Azure Active Directory Authentication Libraries

The Azure Active Directory Authentication Library (ADAL) enables client application developers to easily authenticate users to cloud or on-premises Active Directory (AD), and obtain access tokens for securing API calls. ADAL makes authentication easier for developers through features such as:

  • support for asynchronous method calls
  • a configurable token cache that stores access tokens and refresh tokens
  • automatic token refresh when an access token expires and a refresh token is available
  • and more

By handling most of the complexity, ADAL helps developers focus on business logic and easily secure resources, without being an expert in security.

ADAL is available on a variety of platforms.

Client Libraries

| Platform | Library | Download | Source Code | Sample | Reference |
| --- | --- | --- | --- | --- | --- |
| .NET Client, Windows Store, UWP, Xamarin iOS and Android | MSAL for .NET (preview) | NuGet | GitHub | Desktop app | Reference |
| JavaScript | MSAL for JavaScript (preview) | GitHub | GitHub | Single Page App | Reference |
| iOS | MSAL for iOS (preview) | GitHub | GitHub | iOS app | Reference |
| Android | MSAL for Android (preview) | GitHub | GitHub | Android app | Reference |
| .NET Client, Windows Store, UWP, Xamarin iOS and Android | ADAL .NET v3 | NuGet | GitHub | Desktop app | Reference |
| .NET Client, Windows Store, Windows Phone 8.1 | ADAL .NET v2 | NuGet | GitHub | Desktop app | |
| JavaScript | ADAL.js | GitHub | GitHub | Single Page App | |
| iOS, macOS | ADAL | GitHub | GitHub | iOS app | Reference |
| Android | ADAL | The Central Repository | GitHub | Android app | JavaDocs |
| Node.js | ADAL | npm | GitHub | | |
| Java | ADAL4J | GitHub | GitHub | Java web app | |
| Python | ADAL | GitHub | GitHub | | |

Server Libraries

| Platform | Library | Download | Source Code | Sample | Reference |
| --- | --- | --- | --- | --- | --- |
| .NET | OWIN for AzureAD | NuGet | CodePlex | MVC App | |
| .NET | OWIN for OpenIDConnect | NuGet | CodePlex | Web App | |
| Node.js | Azure AD Passport | npm | GitHub | Web API | |
| .NET | OWIN for WS-Federation | NuGet | CodePlex | MVC Web App | |
| .NET | Identity Protocol Extensions for .NET 4.5 | NuGet | GitHub | | |
| .NET | JWT Handler for .NET 4.5 | NuGet | GitHub | | |

Scenarios

Here are three common scenarios in which ADAL can be used for authenticating a client that accesses a remote resource:

Authenticating users of a native client application running on a device

In this scenario, a developer has a WPF client application that needs to access a remote resource secured by Azure AD, such as a web API. He has an Azure subscription, knows how to invoke the downstream web API, and knows the Azure AD tenant that the web API uses. As a result, he can use ADAL to facilitate authentication with Azure AD, either by fully delegating the authentication experience to ADAL or by explicitly handling user credentials. ADAL makes it easy to authenticate the user, obtain an access token and refresh token from Azure AD, and then use the access token to make requests to the web API.

For a code sample that demonstrates this scenario using authentication to Azure AD, see Native Client WPF Application to Web API.

Authenticating a confidential client application running on a web server

In this scenario, a developer has an application running on a server that needs to access a remote resource secured by Azure AD, such as a web API. He has an Azure subscription, knows how to invoke the downstream service, and knows the Azure AD tenant the web API uses. As a result, he can use ADAL to facilitate authentication with Azure AD by explicitly handling the application’s credentials. ADAL makes it easy to retrieve a token from Azure AD by using the application’s client credential and then use that token to make requests to the web API. ADAL also manages the lifetime of the access token by caching it and renewing it as necessary.

For a code sample that demonstrates this scenario, see Daemon console Application to Web API.

Authenticating a confidential client application running on a server, on behalf of a user

In this scenario, a developer has an application running on a server that needs to access a remote resource secured by Azure AD, such as a web API. The request also needs to be made on behalf of an Azure AD user. He has an Azure subscription, knows how to invoke the downstream web API, and knows the Azure AD tenant the service uses. Once the user is authenticated to the web application, the application can get an authorization code for the user from Azure AD. The web application can then use ADAL to obtain an access token and refresh token from Azure AD on behalf of the user, using the authorization code and the client credentials associated with the application. Once the web application is in possession of the access token, it can call the web API until the token expires. When the token expires, the web application can use ADAL to get a new access token by using the refresh token that was previously received.

For a code sample that demonstrates this scenario, see Native client to Web API to Web API.
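The token caching and refresh behaviour described in the scenarios above, modelled as an added example (not ADAL's own code or API). The class names, the 300-second expiry skew and the fake token endpoint are assumptions made for illustration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass
class TokenEntry:
    access_token: str
    expires_on: float              # epoch seconds
    refresh_token: Optional[str]

class ReauthRequired(Exception):
    """No usable access token and no refresh token: the user must sign in again."""

class TokenCache:
    """Hypothetical cache keyed by (resource, client_id, user_id), so one
    user's tokens are never returned for another user or another resource."""
    def __init__(self, refresh: Callable[[str, str], dict],
                 clock: Callable[[], float] = time.time, skew: float = 300.0):
        self._refresh, self._clock, self._skew = refresh, clock, skew
        self._entries: Dict[Tuple[str, str, str], TokenEntry] = {}

    def store(self, key, response: dict) -> TokenEntry:
        old = self._entries.get(key)
        entry = TokenEntry(
            response["access_token"],
            self._clock() + response["expires_in"],
            # Keep the previous refresh token if the response carries no new one.
            response.get("refresh_token") or (old.refresh_token if old else None))
        self._entries[key] = entry
        return entry

    def acquire(self, resource: str, client_id: str, user_id: str) -> str:
        key = (resource, client_id, user_id)
        entry = self._entries.get(key)
        # Treat a token as expired `skew` seconds early so it cannot lapse in flight.
        if entry and entry.expires_on - self._skew > self._clock():
            return entry.access_token
        if not entry or not entry.refresh_token:
            raise ReauthRequired(user_id)
        return self.store(key, self._refresh(entry.refresh_token, resource)).access_token

class FakeEndpoint:
    """Constructed stand-in for the token endpoint; rotates refresh tokens."""
    def __init__(self):
        self.calls = 0
    def redeem(self, refresh_token: str, resource: str) -> dict:
        self.calls += 1
        return {"access_token": f"at-{self.calls}", "expires_in": 3600,
                "refresh_token": f"rt-{self.calls}"}
```

Seed the cache with `store()` using the response obtained when the authorization code is redeemed; every later call goes through `acquire()`, which only contacts the endpoint once the cached token is inside the skew window.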
