MATLAB: How to obtain Azure AD tokens in MATLAB R2020b

MATLAB

I want to interact with services hosted on my company's Microsoft Azure environment. These services requires me to include an Azure AD token in the header when calling a RESTful service or I need to use the Azure AD token as the password when for example connecting to a MySQL or PostrgreSQL database. I can obtain these tokens through the Azure console (i.e. use "az login" followed by "az account get-access-token …") and once I have the token and paste it into MATLAB I can then indeed also successfully interact with the services which I want to work with from MATLAB (through functions like "webwrite", "database", etc.). My question is now though whether these tokens can be obtained inside MATLAB directly?

Best Answer

It is indeed possible to obtain these tokens inside MATLAB directly, depending on your exact use-case this may still involve pop-ups though in which you still do need to interactively login to your Azure account or in some cases the flow can be entirely non-interactively.

Prerequisites on the Azure end

For this to work, first of all you need an App registration in your Azure directory; you may already have one for the service which you want to interact with and you can then reuse this or you can register a new App specifically for MATLAB and grant it the correct API Permissions to interact with the actual Azure service(s) you want to interact with. Further, you now need to decide whether you want/can interact with your service on behalf of a specific user (which requires at least one interactive sign-in) or on behalf of the application itself (which can be entirely silently). In either case make sure your App is configured to support "Mobile and desktop applications" Authentication and:

1. If you will be acting on behalf of specific users make sure you add/enable the following Redirect URI:

https://login.microsoftonline.com/common/oauth2/nativeclient

2. If you will be interacting on behalf of the application itself, create a "Client secret" for MATLAB and note it down.

Obtaining the token in MATLAB

We will again be differentiating between obtaining a token for a user or for the application.

User Token

Obtaining a token for a user involves an interactive authentication flow in which you may need to interactively login in a browser window. And the easiest ways to complete this authentication flow is to make use of one of the MSAL libraries provided by Microsoft. We show two options here .NET based MSAL.NET and Java based MSAL4J.

.NET Based MSAL.NET (in MATLAB only supported on Windows)

1. First of all you will need the actual MSAL.NET libraries. You can download the latest NuGet package using the "Download package" link on the right on:

https://www.nuget.org/packages/Microsoft.Identity.Client

You can extract the downloaded package as a ZIP-file and then inside the "lib\net45" directory you should find "Microsoft.Identity.Client.dll" which should be compatible with MATLAB. Copy it somewhere where you can easily access it from MATLAB.

2. Load the downloaded Assembly in MATLAB using NET.addAssembly, this requires a full path to the Assembly, for example:

NET.addAssembly('c:\full\path\to\Microsoft.Identity.Client.dll')

Or if the Assembly is inside your current working directory inside MATLAB you can for example use:

NET.addAssembly(fullfile(pwd,'Microsoft.Identity.Client.dll'))

3. Now you can use this Assembly to create a PublicClientApplicationBuilder:

%% Fill in your Azure AD Tenant ID and the App ID of the App you

% created/work with for MATLAB

tenantId = '';
appId = '';
%% Then create an PublicClientApplicationBuilder

app = Microsoft.Identity.Client.PublicClientApplicationBuilder.Create(appId)...
    .WithAuthority(Microsoft.Identity.Client.AzureCloudInstance.AzurePublic,tenantId)...
    .WithRedirectUri('https://login.microsoftonline.com/common/oauth2/nativeclient')...
    .Build();

4. Then you will need to define which scopes you want to request access for. Which scopes you will need to request access for depends on the services you want to interact with, consult the Azure documentation of the services you want to work with to learn more:

% Start with creating a list of Scopes

scopes = NET.createGeneric('System.Collections.Generic.List',{'System.String'});
% Add actual Scopes to them, for example

scopes.Add('https://graph.microsoft.com/.default')

5. Finally, actually show the dialog in which you can login and grant access for these scopes and obtain the returned token:

% Show the interactive dialog in which the user can login
tokenAcquirer = app.AcquireTokenInteractive(scopes);
result = tokenAcquirer.ExecuteAsync;
% Retrieve the returned token

token = char(result.Result.AccessToken);

You should now have the token you need in order to be able to interact with Azure services on behalf of the user who logged in in the interactive dialog.

