AlexAlexon-4788 asked azure-cxp-api edited

Java SDK to log in to Azure using the Microsoft login ID and password

Does a Java SDK exist for Azure to log in to Azure using the Microsoft login ID and password (used to log in to the portal)? I need to log in programmatically to Azure using this login ID and password, so that I can do some operations on my storage account.

If there is no Java SDK, which SDK can be used?

azure-active-directory azure-storage-accounts azure-stack-hub
soumi-MSFT answered soumi-MSFT edited

@AlexAlexon-4788, Thank you for sharing the details, but it's still not clear what type of application this is. Is this a web service, or is it a console application that is running on your server?


When you say that your application won't have a UI, I am going with the assumption that it's a console app, and for a console app you can consider the following code samples: https://github.com/Azure-Samples/ms-identity-java-desktop/tree/master/


It has two samples in it:


Username-Password-Flow


Integrated-Windows-Auth-Flow


The username-password flow can be used with any OS platform, like Linux or Windows. In this sample you would find the following section in the file UsernamePasswordFlow.java:


 private final static String CLIENT_ID = "<client/app Id of the registered app in AAD>";
 private final static String AUTHORITY = "https://login.microsoftonline.com/common/";
 private final static Set<String> SCOPE = Collections.singleton("");
 private final static String USER_NAME = "<user-name>";
 private final static String USER_PASSWORD = "<Password>";

If you see here there are two static attributes named as USER_NAME and USER_PASSWORD, so here you put the username and the password of the user who would be accessing the application and then you get an access-token issued by AAD for that user.


In the second sample, "Integrated-Windows-Auth-Flow", you would only be required to add the username, using Windows Integrated Auth, i.e. Kerberos, and then fetching an access token from AAD by submitting the Kerberos token received earlier. In this case the users that are being used to authenticate must be synced to Azure AD via AD Connect, so that the same user identities can be found both on your on-prem infrastructure and in your Azure AD tenant.


Note: Both these samples use MSAL4J, which is the Microsoft Authentication Library for Java.


Hope this helps.


In case you feel that the above assumption is not correct and you are using some other type of application, please do share the details about the type of application so that we can help further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.


LeonLaude answered

Hi,

You'll find all the available Azure SDKs over here:
https://azure.microsoft.com/en-us/downloads/

Here's the reference for the Azure SDK for Java:
https://docs.microsoft.com/en-us/java/api/overview/azure/?view=azure-java-stable


Best regards,
Leon

soumi-MSFT answered

@AlexAlexon-4788, Yeah, you can use the MSAL4J library for using the Microsoft Identity Platform in your Java application. You can find the details below:


For Java web apps: https://github.com/Azure-Samples/ms-identity-java-webapp


For Java desktop applications: https://github.com/Azure-Samples/ms-identity-java-desktop/


Hope this helps.


Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.


AlexAlexon-4788 answered

Thanks @soumi-MSFT, @LeonLaude. Maybe I am not clear about my question.


My application is a backend application (running on premises), which won't have any UI for the user to enter his credentials / log in.


I was looking for: 1) using Java, log in to my Azure account (Microsoft user ID + password); 2) being able to do operations on my storage account.


AlexAlexon-4788 answered

@soumi-MSFT, this really helped me. I was looking for the solution which is mentioned as "Username-Password-Flow".


I have created a service principal, and using "username + password + client id", I generated a token. With this token + RBAC permission for my user (as Storage Blob Contributor), I am able to do blob CRUD operations within MY account.


I want to extend this solution to a multi-tenant storage account. The user which I created above has been provided with RBAC permission for another tenant's (assume Tenant-2) storage account (Storage account contributor, Storage blob contributor).


My assumption was that, using the same token generated in the first step, I should be able to do CRUD operations on the Tenant-2 storage account (since Tenant-2 has provided RBAC permissions for my user). But this didn't work. It reports an authentication error - "Issuer validation failed. Issuer did not match".


In the JWT token, the token issuer/signer was my tenant-id. Still not sure why RBAC doesn't work?


Any suggestions, please comment.


soumi-MSFT answered

@AlexAlexon-4788, Apologies for the delay in my response. In case you want to extend the current application for other tenants, you would have to turn the app-registration for this app to multitenant app from single tenant app.


[Image: 10128-multitenantoption.png]


Once this app is configured as multitenant, users from other tenants would be able to access this app and authenticate to it using their tenant user IDs. Once the users from the other tenant sign in to this app, a service principal for this app would get created in their tenant, and then on that service principal you can apply the RBAC roles. For the user authentication, it would reach out to that other tenant and fetch a token from that other tenant when the user of that tenant puts in the creds.


Points to note:


In your current application's code, where you have mentioned the authority like "https://login.microsoftonline.com/{tenant-id}", you need to modify that and put in the following: "https://login.microsoft.com/common". If you are following the same sample that I have shared with you above, you would see that the sample has the following variable defined: " private final static String AUTHORITY = "https://login.microsoftonline.com/common/" " in UsernamePasswordFlow.java. This is required for the application code to behave as multitenant.


Hope this helps.


Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.
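
As an added illustration (not part of the thread or of the linked sample), the Java sketch below runs MSAL4J's username-password flow against a single tenant's authority and compares the token's `tid` claim with the tenant that owns the storage account, which is the mismatch behind the "Issuer validation failed" error reported above. The class name, the environment variable names and the premise that the user can sign in to that tenant are assumptions of this example.

```java
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.PublicClientApplication;
import com.microsoft.aad.msal4j.UserNamePasswordParameters;

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TenantScopedToken {
    // Azure Storage resource scope.
    private static final Set<String> SCOPE = Collections.singleton("https://storage.azure.com/.default");
    private static final Pattern TID = Pattern.compile("\"tid\"\\s*:\\s*\"([^\"]+)\"");

    // Username-password flow against ONE tenant's authority, so that tenant issues the token.
    static String acquire(String clientId, String tenantId, String user, char[] password) throws Exception {
        PublicClientApplication pca = PublicClientApplication.builder(clientId)
                .authority("https://login.microsoftonline.com/" + tenantId + "/")
                .build();
        IAuthenticationResult result = pca.acquireToken(
                UserNamePasswordParameters.builder(SCOPE, user, password).build()).join();
        return result.accessToken();
    }

    // Reads the "tid" claim from the JWT payload. Diagnostic only: no signature check is done here.
    static String tenantOf(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWT");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = TID.matcher(payload);
        if (!m.find()) throw new IllegalArgumentException("no tid claim");
        return m.group(1);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical variable names; secrets come from the environment, not from source code.
        String storageTenant = System.getenv("STORAGE_TENANT_ID"); // tenant that owns the storage account
        String token = acquire(System.getenv("AZURE_CLIENT_ID"), storageTenant,
                System.getenv("AZURE_USERNAME"), System.getenv("AZURE_PASSWORD").toCharArray());
        if (!storageTenant.equalsIgnoreCase(tenantOf(token))) {
            throw new IllegalStateException("token tenant " + tenantOf(token)
                    + " differs from storage tenant; expect an issuer validation failure");
        }
        System.out.println("token issued by the storage account's tenant");
    }
}
```

The `tid` check is a pre-flight diagnostic for logging which tenant issued a token; it does not replace the signature and issuer validation the service performs.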


