Authenticate User In Azure AD (validate username & password) via Azure Functions

后端 未结 1 411
一向
一向 2021-01-24 16:36

Is it possible to create an Azure Function which will take username and password as input parameters and function should validate user against Azure AD.

相关标签:
1条回答
  • 2021-01-24 17:08

    Firstly, it's important to mention that collecting username and password for an Azure AD user as part of your application (Azure function or web app any other application you're developing) is very much against the best practices and opens up multiple attack risks. So even though you may be able to use workarounds to achieve it, please do reconsider the requirement that you have from a security standpoint.

    Workaround - ROPC - Resource Owner Password Credentials Grant (Not recommended, multiple issues)

    Azure AD does not provide a direct API to validate user credentials. As a workaround (and a bad one at that), you can use Resource Owner Password Credentials (ROPC) flow which works with username and password to acquire a token.

    It violates security best practices and also does not work with MFA and federated authentication users. Using this grant is highly discouraged as it brings potential attack risks, so not recommended.

    If either username or password is incorrect, you will get an exception, otherwise you get back a valid token which means credentials are good.

    Here are a couple of links that cover details on ROPC (and recommend not using it at the same time..):

    • ADAL.NET library documentation on acquiring tokens with username and password
    • Resource Owner Password Credentials Grant in Azure AD OAuth

    For example, code would look like this for a native application.

    result = await context.AcquireTokenAsync(resource, clientId, new UserPasswordCredential("john@contoso.com", johnsPassword));
    

    Other references

    • Here is an old article but still very detailed. And look at the long list of limitations at the end.
    0 讨论(0)
提交回复
热议问题