Initiate Azure AD v2 Authentication Request

Q

How to initiate Azure AD v2.0 Sign-On Authentication Request?

✍: FYIcenter.com

A

The Azure AD v2.0 Sign-On Authentication Request must be initiated from the end user's Web browser, because the Azure AD service needs to communicate with the Web browser to make sure that the end user is signed on to an AD (Active Directory) and has a valid browser session.

There are a number of options to initiate Azure AD v2.0 Sign-On Authentication Request:

1. Using HTML "form" POST method to let the end user submit the request. All request parameters are coded as hidden form variables. For example:

<p>Please click the button flow to sign-on:</p>
<form method="POST" 
   action="https://login.microsoftonline.com/common/oauth2/v2.0/authorize">
<input type="hidden" name="client_id"
   value="bd51d56c-e744-4a58-91e1-9afd0d7e821c">
...
<input type="Submit" name="Submit" value="Sign-On">
</form>

The main risk of this option is that your end user can view HTML source to see your "client_id" value and other request parameters.

2. Using HTML "form" GET method to let the end user submit the request. All request parameters are coded as hidden form variables. For example:

<p>Please click the button flow to sign-on:</p>
<form method="GET" 
   action="https://login.microsoftonline.com/common/oauth2/v2.0/authorize">
<input type="hidden" name="client_id"
   value="bd51d56c-e744-4a58-91e1-9afd0d7e821c">
...
<input type="Submit" name="Submit" value="Sign-On">
</form>

This option is not as good as the first option, because all parameters show up in the browser's Web address area for a short period of time before Azure AD service redirects the browser to the sign-on page or your application page.

Note that all parameters may stay in the browser's Web address area for a long time if there is any issue with your authentication request.

3. Use a server side script to return a HTTP 302 redirect response. All request parameters are coded as the query string of the redirect URL. For example:

In the HTML document: 
<p>Click hereto sign-on</p>

In the service side script, Azure-AD-Redirect.php:
$url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize".
   "?client_id=bd51d56c-e744-4a58-91e1-9afd0d7e821c".
   "&...";
header("Location: $url");

When the Web receives the HTTP 302 redirect response, it will automatically call the URL given in the "Location" response header.

This option is does not leave your client_id value in the HTML source code. But all parameters show up in the browser's Web address area for a short period of time before Azure AD redirects the browser the sign-on page or your application page.

Note that all parameters may stay in the browser's Web address area for a long time if there is any issue with your authentication request.

Compare to other options, option 3 might be the best option.

 

Process Azure AD v2 Authentication Request

Azure AD v2 Sign-On Authentication Request

Azure AD Integration v2.0

⇑⇑ OpenID Tutorials

2019-05-03, 199👍, 0💬