Device profile for devices without web browsers
The Device Code Flow enables text-only devices to take part in the authentication dance with Azure AD, with all the power it brings, despite their limitations. It is only for devices that cannot offer an interactive (web) authentication experience. The principle is that the application shares a code with the user, together with the URL where s/he will sign in using another device that supports web interaction; the application then waits until the STS confirms that the user has indeed signed in before requesting a token. To use it, the application leverages two APIs. Here are the details for ADAL.NET.
In ADAL.NET this flow is available for .NET Framework, .NET Core, OSX, Linux, and Android (for IoT devices). It is not available for iOS: the compiler issues a warning with an explanation if it is used in a Xamarin iOS application.
The flow is the following:
- The application calls one of the overrides of `AcquireDeviceCodeAsync`, which interacts with the STS to provide a `DeviceCodeResult`.
- The application then displays to the user the content of the `Message` property of the `DeviceCodeResult`. This message tells the user to go to the URL of a web site where s/he will need to provide this code and sign in with a web-enabled device (other than the device running the application, as this is a text-only device).
- The application then executes `AcquireTokenByDeviceCodeAsync`, which waits until the user has signed in with the other web-enabled device. At this time, the STS will return the token (the `AuthenticationResult`).
- Since `AcquireDeviceCodeAsync` does not check the token cache (see documentation), you might want to consider calling `AcquireTokenSilentAsync` first, which will return the cached token.
```csharp
// resource and clientId are fields of the sample's Program class (the app id URI of the
// API being called and the client id registered for this application).
static async Task<AuthenticationResult> GetTokenViaCode(AuthenticationContext ctx)
{
    AuthenticationResult result = null;
    try
    {
        // Try the token cache first: the device code APIs never consult it.
        result = await ctx.AcquireTokenSilentAsync(resource, clientId);
    }
    catch (AdalException adalException)
    {
        if (adalException.ErrorCode == AdalError.FailedToAcquireTokenSilently
            || adalException.ErrorCode == AdalError.InteractionRequired)
        {
            try
            {
                // Ask the STS for a device code and tell the user where to enter it.
                DeviceCodeResult codeResult = await ctx.AcquireDeviceCodeAsync(resource, clientId);
                Console.WriteLine("You need to sign in.");
                Console.WriteLine("Message: " + codeResult.Message + "\n");
                // Waits (polling the STS) until the user signs in on another device or the code expires.
                result = await ctx.AcquireTokenByDeviceCodeAsync(codeResult);
            }
            catch (Exception exc)
            {
                Console.WriteLine("Something went wrong.");
                Console.WriteLine("Message: " + exc.Message + "\n");
            }
        }
    }
    return result;
}
```
This code is extracted from the sample below (method `GetTokenViaCode`, from the app root class `Program` in program.cs).
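The waiting that `AcquireTokenByDeviceCodeAsync` does on the application's behalf, shown as an added Python example that is not part of this page or of ADAL.NET: it implements the device-code grant's token-endpoint polling loop as defined in RFC 8628, going slightly beyond the page by handling the slow_down, expired_token and access_denied responses. The device-code response, the URL, the codes and the scripted STS are constructed placeholders so the example runs offline.

```python
import time

# Constructed sample of what the STS returns from the device-code endpoint
# (the data ADAL.NET surfaces as DeviceCodeResult); all values are placeholders.
DEVICE_CODE_RESULT = {
    "device_code": "DEVICE-CODE-PLACEHOLDER",
    "user_code": "ABCD1234",
    "verification_url": "https://login.example.invalid/devicelogin",
    "expires_in": 900,   # seconds the device code stays valid
    "interval": 5,       # minimum seconds between polls
    "message": "Open https://login.example.invalid/devicelogin and enter ABCD1234.",
}


class SimulatedSts:
    """Scripted stand-in for the token endpoint: replays canned responses in order."""

    def __init__(self, responses):
        self._responses = list(responses)
        self.calls = 0

    def token(self, device_code):
        self.calls += 1
        return self._responses.pop(0)


def poll_for_token(sts, device_code_result, sleep=time.sleep):
    """Poll the token endpoint as a device-code client must (RFC 8628 section 3.5):
    wait `interval` seconds between requests, add 5 seconds on slow_down,
    stop on expired_token / access_denied, and give up when the code expires."""
    interval = device_code_result["interval"]
    deadline = device_code_result["expires_in"]
    elapsed = 0
    while elapsed < deadline:
        resp = sts.token(device_code_result["device_code"])
        if "access_token" in resp:
            return resp                      # user signed in on the other device
        err = resp.get("error")
        if err == "authorization_pending":
            pass                             # keep polling at the same interval
        elif err == "slow_down":
            interval += 5                    # server asked us to back off
        elif err in ("expired_token", "access_denied"):
            raise PermissionError(err)       # user declined or code timed out
        else:
            raise RuntimeError(f"unexpected token endpoint error: {err}")
        sleep(interval)
        elapsed += interval
    raise TimeoutError("device code expired before the user signed in")
```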
Sample | Platform | Description |
---|---|---|
active-directory-dotnet-deviceprofile | Desktop (.NET Core 2.0) | This sample demonstrates how to leverage ADAL .NET to authenticate user calls to a web API (in this case, the directory Graph) from apps that do not have the capability of offering an interactive authentication experience. |