Authenticate a client app (Azure Data Catalog REST API)
This article shows you how to authenticate a Data Catalog client app. It includes examples in C#; however, the authentication process is the same for other programming languages.
- What you need to authenticate a Data Catalog client app
- How to make a request to Data Catalog REST API using a token
- Azure Authentication Context Flow
Data Catalog client apps use Active Directory (Azure AD) to authenticate users and protect applications. Authentication is the process of identifying an app or user. To identify your client app in Azure AD, you register your app with Azure AD. When you register a client app in Azure Active Directory, you give your app access to the Data Catalog APIs. To learn how to register your Data Catalog client app, see Register a client app.
Data Catalog REST API calls are made on behalf of an authenticated user by passing a token in the "Authorization" header of the request. The token is acquired through Azure Active Directory.
What you need to authenticate a Data Catalog client app
To authenticate a Data Catalog client app and perform a REST web request, you need to:
Register your client app - To register a Data Catalog client app, see Register a client app. When you register a client app in Azure Active Directory, you give your app access to the Data Catalog APIs.
Assign the client ID for your app - To get the client ID for your app, see How to get a client app ID. The application uses the client ID to identify itself to the users it requests permissions from.
- In your client app code, assign the clientID variable to the clientID of your Azure application.
Assign the redirect URI - For a client app, a redirect URI gives Azure AD more details about the specific application it authenticates. A uniform resource identifier (URI) is a value that identifies a resource.
- In your client app code, assign the redirectUri to https://login.live.com/oauth20_desktop.srf. Since a client app does not have an external service to redirect to, this URI is the standard placeholder for client apps.
Assign the resource URI for Data Catalog API - The resource URI identifies the Data Catalog API resource.
- In your client app code, assign the resourceUri to https://datacatalog.azure.com.
Assign the OAuth2 authority URI - The authority URI identifies the OAuth2 authority resource.
- In your client app code, assign an authority URI to https://login.windows.net/common/oauth2/authorize.
To make a data request to the Data Catalog REST service, you need to supply an access token. In a .NET client app, you use the Microsoft Authentication Library (MSAL) to get an access token.
Important
To authenticate a client app, you must add a reference to Microsoft.Identity.Client, which is included in the Microsoft Authentication Library (MSAL). If your app still uses ADAL, migrate it to MSAL. For more information, see differences between ADAL.NET and MSAL.NET apps.
Install-Package Microsoft.Identity.Client -Version 4.48.1
Steps to get an access token
Acquiring an access token using MSAL depends on whether you are building a public client or confidential client application. Refer to the following steps to acquire an access token for your scenario:
- Acquire an access token for a public client app
- Acquire an access token for a confidential client app
If you have a Data Catalog app that is still using the deprecated ADAL library, migrate your app from ADAL to MSAL.
Make a request to Data Catalog REST API using a token
After you get an access token from Active Directory (Azure AD), you use the token to make a web request to the Data Catalog REST API. To create a Data Catalog REST web request, you add an access token to a request header. For example, in a .NET app, add the
HttpWebRequest request = System.Net.WebRequest.Create(apiUrl) as System.Net.HttpWebRequest;
...
string authHeader = authResult.CreateAuthorizationHeader();
request.Headers.Add("Authorization", authHeader);
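The following is an added example, not code from the original article: a public client app that acquires a token with MSAL and sends it to the Data Catalog REST API in the Authorization header. The client ID and request URL are placeholders. The "/.default" scope and the login.microsoftonline.com authority form are assumptions about how the article's resource and authority URIs map onto MSAL, and the redirect URI assumes a Windows desktop target where MSAL can use its embedded browser.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class DataCatalogTokenExample
{
    const string ClientId = "<your-client-id>";         // placeholder: ID of your registered app
    const string ApiUrl = "<data-catalog-request-url>"; // placeholder: the apiUrl you call
    const string RedirectUri = "https://login.live.com/oauth20_desktop.srf"; // from the article
    const string ResourceUri = "https://datacatalog.azure.com";              // from the article
    // Assumption: MSAL takes scopes instead of a resource URI; "/.default" asks for
    // the permissions already configured for the app registration on that resource.
    static readonly string[] Scopes = { ResourceUri + "/.default" };

    static async Task<AuthenticationResult> GetTokenAsync(IPublicClientApplication app)
    {
        IAccount account = (await app.GetAccountsAsync()).FirstOrDefault();
        try
        {
            // Prefer the token cache: no prompt, and MSAL refreshes expired tokens.
            return await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // No usable cached token: run the interactive sign-in and consent flow.
            return await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }
    }

    static async Task Main()
    {
        IPublicClientApplication app = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority("https://login.microsoftonline.com/common") // assumption: tenant authority form
            .WithRedirectUri(RedirectUri)
            .Build();
        AuthenticationResult authResult = await GetTokenAsync(app);

        using (var http = new HttpClient())
        using (var request = new HttpRequestMessage(HttpMethod.Get, ApiUrl))
        {
            // Send the bearer token only in the Authorization header; never log it or put it in the URL.
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
            using (HttpResponseMessage response = await http.SendAsync(request))
                Console.WriteLine("HTTP " + (int)response.StatusCode);
        }
    }
}
```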
Azure Authentication Context Flow
In a .NET client app, you use AuthenticationContext to acquire an Azure access token. AuthenticationContext is the main class representing the token issuing authority for Azure AD resources. AuthenticationContext does the following:
- AuthenticationContext starts the flow by redirecting the user agent to the Azure Active Directory authorization endpoint. The user authenticates and consents, if consent is required.
- The Azure Active Directory authorization endpoint redirects the user agent back to the AuthenticationContext with an authorization code. The user agent returns an authorization code to the client application’s redirect URI.
- The AuthenticationContext requests an access token from the Azure Active Directory token issuance endpoint. It presents the authorization code to prove that the user has consented.
- The Azure Active Directory token issuance endpoint returns an access token.
- The client application uses the access token to authenticate to the Web API.
- After authenticating the client application, the Data Catalog REST API returns the requested data.
To learn more about Azure Active Directory (Azure AD) authorization flow, see Authorization Code Grant Flow.
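The first three steps of the flow above, written out as the messages a client builds and checks. This is an added example, not code from the original article or from the authentication library, which performs these steps for you. The parameter names are the standard OAuth 2.0 ones plus Azure AD's resource parameter, and the state value is an assumption added here so the client can tie the redirect back to its own request.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Web;

static class AuthCodeFlowMessages
{
    const string AuthorizeEndpoint = "https://login.windows.net/common/oauth2/authorize"; // from the article
    const string RedirectUri = "https://login.live.com/oauth20_desktop.srf";              // from the article
    const string ResourceUri = "https://datacatalog.azure.com";                           // from the article

    // Step 1: the authorization request the user agent is sent to.
    public static string BuildAuthorizeUrl(string clientId, out string state)
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        state = Convert.ToBase64String(bytes); // unpredictable per-request value (assumption, see lead-in)

        var query = HttpUtility.ParseQueryString(string.Empty);
        query["response_type"] = "code";
        query["client_id"] = clientId;
        query["redirect_uri"] = RedirectUri;
        query["resource"] = ResourceUri;
        query["state"] = state;
        return AuthorizeEndpoint + "?" + query; // ToString() URL-encodes each value
    }

    // Step 2: read the authorization code from the redirect, rejecting anything unexpected.
    public static string ReadAuthorizationCode(Uri redirected, string expectedState)
    {
        if (!string.Equals(redirected.GetLeftPart(UriPartial.Path), RedirectUri, StringComparison.Ordinal))
            throw new InvalidOperationException("Redirect went to an unexpected URI.");
        var query = HttpUtility.ParseQueryString(redirected.Query);
        if (query["error"] != null)
            throw new InvalidOperationException("Authorization failed: " + query["error"]);
        if (!string.Equals(query["state"], expectedState, StringComparison.Ordinal))
            throw new InvalidOperationException("State mismatch: response is not for this request.");
        return query["code"] ?? throw new InvalidOperationException("No authorization code returned.");
    }

    // Step 3: the form body posted to the token issuance endpoint to redeem the code.
    public static FormUrlEncodedContent BuildTokenRequest(string clientId, string code) =>
        new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code", ["client_id"] = clientId,
            ["code"] = code, ["redirect_uri"] = RedirectUri, ["resource"] = ResourceUri
        });
}
```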