Java Based MSAL4J (supported on all MATLAB platforms)

1. First of all you will need the MSAL4J libraries (and its dependencies). It does not appear that there is a direct download available of a package including all dependencies. Microsoft provides a Maven package though. See the following related article which shows how you can download a Maven package including all its dependencies for easy usage inside MATLAB:

https://www.mathworks.com/matlabcentral/answers/713843-can-i-load-java-classes-into-matlab-r2020b-using-maven

2. Once you have obtained your self-contained JAR-file, add it to your static Java classpath in MATLAB. I.e. open javaclasspath.txt in your MATLAB preferences directory in the MATLAB Editor using:

edit(fullfile(prefdir,'javaclasspath.txt'))

Then add a line:

c:\full\path\to\your\msal4j-X.Y.Z-jar-with-dependencies.jar

Save the file and then restart MATLAB.

3. Now you can use the package to create a PublicClientApplicationBuilder:

%% Fill in your Azure AD Tenant ID and the App ID of the App you
% created/work with for MATLAB
tenantId = '';
appId = '';
%% Then create an PublicClientApplicationBuilder
app = com.microsoft.aad.msal4j.PublicClientApplication.builder(appId)...
  .authority(['https://login.microsoftonline.com/' tenantId])...
  .build();

% Create an empty set

scopes = java.util.HashSet;
% Add the desired scopes to it one-by-one

scopes.add('https://graph.microsoft.com/.default');

5. Finally, actually show the system web browser in which you can login and grant access for these scopes and obtain the returned token:

params = com.microsoft.aad.msal4j.InteractiveRequestParameters.builder(java.net.URI('http://localhost'))...
    .scopes(scopes).build();
tokenAcquirer = app.acquireToken(params);
result = tokenAcquirer.join;
token = char(result.accessToken);

You should now have the token you need in order to be able to interact with Azure services on behalf of the user who logged in in the web browser.

Application Token

For this approach we present three options, a simple RESTful call can suffice here to obtain the token which can easily be performed with MATLAB's "webwrite" function without any further dependencies on external libraries, but we also show the MSAL.NET and MSAL4J approaches.

RESTful approach (available in MATLAB on all supported platforms without any third-party libraries)

This really just needs one relatively simple call to "webwrite":

%% Fill in your Azure AD Tenant ID, the App ID and Client Secret


tenantId = '';
appId = '';
clientSecret = '';
%% Perform request using webwrite
response = webwrite(['https://login.microsoftonline.com/' tenantId '/oauth2/v2.0/token'],...
    'client_id',appId,...
    'client_secret',clientSecret,...
    'scope','https://graph.microsoft.com/.default',...
    'grant_type','client_credentials');
token = response.access_token;

Where you may only have to change the scope which you want to request access to.

.NET Based MSAL.NET (in MATLAB only supported on Windows)

1-2. The first two steps are exactly the same as for the User Based MSAL.NET approach, see above.

3. Now you can use this Assembly to create a PublicClientApplicationBuilder WithClientSecret:

%% Fill in your Azure AD Tenant ID, the App ID and Client Secret
tenantId = '';
appId = '';
clientSecret = '';
%% Then create an PublicClientApplicationBuilder - WithClientSecret
app = Microsoft.Identity.Client.ConfidentialClientApplicationBuilder.Create(appId)...
    .WithAuthority(Microsoft.Identity.Client.AzureCloudInstance.AzurePublic,tenantId)...
    .WithClientSecret(clientSecret)...
    .Build();

4. Defining the lists of scopes is the same again as in the User based approach:

% Start with creating a list of Scopes
scopes = NET.createGeneric('System.Collections.Generic.List',{'System.String'});
% Add actual Scopes to them, for example
scopes.Add('https://graph.microsoft.com/.default')

5. Obtain the token using a non-interactive call:

% Obtain the token, this worfklow is entirely non-interactive
tokenAcquirer = app.AcquireTokenForClient(scopes);
result = tokenAcquirer.ExecuteAsync;
% Retrieve the returned token
token = char(result.Result.AccessToken);

You should now have the token which allows you to interact with your services on behalf of the application.

