Native C++ authentication with browser against Azure AD

balikamca 0 Reputation points
2023-05-12T07:27:23.93+00:00

I have a native C++ application and I need to authenticate users against Azure Active Directory. After authentication I will query if the user belongs to a specific group/application...

What I want to achieve is similar to the 'Connect-AzAccount' command of PowerShell (see the picture).

When you type 'Connect-AzAccount', a browser popup appears and you select/enter your account credentials. That type of authentication flow would be best because username and password issues are delegated to the browser. If only I could get the authentication result (success/error & token) in a structured way (like JSON), the rest would be simple.

[User's image]

    #include <cstdio>
    #include <stdexcept>
    #include <string>

    /*
      Similar to a system() call, but we can read the output of the command
      instead of only getting its 'int' return code.
      This function is used to read the output of powershell.exe command calls.
      _popen/_pclose are the MSVC CRT names; on POSIX they are popen/pclose.
    */
    std::string exec(const char* cmd) {
        char buffer[128];
        std::string result;
        FILE* pipe = _popen(cmd, "r");
        if (!pipe) throw std::runtime_error("popen() failed!");
        try {
            // Read the child's stdout a chunk at a time until EOF
            while (fgets(buffer, sizeof buffer, pipe) != NULL)
                result += buffer;
        } catch (...) {
            _pclose(pipe);
            throw;
        }
        _pclose(pipe);
        return result;
    }

    int main()
    {
        // Call powershell with the specified commands
        std::string result = exec("powershell.exe Connect-AzAccount");
        result = exec("powershell.exe Get-AzAccessToken");
        // result includes the token (and additional useless text)
        return 0;
    }

Since I need to parse & clean the result of the PowerShell cmd calls, this method is not elegant, but it demonstrates similar functionality.

Given that I'm using native C++ and have a console application:

  • How can I achieve the same functionality while sticking to native C++?
  • What is the name of getting credentials with that popup style? How should I search for it? (Is it WAM - Web Account Manager?)
  • Which API/libraries provide that functionality to my native console application?
  • If it is not possible the C++ way, what would be the best alternative? Can I call PowerShell or any alternative to authenticate and get a structured response?

2 answers

  1. Akshay-MSFT 17,951 Reputation points Microsoft Employee Moderator
    2023-05-18T11:17:21.2066667+00:00

    @balikamca

    Thanks for your time and patience. Please find below (PFB) the answers to your queries:

    • What is the name of getting credentials with that popup style? How should I search for it? (Is it WAM - Web Account Manager?)

    prompt: Indicates the type of user interaction that is required.

    Valid values are login, none, consent, and select_account.

    prompt=login forces the user to enter their credentials on that request, negating single-sign on.

    prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error.

    prompt=consent triggers the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app.

    prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.

    • Which API/libraries provide that functionality to my native console application?

    You need to integrate the app with the Azure SDK for C++ library and could follow the Microsoft identity platform and OAuth 2.0 authorization code flow.

    • If it is not possible the C++ way, what would be the best alternative? Can I call PowerShell or any alternative to authenticate and get a structured response?

    Even the PowerShell module is built using the same prompt.

    Please do let me know if you have any further queries.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.


  2. Bruce (SqlWork.com) 77,686 Reputation points Volunteer Moderator
    2023-10-22T00:46:36.4766667+00:00

    Conceptually, the login is as follows:

    The command tool opens a port for Azure AD to redirect to.

    The tool opens the browser (or a webview if GUI) with the proper Azure AD login URL, passing your app's port as a reply URL.

    The user logs in via the browser. After successful login the Azure server redirects to your app's URL with a code.

    The tool responds to the redirect and gets the code from the URL.

    The tool uses the code to get an ID and access token for calling the Graph API.

    see:

    https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-app-types#mobile-and-native-apps

    Use the C++ SDK and samples mentioned above.

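The answer above describes the loopback redirect in prose. The following is an added example, not code from the thread or from any Microsoft SDK, of the part of that step that is easy to get wrong: taking the request line the local listener received from the browser and turning it into either an authorization code or an error. It assumes the app already has a socket bound to 127.0.0.1 on the port it put in the redirect URI (any plain TCP accept loop will do; networking is deliberately left out so the logic runs offline), and that the `state` value passed in is the random one generated for this sign-in attempt. The request lines in the test are constructed.

```cpp
#include <map>
#include <string>

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// application/x-www-form-urlencoded decoding of one query component.
static std::string url_decode(const std::string& s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '+') out += ' ';
        else if (s[i] == '%' && i + 2 < s.size() && hexval(s[i + 1]) >= 0 && hexval(s[i + 2]) >= 0) {
            out += char(hexval(s[i + 1]) * 16 + hexval(s[i + 2]));
            i += 2;
        } else out += s[i];
    }
    return out;
}

// Split "GET /?code=...&state=... HTTP/1.1" into its query parameters.
static std::map<std::string, std::string> parse_query(const std::string& request_line) {
    std::map<std::string, std::string> q;
    size_t qs = request_line.find('?');
    if (qs == std::string::npos) return q;
    size_t end = request_line.find(' ', qs);
    std::string query = request_line.substr(qs + 1, end == std::string::npos ? std::string::npos : end - qs - 1);
    size_t pos = 0;
    while (pos <= query.size()) {
        size_t amp = query.find('&', pos);
        std::string pair = query.substr(pos, amp == std::string::npos ? std::string::npos : amp - pos);
        size_t eq = pair.find('=');
        if (eq != std::string::npos) q[url_decode(pair.substr(0, eq))] = url_decode(pair.substr(eq + 1));
        if (amp == std::string::npos) break;
        pos = amp + 1;
    }
    return q;
}

struct RedirectResult {
    bool ok;                        // true: code present and state matched
    std::string code;               // authorization code; single use and short lived
    std::string error;              // "state_mismatch", "missing_code", or the error= value from Azure AD
    std::string error_description;  // human-readable text from Azure AD, if any
};

// Validate the redirect. Checking `state` before looking at anything else is
// what stops a forged request to the loopback port from injecting someone
// else's code into this sign-in attempt; the code itself is never logged.
RedirectResult handle_redirect(const std::string& request_line, const std::string& expected_state) {
    auto q = parse_query(request_line);
    RedirectResult r{false, "", "", ""};
    if (expected_state.empty() || q["state"] != expected_state) { r.error = "state_mismatch"; return r; }
    if (q.count("error")) {                       // e.g. access_denied when the user cancels
        r.error = q["error"];
        r.error_description = q["error_description"];
        return r;
    }
    if (q["code"].empty()) { r.error = "missing_code"; return r; }
    r.ok = true;
    r.code = q["code"];
    return r;
}

// What the app writes back on the accepted socket so the browser tab shows a
// message. The body deliberately echoes nothing from the query string.
std::string http_response(bool ok) {
    std::string body = ok ? "Signed in. You can close this window."
                          : "Sign-in failed. Return to the application.";
    return "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nConnection: close\r\n"
           "Content-Length: " + std::to_string(body.size()) + "\r\n\r\n" + body;
}
```

After `handle_redirect` returns `ok`, the app closes the listener (one redirect per attempt, so a later request to the port is simply refused) and POSTs the code, the same `redirect_uri`, and the PKCE `code_verifier` to `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token` as a form-encoded body; the JSON that comes back carries the access token (and ID token, if `openid` was requested) in a structured form, which is the result the question asked for.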
