Azure AD AcquireToken 不适用于应用密码

Azure AD AcquireToken does not work with app password(Azure AD AcquireToken 不适用于应用密码)
本文介绍了Azure AD AcquireToken 不适用于应用密码的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

问题描述

我正在尝试使用 .NET ADAL 库验证 Azure AD 中的用户密码.这适用于没有 MFA 的普通用户帐户,但我遇到了为已激活 MFA 的用户执行此操作的问题.

I'm trying to verify a user's password in Azure AD using the .NET ADAL library. This works fine for a regular user account without MFA, but I ran into problems doing this for a user who has MFA activated.

当使用用户的实际密码时,我得到了 AADSTS50076: Application password is required.,这很公平,但是当我创建一个新的应用程序密码时,我收到了错误 AADSTS70002: 验证凭据时出错.AADSTS50020:用户名或密码无效.我已经创建了多个应用密码,但它们都不起作用.

When using the user's actual password, I got AADSTS50076: Application password is required., which is fair enough, but when I then created a new app password, I received the error AADSTS70002: Error validating credentials. AADSTS50020: Invalid username or password. I've created multiple app passwords but they all do not work.

用于尝试验证的代码如下:

The code used to attempt authentication is as follows:

var ac = new AuthenticationContext("https://login.windows.net/my-tenant.com");
var authResult = ac.AcquireToken("https://graph.windows.net", "my-client-id", new UserCredential("my.account@my-tenant.com", "my-password"));

尝试进行身份验证的用户是此 AD 中的全局管理员.

The user that is trying to authenticate is a Global Admin in this AD.

是否甚至可以为具有 MFA 的用户进行这样的身份验证?

Is it even possible to do authentication like this for a user with MFA?

推荐答案

所以,为了回答我自己的问题,我采取了以下措施(为简洁起见):

So, to answer my own question somewhat, I resorted to doing the following (cleaned up for brevity):

public class AzureAdAuthenticationProvider
{
    private const string AppPasswordRequiredErrorCode = "50076";
    private const string AuthorityFormatString = "https://login.windows.net/{0}";
    private const string GraphResource = "https://graph.windows.net";

    private AuthenticationContext _authContext;
    private string _clientId;

    public AzureAdAuthenticationProvider()
    {
        var tenantId = "..."; // Get from configuration

        _authContext = new AuthenticationContext(string.Format(AuthorityFormatString, tenantId));
    }

    public bool Authenticate(string user, string pass)
    {
        try
        {
            _authContext.AcquireToken(GraphResource, _clientId, new UserCredential(user, pass));

            return true;
        }
        catch (AdalServiceException ase)
        {
            return ase.ServiceErrorCodes.All(sec => sec == AppPasswordRequiredErrorCode);
        }
        catch (Exception)
        {
            return false; // Probably needs proper handling
        }
    }
}

它不漂亮,但它可以完成工作.

It's not pretty, but it does the job.

通过使用ServiceErrorCodes.All(),我保证只有当一个AppPasswordRequired错误发生时,认证成功.

By using ServiceErrorCodes.All(), I ensure that only when a single AppPasswordRequired error occurs, authentication has succeeded.

此方法的唯一缺点是启用 MFA 的用户必须使用其实际帐户密码才能登录.似乎不支持使用应用密码.

The only disadvantage to this method, is that a user with MFA enabled has to use their actual account password to login. Using an app password does not seem to be supported.

这篇关于Azure AD AcquireToken 不适用于应用密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

本站部分内容来源互联网,如果有图片或者内容侵犯了您的权益,请联系我们,我们会在确认后第一时间进行删除!

相关文档推荐

How to MOQ an Indexed property(如何最小起订量索引属性)
Mocking generic methods in Moq without specifying T(在 Moq 中模拟泛型方法而不指定 T)
How Moles Isolation framework is implemented?(Moles Isolation 框架是如何实现的?)
Difference between Dependency Injection and Mocking Framework (Ninject vs RhinoMocks or Moq)(依赖注入和模拟框架之间的区别(Ninject vs RhinoMocks 或 Moq))
How to mock Controller.User using moq(如何使用 moq 模拟 Controller.User)
How do I mock a class without an interface?(如何模拟没有接口的类?)