通过Azure函数对Azure AD中的用户进行身份验证(验证用户名和密码) [英] Authenticate User In Azure AD (validate username & password) via Azure Functions
问题描述
是否可以创建一个将用户名和密码作为输入参数的Azure函数,并且该函数应根据Azure AD验证用户.
Is it possible to create an Azure Function which will take username and password as input parameters and function should validate user against Azure AD.
推荐答案
首先,重要的是要提到将Azure AD用户的用户名和密码收集为应用程序的一部分(Azure函数或Web应用程序是您正在使用的任何其他应用程序)开发)非常不利于最佳做法,并带来了多种攻击风险.因此,即使您可以使用变通办法来实现它,也请从安全角度重新考虑您的要求.
Firstly, it's important to mention that collecting username and password for an Azure AD user as part of your application (Azure function or web app any other application you're developing) is very much against the best practices and opens up multiple attack risks. So even though you may be able to use workarounds to achieve it, please do reconsider the requirement that you have from a security standpoint.
解决方法-ROPC-资源所有者密码凭证授予(不建议,多次发行)
Azure AD不提供直接API来验证用户凭据.作为一种解决方法(也是一种不好的方法),您可以使用资源所有者密码凭据(ROPC)流,该流程与用户名和密码一起使用以获取令牌.
Azure AD does not provide a direct API to validate user credentials. As a workaround (and a bad one at that), you can use Resource Owner Password Credentials (ROPC) flow which works with username and password to acquire a token.
它违反了安全性最佳做法,也不适用于MFA和联合身份验证用户.不建议使用此赠款,因为它会带来潜在的攻击风险,因此不建议使用.
It violates security best practices and also does not work with MFA and federated authentication users. Using this grant is highly discouraged as it brings potential attack risks, so not recommended.
如果用户名或密码不正确,您将得到一个例外,否则,您将获得一个有效的令牌,这表示凭据是好的.
If either username or password is incorrect, you will get an exception, otherwise you get back a valid token which means credentials are good.
这里有几个链接,涵盖了ROPC的详细信息(并建议不要同时使用它..):
Here are a couple of links that cover details on ROPC (and recommend not using it at the same time..):
- ADAL.NET library documentation on acquiring tokens with username and password
- Resource Owner Password Credentials Grant in Azure AD OAuth
例如,对于本机应用程序,代码看起来像这样.
For example, code would look like this for a native application.
result = await context.AcquireTokenAsync(resource, clientId, new UserPasswordCredential("john@contoso.com", johnsPassword));
其他参考
- 此处是一篇较旧的文章,但仍然非常详细.并查看最后的一长串限制.
- Here is an old article but still very detailed. And look at the long list of limitations at the end.
这篇关于通过Azure函数对Azure AD中的用户进行身份验证(验证用户名和密码)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
