問題描述

是否可以創(chuàng)建一個(gè) Azure 函數(shù)，它將用戶名和密碼作為輸入?yún)?shù)，并且函數(shù)應(yīng)該針對(duì) Azure AD 驗(yàn)證用戶.

Is it possible to create an Azure Function which will take username and password as input parameters and function should validate user against Azure AD.

推薦答案

首先，重要的是要提到收集 Azure AD 用戶的用戶名和密碼作為應(yīng)用程序(Azure 函數(shù)或 Web 應(yīng)用程序)的一部分，你是開發(fā))非常違反最佳實(shí)踐，并帶來(lái)多種攻擊風(fēng)險(xiǎn).因此，即使您可以使用變通方法來(lái)實(shí)現(xiàn)它，請(qǐng)務(wù)必從安全角度重新考慮您的要求.

Firstly, it's important to mention that collecting username and password for an Azure AD user as part of your application (Azure function or web app any other application you're developing) is very much against the best practices and opens up multiple attack risks. So even though you may be able to use workarounds to achieve it, please do reconsider the requirement that you have from a security standpoint.

解決方法 - ROPC - 資源所有者密碼憑據(jù)授予(不推薦，多個(gè)問題)

Azure AD 不提供直接 API 來(lái)驗(yàn)證用戶憑據(jù).作為一種解決方法(也是一個(gè)不好的解決方法)，您可以使用 Resource Owner Password Credentials (ROPC) flow，它與用戶名和密碼一起使用來(lái)獲取令牌.

Azure AD does not provide a direct API to validate user credentials. As a workaround (and a bad one at that), you can use Resource Owner Password Credentials (ROPC) flow which works with username and password to acquire a token.

它違反了安全最佳實(shí)踐，也不適用于 MFA 和聯(lián)合身份驗(yàn)證用戶.強(qiáng)烈建議不要使用此授權(quán)，因?yàn)樗鼤?huì)帶來(lái)潛在的攻擊風(fēng)險(xiǎn)，因此不推薦.

It violates security best practices and also does not work with MFA and federated authentication users. Using this grant is highly discouraged as it brings potential attack risks, so not recommended.

如果用戶名或密碼不正確，你會(huì)得到一個(gè)異常，否則你會(huì)得到一個(gè)有效的令牌，這意味著憑據(jù)是好的.

If either username or password is incorrect, you will get an exception, otherwise you get back a valid token which means credentials are good.

這里有幾個(gè)鏈接，其中包含有關(guān) ROPC 的詳細(xì)信息(建議不要同時(shí)使用它..):

Here are a couple of links that cover details on ROPC (and recommend not using it at the same time..):

• ADAL.NET 庫(kù)文檔關(guān)于使用用戶名和密碼獲取令牌
• Azure AD OAuth 中的資源所有者密碼憑據(jù)授予

例如，本機(jī)應(yīng)用程序的代碼如下所示.

For example, code would look like this for a native application.

result = await context.AcquireTokenAsync(resource, clientId, new UserPasswordCredential("john@contoso.com", johnsPassword));

其他參考資料

• 這里 是一篇舊文章，但仍然非常詳細(xì).看看最后的一長(zhǎng)串限制.

• Here is an old article but still very detailed. And look at the long list of limitations at the end.

這篇關(guān)于通過 Azure Functions 在 Azure AD 中驗(yàn)證用戶(驗(yàn)證用戶名和密碼)的文章就介紹到這了，希望我們推薦的答案對(duì)大家有所幫助，也希望大家多多支持html5模板網(wǎng)！