Authenticate User In Azure AD (validate username &

2020-04-27 04:31发布

Is it possible to create an Azure Function which will take username and password as input parameters and function should validate user against Azure AD.

1条回答
放荡不羁爱自由
2楼-- · 2020-04-27 04:46

Firstly, it's important to mention that collecting username and password for an Azure AD user as part of your application (Azure function or web app any other application you're developing) is very much against the best practices and opens up multiple attack risks. So even though you may be able to use workarounds to achieve it, please do reconsider the requirement that you have from a security standpoint.

Workaround - ROPC - Resource Owner Password Credentials Grant (Not recommended, multiple issues)

Azure AD does not provide a direct API to validate user credentials. As a workaround (and a bad one at that), you can use Resource Owner Password Credentials (ROPC) flow which works with username and password to acquire a token.

It violates security best practices and also does not work with MFA and federated authentication users. Using this grant is highly discouraged as it brings potential attack risks, so not recommended.

If either username or password is incorrect, you will get an exception, otherwise you get back a valid token which means credentials are good.

Here are a couple of links that cover details on ROPC (and recommend not using it at the same time..):

For example, code would look like this for a native application.

result = await context.AcquireTokenAsync(resource, clientId, new UserPasswordCredential("john@contoso.com", johnsPassword));

Other references

  • Here is an old article but still very detailed. And look at the long list of limitations at the end.
查看更多
登录 后发表回答