如何使用 OAuth 2.0 通过 Azure Active Directory 对用户进行身份验证? [英] How to authenticate user with Azure Active Directory using OAuth 2.0?
问题描述
我有一个用 C# 编写的 REST API,我需要使用现有的 Azure AD 服务进行身份验证.我目前有希望进行身份验证的用户的用户名和密码.我需要使用 Azure AD 进行身份验证并从服务器接收访问令牌.
I have a REST API written in C# and I need to authenticate with an existing Azure AD service. I currently have the username and password of the user wishing to authenticate. I need to authenticate with Azure AD and receive an access token from the server.
有人可以向我指出一些解释如何做到这一点的文章/教程的方向吗?
Can someone please point me in the direction of some articles/tutorials that explain how to do this?
推荐答案
您应该避免处理用户凭据.收集用户凭据时存在严重的安全隐患,通过使用 OAuth 2.0 或 OpenID Connect 获取令牌而不直接处理凭据可以缓解这些问题.此外,如果您有自己的凭据收集 UI,那么如果启用多因素身份验证,您将来可能会发现登录失败.在这种情况下,可能需要比您收集的更多信息来验证用户,例如一次性密码.如果您允许 Azure AD 通过 OAuth 2.0 或 OpenID Connect 呈现身份验证体验,那么您将与所采用的特定身份验证方法隔离开来.收集用户 Azure AD 凭据是一种应尽可能避免的不良做法.
You should avoid handling the users credentials. There are serious security implications when collecting a users credentials that are mitigated by using OAuth 2.0 or OpenID Connect to get a token without directly handling the credentials. Also, if you have your own credential collection UI then you may find that sign in fails in the future if multi-factor authentication is turned on. In that case, more information may be necessary to authenticate the user than you are collecting, a one time password for instance. If you allow Azure AD to present the authentication experience via OAuth 2.0 or OpenID Connect, then you are insulated from the specific authentication method being employed. Collecting the users Azure AD credentials is a bad practice to be avoided if at all possible.
我没有关于确切场景的足够详细信息,无法确信以下示例适用,但它至少会提供一个很好的起点.此示例展示了如何创建调用 REST API 的本机应用程序,然后该 API 可以以最安全的方式调用 Azure 资源.
I don't have enough detail on the exact scenario to be confident that the following sample applies, but it will at least provide a good starting point. This sample shows how to create a native app that calls a REST API that can then call an Azure resource in the safest way possible.
https://github.com/AzureADSamples/WebAPI-OnBehalfOf-DotNet
您可以在此处找到许多其他示例,这些示例可用于为您的特定场景构建解决方案.
You can find lots of other samples here that can be used to construct a solution for your particular scenario.
https://github.com/AzureADSamples
如果您提供更多详细信息,我可以提供更具体的指导.
If you provide some more detail I can give more specific guidance.
这篇关于如何使用 OAuth 2.0 通过 Azure Active Directory 对用户进行身份验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
