I just need my registered App to validate a user, not sign them in

Chris Di Donna 0 Reputation points
2023-11-08T23:17:50.28+00:00

Hi. Our needs from Entra are pretty simple. We have a website accessing Entra as a registered app and it needs to validate a user is legitimate against Entra. That's it. I don't need tokens, I don't need authorizations, I just need to throw a username and password at Entra and it comes back with a yes or no without user intervention. So far every authentication flow I've read involves a challenge response opening a browser page on Entra and that won't work with what we have got.

Some background: we need to migrate our existing user base from our SSO solution on Atlassian Crowd into an Entra User Pool (using CSVs, easy enough) and our website needs to validate the user by username and password. They are already known users. If they have to go onto Entra and do an initial login with an MFA process etc. to activate their account, that's fine. But from then on, we just need the site to validate them, not 'sign them in'.

The technical challenge behind this is that our desktop app talks to the website via a REST API, which then does the SSO validation on the user's behalf. We can't update older versions of the desktop app to talk to Entra directly and handle the challenge-response flow; they can only talk directly to our website.


2 answers

  1. Chris Di Donna 0 Reputation points
    2023-11-10T02:58:15.5466667+00:00

    Ok it's ROPC flow. No worries. Just had to dig through the docs in the right direction to find it.


  2. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2023-11-10T08:45:09.6866667+00:00

    Hi @Chris Di Donna ,

    Thanks for reaching out.

    Glad you are able to get the OAuth flow you are looking for.

    However, the Resource Owner Password Credentials (ROPC) flow is not recommended for most scenarios, as it requires the client to collect the user's password and send it to the authorization server. This is generally considered less secure than other authentication flows, as it increases the risk of password theft and replay attacks.

    This flow is also used to authenticate the user and retrieve the access token without the user's intervention.

    However, keep in mind that the ROPC flow has some limitations and drawbacks. For example, it does not support multi-factor authentication, and it requires the client to store the user's password, which can be a security risk. Additionally, some identity providers may not support the ROPC flow, or may restrict its use in certain scenarios.

    As per your scenario, where you seem to validate the user only, you can leverage Entra's Request Service REST API to issue a presentation request for a verifiable credential. This would require the user to have a verifiable credential that has been issued by a trusted issuer, such as a government ID or a driver's license. The user would need to present this credential to Entra, which would then verify the credential and return a response indicating whether the user is legitimate or not.

    Reference - https://learn.microsoft.com/en-IN/entra/verified-id/verifiable-credentials-configure-tenant

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if the answer helped you.

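Added example (written for this page, not code from the thread or from Microsoft's documentation): a Python sketch of what the ROPC exchange Shweta describes looks like from the web site's side, making two of her points concrete: the user's cleartext password is sent in the request body, and an MFA-protected user comes back as an error rather than a token. The endpoint and error-response layout follow Entra's public v2.0 token endpoint; the tenant, client id, credentials and sample replies are constructed placeholders.

```python
import json
from urllib.parse import urlencode

# Entra ID v2.0 token endpoint; tenant and client id are placeholders (assumed).
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def build_ropc_request(tenant, client_id, username, password, scope="openid"):
    """Return (url, form body) for a ROPC token request.
    Note the cleartext password in the POST body: the web site proxying for
    the desktop app handles every user's password on every call."""
    body = {"client_id": client_id, "grant_type": "password",
            "username": username, "password": password, "scope": scope}
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(body)

def classify_ropc_response(status_code, body_text):
    """Map a token-endpoint reply to the yes/no verdict the site wants.
    ROPC has no step for a second factor, so a user covered by MFA or a
    Conditional Access policy gets an error instead of a token; treat that
    as 'cannot validate this way', not as 'wrong password'."""
    data = json.loads(body_text)
    if status_code == 200 and "access_token" in data:
        return "valid"
    codes = set(data.get("error_codes", []))
    if data.get("error") == "interaction_required" or codes & {50076, 50079}:
        return "mfa_or_interaction_required"
    if 50126 in codes:
        return "invalid_credentials"
    return "other_error"

# Constructed sample replies, shaped like Entra's JSON token/error responses
# (AADSTS50076/50079 = MFA required, AADSTS50126 = bad username or password).
SAMPLE_TOKEN_OK = json.dumps(
    {"token_type": "Bearer", "expires_in": 3599, "access_token": "eyJ.constructed"})
SAMPLE_MFA_REQUIRED = json.dumps(
    {"error": "invalid_grant", "error_codes": [50076],
     "error_description": "AADSTS50076: Due to a configuration change made by "
                          "your administrator, you must use multi-factor authentication."})
SAMPLE_BAD_PASSWORD = json.dumps(
    {"error": "invalid_grant", "error_codes": [50126],
     "error_description": "AADSTS50126: Error validating credentials due to "
                          "invalid username or password."})

if __name__ == "__main__":
    url, body = build_ropc_request("contoso.onmicrosoft.com", "<client-id>",
                                   "alice@contoso.com", "p@ss")
    print(url, body.replace("p%40ss", "<redacted>"))  # never log the password
    for label, reply in [("ok", SAMPLE_TOKEN_OK), ("mfa", SAMPLE_MFA_REQUIRED),
                         ("bad", SAMPLE_BAD_PASSWORD)]:
        print(label, classify_ropc_response(200 if label == "ok" else 400, reply))
```

The third verdict is the one to watch in the migration described above: once an account has gone through the initial MFA activation, any policy that keeps enforcing MFA on it will make this proxy path fail for that user.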
