Is the 'UserPasswordCredential' class with a plain text password secure?

Mananchaya Ekmahachai 20 Reputation points
2023-01-12T07:08:07.12+00:00

Hello All,

I am new to developing code with Azure API.

Currently, I am developing a Power BI web application that requires a user token from a username and password.

I am just concerned about the account credential that we send via an object when calling 'AcquireTokenAsync' API as follows:

[Screenshot of the AcquireTokenAsync call with a UserPasswordCredential; image not recoverable]

The username and password we sent are plain text.

Could someone please confirm whether the 'AcquireTokenAsync' API with plain text user credentials in the 'UserPasswordCredential' class is secure or not?

Is it not recommended to use it like this?

Class UserPasswordCredential reference: https://azuresdkdocs.blob.core.windows.net/$web/dotnet/Microsoft.Azure.Management.BotService/0.9.3-preview/api/Microsoft.IdentityModel.Clients.ActiveDirectory/Microsoft.IdentityModel.Clients.ActiveDirectory.UserPasswordCredential.html#collapsible-Microsoft_IdentityModel_Clients_ActiveDirectory_UserPasswordCredential__ctor_System_String_System_Security_SecureString_

Thank you for all of your responses and suggestions.


Best Regards,

Mananchaya


Answer accepted by question author
Shweta Mathur 30,431 Reputation points Microsoft Employee Moderator
2023-01-13T06:28:32.3433333+00:00

Hi @Mananchaya Ekmahachai,

Thanks for reaching out.

I understand you are trying to get the access token using the UsernamePasswordCredential class.

However, it is not a recommended approach, as this class enables authentication using a user's username and password.

This class requires a high degree of trust and carries risks. This class uses the OAuth ROPC flow to get the access token and can be used only when other flows are not viable.

There are other alternative classes available, using other OAuth flows to get the access token, which are more secure.

For non-interactive calls, you can use ClientSecretCredential, which helps to acquire the token using a client secret.

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if the answer helped you.
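As an added illustration of the two approaches the accepted answer contrasts (example code, not the poster's or Microsoft's), using the Azure.Identity library: the discouraged ROPC path beside the client-credentials path. It assumes the Azure.Identity NuGet package, the Power BI REST API scope, and placeholder environment variable names for the tenant id, client id and client secret.

```csharp
// Added example, not code from the question or answer above.
// Assumes: Azure.Identity NuGet package; tenant id, client id and client secret
// supplied through environment variables (the variable names are placeholders).
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class PowerBiTokens
{
    // Resource scope for the Power BI REST API.
    private const string PowerBiScope = "https://analysis.windows.net/powerbi/api/.default";

    // Discouraged path (ROPC): the application handles the user's plaintext password,
    // the password itself is sent to the token endpoint, and MFA or Conditional Access
    // policies that require interaction cannot be satisfied.
    public static async Task<AccessToken> GetTokenWithPasswordAsync(
        string username, string password, string tenantId, string clientId)
    {
        var credential = new UsernamePasswordCredential(username, password, tenantId, clientId);
        return await credential.GetTokenAsync(new TokenRequestContext(new[] { PowerBiScope }));
    }

    // Recommended for non-interactive calls: client credentials of an app registration.
    // No user password is involved, and the secret is read from configuration, not hard-coded.
    public static async Task<AccessToken> GetTokenWithClientSecretAsync()
    {
        string tenantId = RequireEnv("AZURE_TENANT_ID");       // placeholder variable name
        string clientId = RequireEnv("AZURE_CLIENT_ID");       // placeholder variable name
        string clientSecret = RequireEnv("AZURE_CLIENT_SECRET"); // placeholder variable name

        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
        return await credential.GetTokenAsync(new TokenRequestContext(new[] { PowerBiScope }));
    }

    // Fail fast when configuration is missing rather than falling back to a weaker flow.
    private static string RequireEnv(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"Environment variable {name} is not set.");

    public static async Task Main()
    {
        AccessToken token = await GetTokenWithClientSecretAsync();
        // Never log the token value itself; the expiry is enough to confirm acquisition.
        Console.WriteLine($"Token acquired, expires {token.ExpiresOn:u}");
    }
}
```

The app registration must be granted access to the Power BI workspaces it reads, and the client secret should live in a secret store or deployment configuration rather than in source control.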

