Problem description
Is it possible to create an Azure Function which will take a username and password as input parameters and validate the user against Azure AD?
Recommended answer
Firstly, it's important to mention that collecting the username and password of an Azure AD user as part of your application (Azure Function, web app or any other application you're developing) is very much against best practices and opens up multiple attack risks. So even though you may be able to use workarounds to achieve it, please do reconsider the requirement that you have from a security standpoint.
Workaround - ROPC - Resource Owner Password Credentials Grant (not recommended, multiple issues)
Azure AD does not provide a direct API to validate user credentials. As a workaround (and a bad one at that), you can use Resource Owner Password Credentials (ROPC) flow which works with username and password to acquire a token.
It violates security best practices and also does not work with MFA and federated authentication users. Using this grant is highly discouraged as it brings potential attack risks, so not recommended.
If either username or password is incorrect, you will get an exception, otherwise you get back a valid token which means credentials are good.
Here are a couple of links that cover details on ROPC (and recommend not using it at the same time..):
- ADAL.NET library documentation on acquiring tokens with username and password
- Resource Owner Password Credentials Grant in Azure AD OAuth
For example, code would look like this for a native application.
result = await context.AcquireTokenAsync(resource, clientId, new UserPasswordCredential("john@contoso.com", johnsPassword));
Other references
- Here is an old article but still very detailed. And look at the long list of limitations at the end.