Java Based MSAL4J (supported on all MATLAB platforms)

1-2. The first two steps are exactly the same as for the User based MSAL4J approach, see above.

3. Now you can use the package to create a ConfidentialClientApplication:

%% Fill in your Azure AD Tenant ID, the App ID and Client Secret
tenantId = '';
appId = '';
clientSecret = '';
%% Create the ConfidentialClientApplication
clientCred = com.microsoft.aad.msal4j.ClientCredentialFactory.createFromSecret(clientSecret);
app = com.microsoft.aad.msal4j.ConfidentialClientApplication.builder(appId,clientCred)...
  .authority(['https://login.microsoftonline.com/' tenantId])...
  .build();

4. Defining the scopes is exactly the same as in the User approach:

% Create an empty set
scopes = java.util.HashSet;
% Add the desired scopes to it one-by-one
scopes.add('https://graph.microsoft.com/.default');

5. Now actually obtain the token using a completely non-interactive flow:

params = com.microsoft.aad.msal4j.ClientCredentialParameters.builder(scopes).build;
tokenAcquirer = app.acquireToken(params);
result = tokenAcquirer.join;
token = char(result.accessToken);

You should now have a token which allows you to interact with your Azure services on behalf of the application.

Related Solutions

MATLAB: How to form a oauth2 password-grant request using webwrite [grant_type = “password” ]

I would look into the link below which forms an oauth2 for google api:

https://www.mathworks.com/matlabcentral/answers/264403-how-can-i-access-an-api-which-requires-oauth-2-0-authorization-such-as-google-apis

The above link shows how the request is formed to construct a weboptions object.

MATLAB: How to integrate MATLAB Production Server with an Oracle Database

Introduction

Through the MPS Java client classes and the server-side Java capabilities of Oracle it is definitely possible to call MPS from such a TRIGGER. A practical step-by-step example is shown below but before you follow these steps you my want to learn more about these two interfaces at:

https://www.mathworks.com/help/mps/java-client-programming.html

https://docs.oracle.com/cd/B28359_01/java.111/b31225/chone.htm

Step-by-step Example

In this example we will deploy a simple MATLAB function which multiplies its input by two to a MPS. We will then configure an Oracle Server in such a way that whenever data is inserted into |MYTABLE1| a TRIGGER is executed which will call this MPS function to compute the doubled value of the inserted data and which will insert the result into |MYTABLE2|.

MATLAB

Use the "Production Server Compiler App" to compile the following MATLAB function:

function y = timestwo(x)
    y = 2 * x;

Into an CTF-archive called OracleExample.ctf.

MPS

Create a new server instance using |mps-new| and make sure the configuration is correct with regards to the MCR location. The rest of this guide assumes all other configuration options were left at their default options meaning that port 9910 is used. Further we will assume that the MPS server and the Oracle Server are located on the same machine so we can work with |localhost| as MPS hostname. Then start the instance using |mps-start|. Now copy |OracleExample.ctf| into its |auto_deploy| directory.

Java

To verify that the MPS server is running correctly, implement the following Java class in a file named |MPSClient.java|:

import com.mathworks.mps.client.MATLABException;
import com.mathworks.mps.client.MWClient;
import com.mathworks.mps.client.MWHttpClient;
 
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
 
public class MPSClient {
    /**
     * Interface for the OracleExample CTF archive
     */
    public interface IOracleExample {
        public double timestwo(double x) throws IOException, MATLABException;
    }
 
    /**
     * Main method to allow testing the server from a standalone Java Application.
     * @param args
     */
    public static void main(String[] args) {
        System.out.println(doTimesTwo(3.14));
    }
 
