[Feature Request] Support ROPC flow for Confidential Client

[akulyakhtin]

The protocol defines ROPC flow for Confidential Client:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

MSAL4J does not support this. However, other MSAL libraries such as MSAL for Python do support this.

There is a disclaimer that the reason it's not implemented is because ROPC is, in general, not recommended. However, other MSAL libraries do support this. Therefore MSAL4J demonstrates inconsistency.
More importantly, MSAL4J thus does not implement one of the possible scenarios defined by the protocol.

Another argument is that, currently, to enable ROPC flow we have to switch on 'Enable Public Flow' in the Azure AD App settings even if our application is not, in its nature, public. With ROPC for Confidental Client supported we won't need to switch 'Enable Public Flow' for confidential clients using ROPC.

Implementing this seems to be very straightforward. It's moving acquireToken(UserNamePasswordParameters) into AbstractClientApplcationBase and, correspondingly, into IClientApplicationBase.

This has already been done for MSAL for Python. (AzureAD/microsoft-authentication-library-for-python#344)

[bgavrilMS]

Hi @akulyakhtin - what is the scenario requiring ROPC ? Confidential clients (web apps, web apis) should use client_credentials flow to acquire a token based on a secret / certificate, on behalf of a service principal.

[akulyakhtin]

Hi @bgavrilMS, thank you for your reply. The scenario has been described in this thread for MSAL Python (and ROPC for Confidential Flow has been implemented in MSAL for Python following the discussion)
AzureAD/microsoft-authentication-library-for-python#294

Our app is a desktop app which is testing an API server. We would like the application to have the identity of a user because we are testing as if the user accesses those APIs.

At the same tme we do not want to use Public Flow because our application is a Java application running on a server.

[akulyakhtin]

Please. consider the patch:
https://gist.github.com/akulyakhtin/129d0dc9d3777e500efa3f204c1796bc

[akulyakhtin]

Hi @bgavrilMS, the throttling issue could be avoided for ROPC if ROPC would be allowed for confidential clients, since ThrottlingCache is only used for public clients.

This might be considered instead of decreasing the timeout as proposed in our current PR.

The MSAL Python library (and maybe others) does support ROPC for confidential clients.

[bgavrilMS]

Agreed @akulyakhtin - we do have it on our backlog to add ROPC for confidential clint for all MSALs. Currently only MSAL PY supports this.

Let me add it on the project board. The team is busy with Managed Identity, but hopefully will be able to pick this up in the next few months.

[olegbaslak]

Hello @bgavrilMS,

We're having the same need to pass client_secret along with username and password using a confidential client.

Have the team refined and prioritized that issue already?

[bgavrilMS]

Hi @olegbaslak - it's on the backlog, but we do not expect to get to this in the next 2-3 months and I cannot provide an estimate.

Why do you need ROPC over Confidential Client?

[olegbaslak]

@bgavrilMS we need to pass all params to acquire an access token: client_id, client_secret, username, password using "password" grant_type, which is not possible with the current lib implementation (or I didn't find how to achieve this).

[bgavrilMS]

Duplicate of #261