问题描述
是否可以创建一个 Azure 函数,它将用户名和密码作为输入参数,并且函数应该针对 Azure AD 验证用户.
Is it possible to create an Azure Function which will take username and password as input parameters and function should validate user against Azure AD.
推荐答案
首先,重要的是要提到收集 Azure AD 用户的用户名和密码作为应用程序(Azure 函数或 Web 应用程序)的一部分,你是开发)非常违反最佳实践,并带来多种攻击风险.因此,即使您可以使用变通方法来实现它,请务必从安全角度重新考虑您的要求.
Firstly, it's important to mention that collecting username and password for an Azure AD user as part of your application (Azure function or web app any other application you're developing) is very much against the best practices and opens up multiple attack risks. So even though you may be able to use workarounds to achieve it, please do reconsider the requirement that you have from a security standpoint.
解决方法 - ROPC - 资源所有者密码凭据授予(不推荐,多个问题)
Azure AD 不提供直接 API 来验证用户凭据.作为一种解决方法(也是一个不好的解决方法),您可以使用 Resource Owner Password Credentials (ROPC) flow,它与用户名和密码一起使用来获取令牌.
Azure AD does not provide a direct API to validate user credentials. As a workaround (and a bad one at that), you can use Resource Owner Password Credentials (ROPC) flow which works with username and password to acquire a token.
它违反了安全最佳实践,也不适用于 MFA 和联合身份验证用户.强烈建议不要使用此授权,因为它会带来潜在的攻击风险,因此不推荐.
It violates security best practices and also does not work with MFA and federated authentication users. Using this grant is highly discouraged as it brings potential attack risks, so not recommended.
如果用户名或密码不正确,你会得到一个异常,否则你会得到一个有效的令牌,这意味着凭据是好的.
If either username or password is incorrect, you will get an exception, otherwise you get back a valid token which means credentials are good.
这里有几个链接,其中包含有关 ROPC 的详细信息(建议不要同时使用它..):
Here are a couple of links that cover details on ROPC (and recommend not using it at the same time..):
- ADAL.NET 库文档关于使用用户名和密码获取令牌
- Azure AD OAuth 中的资源所有者密码凭据授予
例如,本机应用程序的代码如下所示.
For example, code would look like this for a native application.
result = await context.AcquireTokenAsync(resource, clientId, new UserPasswordCredential("john@contoso.com", johnsPassword));
其他参考资料
- 这里 是一篇旧文章,但仍然非常详细.看看最后的一长串限制.
- Here is an old article but still very detailed. And look at the long list of limitations at the end.
这篇关于通过 Azure Functions 在 Azure AD 中验证用户(验证用户名和密码)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!