Does Azure AD provide an API method to validate a

2019-08-16 23:33发布

问题:

I want to validate Azure AD users through both a web app and a native mobile app, though Azure AD isn't the only IdP that I'm using.

I've read the OAuth2 article but I'm having trouble tracking down an API method to validate against a user. One answer notes you can pass username and password parameters when you fetch the token, but it doesn't seem to validate against that.

There's an example of DotNet solution but I'm not familiar with .NET - tried running it and ran into a System.TypeLoad Exception (Could not load type of field 'Microsoft.Owin.Security.ActiveDirectory.WsFedMetadataRetriever:CS$<>9__CachedAnonymousMethodDelegate5')

I've previously tried to setup a SimpleSAML solution but the downside is that for native apps it requires extra work and may not be suitable.

回答1:

I recommend you redirect the users to the Azure AD login page.

You technically can try to validate the user by using the Resource Owner Password Credentials grant. But it will not work always.

This involves you making a POST request to the OAuth token endpoint with form data similar to this:

grant_type=password&username=user@example.com&password=Password&client_id=your-client-id&client_secret=your-client-secret&resource=resource-you-want-the-token-for

The resource could be https://graph.windows.net since you have access to that by default. If the result is successful, then yes, the user exists and the credentials are valid.

But if it fails, it can happen because:

  • The user does not exist
  • The password is wrong
  • The user has multi-factor authentication turned on
  • The user is a federated user (from on-prem AD), and authentication must be done via ADFS

So it just simply cannot work in some cases.