Azure是否提供任何以编程方式登录,重置密码或设备身份验证(例如AWS Cognito)的功能? [英] Does Azure provide any capability to programmatically login, reset password or device authenticate like AWS Cognito?
问题描述
我有一个Web应用程序,该应用程序在Azure AD中具有一组用户,我想通过用户名/密码针对该应用程序进行身份验证,但使用自己的样式化登录屏幕自定义解决方案,并进行类似于AWS Cognito的设备身份验证OTP/MFA.
I have a web app that has a group of users in Azure AD and I'd like to authenticate against that via username/password but customize the solution with my own styled login screen and have device authentication similar to how AWS Cognito has the OTP/MFA.
我寻求的用户流:
- 用户访问了我的网站
- 我提供了自己的登录表格
- 理论上说,表单将使用AWS Cognito提供的相同功能,以编程方式登录而无需Microsoft流或重定向
- 无论是使用Azure功能/API还是我自己的API,我都会对MFA进行设备身份验证
因此,请查看提供的流程列表:
So, looking at the list of flows provided:
我可以使用哪些流程来完成所需的工作?
What are the possible flows that I can use to accomplish what I need?
-
用户名/密码"password"只有在禁用MFA的情况下,grant才有效,因此我可以设想的一种情况是可以将其与我自己的执行MFA的代码结合在一起(并可能使用MS Authenticator).似乎也无法重置密码.
The username/password "password" grant only works if MFA is disabled, so one scenario I can envision is possible combining this with my own code that does MFA (and possibly using MS Authenticator). It also doesn't seemingly work for resetting passwords.
交互式流程是标准流程,它将显示默认的MS页面以及MFA,但它不可自定义
The interactive flow is the standard flow and would show the default MS page along with MFA but it wouldn't be customizeable
自定义流程或设备代码流程是否可能,并且仅限于B2C租户吗?
Would a custom flow be possible, or a device code flow and would this be limited to just a B2C tenant?
是否可以将Azure AD设置为联合身份并使用Cognito的方法来执行此操作?我认为不是因为身份验证需要针对原始身份提供者,并且似乎只能相反(身份验证用户可以访问Azure).
Is it possible to setup Azure AD as a federated identity and hook into Cognito's methods to do this? I assume not because authentication needs to be against the original identity provider and it seems like it can only work the reverse (a cognito user gets access to Azure).
似乎唯一可能的解决方案是将Azure的ROPC与用户名/密码密码授予API终结点结合使用,并结合我自己的设备身份验证,但这并不能解决密码重置问题,而且似乎也无法提供任何api设备身份验证方法?
It seems like the only possible solution would be using Azure's ROPC with a username/password password grant API endpoint combined with my own device authentication, but this wouldn't account for password resetting nor does it seemingly provide any api device auth methods?
预先感谢
推荐答案
Azure AD(非B2C)中的自定义登录页面目前仅限于品牌更新.但这仅在高级级别可用.
Customizing login page in Azure AD (not B2C) is currently limited to Branding update. But that is available only in Premium tier.
您可以在此处投票.
另一个选项是资源所有者密码凭据与您自己的页面配合使用,但Microsoft建议不要使用ROPC流.同样,MFA在ROPC中也无法使用.
Another option is Resource Owner Password Credentials with your own page but Microsoft recommends NOT to use ROPC flow. Also MFA would not work in ROPC.
当您说出用户名/密码"和密码"时,只有在启用了MFA的情况下,才能授予权限",不确定我是否可以遵循!你能解释一下吗?
When you said "The username/password "password" grant only works if MFA is enabled", not sure if I could follow that! Can you explain?
而且,自定义用户流仅限于B2C. https://docs.microsoft.com/azure/active-directory-b2c/
And, custom user flow is only limited to B2C. https://docs.microsoft.com/azure/active-directory-b2c/
这篇关于Azure是否提供任何以编程方式登录,重置密码或设备身份验证(例如AWS Cognito)的功能?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
