locked down what schemes an application can query for. You will need to add “msauth” to the LSApplicationQueriesSchemes section of your info.plist file.
<key>LSApplicationQueriesSchemes</key>
<array>
<string>msauth</string>
</array>
This adds extra requirements on your redirect URI. Your redirect URI must be in the proper form.
<app-scheme>://<your.bundle.id>
ex: mytestiosapp://com.mycompany.myapp
This Redirect URI needs to be registered on the app portal as a valid redirect URI. Additionally a second "msauth" form needs to be registered to handle certificate authentication in Azure Authenticator.
msauth://code/<broker-redirect-uri-in-url-encoded-form>
AND
msauth://code/<broker-redirect-uri-in-url-encoded-form>/
ex: msauth://code/mytestiosapp%3A%2F%2Fcom.mycompany.myapp and msauth://code/mytestiosapp%3A%2F%2Fcom.mycompany.myapp/
You can use various tools to capture the HTTP traffic that ADAL generates. This is most useful if you are familiar with the OAuth protocol or if you need to provide diagnostic information to Microsoft or other support channels.
Fiddler is the easiest HTTP tracing tool. In order to be useful it is necessary to configure fiddler to record unencrypted SSL traffic.
NOTE: Traces generated in this way may contain highly privileged information such as access tokens, usernames and passwords. If you are using production accounts, do not share these traces with 3rd parties. If you need to supply a trace to someone in order to get support, reproduce the issue with a temporary account with usernames and passwords that you don't mind sharing.
- This project contains the source of ADAL Portable Library.
- This project contains the source of the platform specific implementation for Windows desktop.
- This project contains the source of the platform specific implementation for Windows Store.
- This project contains the source of the platform specific implementation for Core CLR (still in preview).
- This project contains the source of the platform specific implementation for Xamarin iOS.
- This project contains the source of the platform specific implementation for Xamarin Android.
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT License (the "License");
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.