    /**
     * Method which actually calls the MPS Server.
     * @param x the input to be multiplied by two.
     * @return the result.
     */
    public static double doTimesTwo(double x) {
        MWClient client = new MWHttpClient();
        try {
            // Create a proxy object
            IOracleExample obj = client.createProxy(
                    new URL("http://localhost:9910/OracleExample"),
                    IOracleExample.class);
            // Call the timestwo function on the server
            return obj.timestwo(x);
        } catch (MalformedURLException e) {
            e.printStackTrace();
        } catch (MATLABException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
        return 0;
    }
}

Copy |mps_client.jar| into the same directory as this |MPSClient.java|. Then compile the application using:

javac -classpath mps_client.jar MPSClient.java

And run it using:

java -classpath .;mps_client.jar MPSClient

Which should produce the output:

6.28

Oracle Server

We can use this same Java class on the Oracle Server. Before we can do that however we need to make sure that |mps_client.jar| is loaded in the server. This can be done with the |loadjava| commandline tool which is shipped with Oracle server:

loadjava mps_client.jar -user system/myPassword@myDatabase

(Where you need to replace myPassword

and myDatabase with your actual password and database name.)

Once this has been loaded the custom class can be loaded into the database:

loadjava MPSClient.java -user system/myPassword@myDatabase

Then to make the class callable from SQL commands you will need to define a so called call specification. This is done through the following SQL command:

CREATE OR REPLACE FUNCTION MPSFUNCTION (X IN NUMBER) RETURN NUMBER AS LANGUAGE JAVA NAME 'MPSClient.doTimesTwo(double) return double';

Further the user which is going to execute this function will need to have permissions to access external hosts. In this example we assume that the SYSTEM

user will run the function and that the MPS server is localhost:9910 so we can run the following SQL command to grant the necessary permission:

BEGIN dbms_java.grant_permission( 'SYSTEM', 'SYS:java.net.SocketPermission', 'localhost:9910','connect,resolve' ); END;

With the following SQL commands we can create two new tables MYTABLE1

and MYTABLE2

both with a single column col1 which contains numeric data:

CREATE TABLE "SYSTEM"."MYTABLE1" ("COL1" NUMBER);
CREATE TABLE "SYSTEM"."MYTABLE2" ("COL1" NUMBER);

Now we can create a trigger on MYTABLE1

such that whenever data gets inserted into it, we call the timestwo

function on the MPS server and store the result in MYTABLE2:

CREATE OR REPLACE TRIGGER MPSTRIGGER AFTER INSERT ON MYTABLE1 FOR EACH ROW BEGIN INSERT INTO MYTABLE2 (col1) VALUES (MPSFUNCTION(:new.col1)); END;

If everything is working correctly, when we now insert data into MYTABLE1:

INSERT INTO TABLE MYTABLE1 (col1) VALUES(21)

We should automatically see the doubled values appearing in MYTABLE2:

SELECT * FROM MYTABLE2

Which should show the value |42| in |col1| of |MYTABLE2|.

Attachments

The code used in this example is attached below. This attachment also contains a MATLAB-file RunExample.m which uses Database Toolbox to connect to the Oracle Database and which can automatically perform all the SQL queries given above and if MATLAB is installed on the same machine as the Oracle Server load the JAR-files into the server. Note that you will need to update this script with the correct usernames, passwords and database names and hostnames. Also it assumes that the Oracle JDBC-driver has already been loaded.

Best Answer

.NET Based MSAL.NET (in MATLAB only supported on Windows)

Java Based MSAL4J (supported on all MATLAB platforms)

RESTful approach (available in MATLAB on all supported platforms without any third-party libraries)

.NET Based MSAL.NET (in MATLAB only supported on Windows)

Java Based MSAL4J (supported on all MATLAB platforms)

Related Solutions

MATLAB: How to form a oauth2 password-grant request using webwrite [grant_type = “password” ]

MATLAB: How to integrate MATLAB Production Server with an Oracle Database

Related Question