From Adal to MSAL ROPC Flow

Patrick Robertson
2022-12-05T04:28:26.72+00:00

I'm in the process of migrating our .NET 4.8 project to .NET 6. I recently discovered that ADAL is going away soon and need to replace the ADAL logic with MSAL in the .NET 6 project. Our users are stored in Azure Active Directory. The .NET 4.8 project is an API that has an Auth/Login endpoint that takes username and password (Resource Owner Password Credential flow). They really want to keep this flow and do not want to switch to a confidential client flow. I know that to enable the username and password flow, you have to turn on 'Allow public client flows' in the Azure portal, in the Authentication blade of the App Registration blade. Right now it is set to 'No' for our application, and I believe if we want to keep the ROPC flow this may need to be enabled. I have set up a POC project and tried to test getting an access token from MSAL and passing that token in the Authorization header of the request, but it doesn't seem to authenticate my request via Postman/Swagger. Is it possible to keep the same setup we have in the .NET 4.8 API project for that endpoint in .NET 6, or is there some other way I need to do this? I really would like to use MSAL for this because the changes seem minimal.


1 answer

2022-12-07T23:02:57.72+00:00

Hello @Patrick Robertson and thanks for reaching out. Migrating from ADAL to MSAL should have minimal, if any, impact on the Azure AD app registration. It's correct that an app must be treated as a public client for the ROPC flow. The obtained access token should work unless a v2 token is used to access an API that accepts v1, or the other way around; however, this is most common in OBO flows where different APIs accept different token versions. If this is not your case and the issue persists, please post more detail about it, e.g. an Azure AD error code and/or debugging information: timestamp and correlation id.

Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

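The question asks how a .NET 6 login endpoint can obtain a token from MSAL with username and password and forward it as a Bearer header, and the answer points at a v1/v2 token mismatch as the usual reason such a token is rejected; the following is an added example that is not code from either post. It assumes the Microsoft.Identity.Client NuGet package (4.37 or later, for the string-password overload), a public client app registration with 'Allow public client flows' set to Yes, and placeholder tenant, client and scope values.

```csharp
// Added example: MSAL.NET ROPC acquisition plus a diagnostic decode of the
// token's "aud"/"ver" claims. Tenant, client and scope values are placeholders.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class RopcLogin
{
    const string TenantId = "<tenant-id>";         // placeholder
    const string ClientId = "<public-client-id>";  // placeholder
    // A v2 token is issued for the API's exposed scope; the API's manifest
    // (accessTokenAcceptedVersion) decides which version it will accept.
    static readonly string[] Scopes = { "api://<api-client-id>/.default" }; // placeholder

    static readonly IPublicClientApplication App = PublicClientApplicationBuilder
        .Create(ClientId)
        .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
        .Build();

    // Exchanges username/password for an access token. ROPC cannot satisfy MFA or
    // Conditional Access prompts; MSAL reports those as MsalUiRequiredException.
    public static async Task<string> AcquireAccessTokenAsync(string username, string password)
    {
        AuthenticationResult result = await App
            .AcquireTokenByUsernamePassword(Scopes, username, password)
            .ExecuteAsync();
        return result.AccessToken;
    }

    // Attaches the token the way the Postman/Swagger test in the question does.
    public static HttpRequestMessage WithBearer(HttpRequestMessage request, string token)
    {
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return request;
    }

    // Diagnostic only (no signature validation): reads "aud" and "ver" from the payload.
    // "ver":"1.0" presented to a v2-only API, or the reverse, explains a 401 after a valid login.
    public static (string Aud, string Ver) DescribeToken(string jwt)
    {
        string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
        return (doc.RootElement.GetProperty("aud").ToString(), doc.RootElement.GetProperty("ver").ToString());
    }
}
```

If DescribeToken reports an audience or version other than what the API registration expects, adjust the requested scope or the API's accepted token version before looking elsewhere for the 401.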
