
Feature request: Integrated Windows Authentication without specifying username

Open David-Engel opened this issue 5 years ago • 17 comments

It would be really nice, and arguably more "integrated", if applications did not need to provide the username when using the Integrated Windows Authentication flow.

Background: We (the mssql-jdbc team) are migrating from ADAL4J to MSAL4J. I think ADAL4J also requires username to be passed in but I was hoping MSAL4J would allow us to eliminate the current workaround used for our IWA auth flow on Windows where we use the native ADAL library instead of a Java implementation.

Thanks!

CC: @lilgreenbird

David-Engel avatar Oct 08 '20 16:10 David-Engel

@David-Engel Is there a specific timeline you are looking to meet for this feature?

navyasric avatar Oct 23 '20 23:10 navyasric

@navyasric The JDBC Driver for SQL Server is on a 6 months GA release cadence roughly at the end of January and end of July. It would be great to have it for our next release in January, which would mean we would probably need it by December. Otherwise, it would have to catch the next release.

David-Engel avatar Oct 26 '20 20:10 David-Engel

Thank you, that is helpful information. We will keep you posted on this.

navyasric avatar Oct 26 '20 20:10 navyasric

Hi, we're wondering if there are any updates on plans to implement this feature? We are unable to move forward to use this library for integrated authentication while it still requires a username.

Thanks

lilgreenbird avatar Jul 29 '22 17:07 lilgreenbird

Sorry about the delay on this, it's been sitting in our backlog for a while but we'll discuss finally picking it up and I'll give you an update when we have a plan.

This is for the JDBC driver that David mentioned, right? In another comment he mentioned being on a 6 month release cadence, so just for our planning that means you'd want this feature by the end of the year (plus some time for integration testing)?

Avery-Dunn avatar Jul 29 '22 17:07 Avery-Dunn

Yes, this is for the Microsoft JDBC Driver for SQL Server.

We're currently prepping for a GA release in the next week, so the next one will be approx. end of Jan as @David-Engel mentioned. We will need to make some changes at our end to make use of this feature, so time-wise it would be good if we could get this by late fall if possible. Thanks!

lilgreenbird avatar Jul 29 '22 20:07 lilgreenbird

@Avery-Dunn @lilgreenbird Any updates on this issue?

darkmastermindz avatar Dec 11 '22 21:12 darkmastermindz

We (the Microsoft JDBC Driver for SQL Server) are still waiting for this. At this point this will not make it in time for the GA release in January but it would be good to get this into the next release.

lilgreenbird avatar Dec 19 '22 00:12 lilgreenbird

Hi, wondering if there are any updates on when this might be implemented?

We (the Microsoft JDBC Driver for SQL Server) would like to migrate from native C++ code and move towards a purely Java solution for integrated authentication. This is the only blocker that prevents us from this.

lilgreenbird avatar Apr 18 '23 23:04 lilgreenbird

We will be shipping an equivalent (but better) solution than Integrated Windows Authentication. It is based on using a broker for Windows authentication instead of a browser. The broker (WAM) has the ability to give apps a token for the currently logged-in user (be it a Work and School or a Personal account). Internally, it relies on several protocols (IWA and PRT) to achieve this, and it is more reliable.

Note that Integrated Windows Authentication requires a LOT of setup and IT departments often make changes to that setup and break it. We had countless incidents because of this.

@Avery-Dunn to provide an ETA for when the API is available and a sample

CC @siddhijain

bgavrilMS avatar Apr 19 '23 14:04 bgavrilMS

@Avery-Dunn to provide an ETA for when the API is available and a sample

Any update on when the ETA is?

David-Engel avatar Nov 30 '23 19:11 David-Engel

@Avery-Dunn - please point @David-Engel to docs / samples related to WAM.

bgavrilMS avatar Dec 01 '23 16:12 bgavrilMS

@David-Engel : Here are the docs for using WAM and MSAL Java: https://learn.microsoft.com/en-us/entra/msal/java/advanced/using-wam-and-the-msal4jbrokers-package

That page still has the information from when it was in beta, so until it's updated you can use our more informal Github wiki page that has the current API and instructions: https://github.com/AzureAD/microsoft-authentication-library-for-java/wiki/Using-Web-Account-Manager-with-MSAL-Java

Essentially, if you use our recently GA'd msal4j-brokers package you can authenticate users via WAM. When creating your PublicClientApplication you'll be able to set a broker from the msal4j-brokers package, and if you then call our existing acquireTokenSilently API without specifying an account, it will try to sign in the default OS user.

Avery-Dunn avatar Dec 01 '23 22:12 Avery-Dunn
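As an added illustration of the configuration Avery-Dunn describes (this is not code from the thread or from the MSAL4J project): the `MsalRuntimeBroker` builder and the `.broker(...)` option are taken from the linked wiki and are assumptions, and the client id and the Azure SQL scope are placeholders you would replace with your own app registration's values.

```java
import java.util.Set;
import java.util.concurrent.CompletionException;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.MsalException;
import com.microsoft.aad.msal4j.PublicClientApplication;
import com.microsoft.aad.msal4j.SilentParameters;
import com.microsoft.aad.msal4jbrokers.MsalRuntimeBroker;

public class WamDefaultUserSample {
    // Placeholder app registration id (hypothetical); replace with your own public client's id.
    private static final String CLIENT_ID = "00000000-0000-0000-0000-000000000000";
    // "organizations" limits sign-in to work/school accounts; use a tenant id to pin one tenant.
    private static final String AUTHORITY = "https://login.microsoftonline.com/organizations";

    public static IAuthenticationResult acquireForDefaultOsUser(Set<String> scopes) throws Exception {
        // Broker from the msal4j-brokers package; on Windows it delegates to WAM.
        MsalRuntimeBroker broker = new MsalRuntimeBroker.Builder()
                .supportWindows(true)
                .build();

        PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
                .authority(AUTHORITY)
                .broker(broker)
                .build();

        // No IAccount is supplied: with a broker configured, MSAL asks WAM for the
        // currently signed-in OS user instead of requiring a username.
        SilentParameters silent = SilentParameters.builder(scopes).build();

        try {
            return pca.acquireTokenSilently(silent).join();
        } catch (CompletionException e) {
            // join() wraps the real failure; unwrap it so callers see the MsalException.
            if (e.getCause() instanceof MsalException) {
                // Typical causes: the OS user is not a work/school account, the broker is
                // unavailable, or the app registration lacks the WAM redirect URI.
                throw (MsalException) e.getCause();
            }
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Azure SQL resource scope (the double slash is intentional for this resource).
        IAuthenticationResult result = acquireForDefaultOsUser(
                Set.of("https://database.windows.net//.default"));
        // Log only the identity, never the token itself.
        System.out.println("Signed in as " + result.account().username());
    }
}
```

A silent failure is the signal that the default OS user cannot be used for this app; the caller should then fall back to an interactive flow rather than retrying silently.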

Is it possible to use WAM directly with Microsoft Active Directory Federation Services (AD FS)? Or does it need an Azure/Entra Enterprise Application?

JBodkin-Amphora avatar Feb 23 '24 14:02 JBodkin-Amphora

@JBodkin-Amphora - no, you cannot use WAM through MSAL for this purpose. Only if the ADFS is federated through AAD.

bgavrilMS avatar Feb 23 '24 15:02 bgavrilMS

hi @Avery-Dunn

I am looking into updating the Microsoft JDBC driver to use this.

The tests in the test folder still use a user and call getDefaultUser() from LabUserProvider to get the default OS user. The only example from the docs I found is in .NET, where there is a FirstOrDefault() API to get the default OS user. I don't see this API in the PublicClientApplication class here. How can this be done in Java?

lilgreenbird avatar Aug 23 '24 02:08 lilgreenbird

@lilgreenbird : That getDefaultUser() is only for testing; it is used to get some default user from our internal test environment. It has nothing to do with the default OS user that WAM can use, and is not part of the actual MSAL API.

To use the default OS user check out my comment above: https://github.com/AzureAD/microsoft-authentication-library-for-java/issues/299#issuecomment-1836861531

Use the msal4j-brokers package to get the broker that uses WAM, and if you set up your public client app with the broker, then a silent call will attempt to use the default OS user.

Avery-Dunn avatar Aug 23 '24 18:08 Avery-Dunn