Authentication with Azure Active Directory - How to programmatically use user credentials

Is there a way to log in through a web application or web API to Azure Active Directory (with AD credentials) using my own username and password page, which is hosted outside of Azure?

From my research, it seems that there is no programmatic way to send a username and password for user authentication using Azure AD (if you host the application outside of Azure). Not sure if they think this is a security hole (I don’t think that HTTPS is forced?).

It seems that you can only authenticate users through the authorization code grant (which means that we leave our application to enter an external site).

Ultimately, I want to create a Python API flash drive that can be authenticated immediately against Azure AD, if possible. I did this in the past (with other auth systems) with OAuth grant_type=password to send the username and password, but I don’t think it is supported in Azure AD (correct me if I am wrong?). I know that grant_type=client_credentials is supported, but it looks like that is service authentication, which is not exactly what I am after: http://msdn.microsoft.com/en-us/library/azure/dn645543.aspx

If it’s not possible to have a login page located outside of Azure, is it possible to have it inside Azure? It seems from the examples given here: http://msdn.microsoft.com/en-us/library/azure/bc8af4ff-66e7-4d5b-b3d4-c33d2c55d270#BKMK_Browser that there is no special login page with a password field (only open-input logic elements).

+5
1 answer

The resource owner password credentials grant (grant_type=password) flow is supported by Azure Active Directory. However, before using it, consider whether it is really required. As the OAuth 2.0 RFC says:

The resource owner password credentials (i.e., username and password) can be used directly as an authorization grant to obtain an access token. The credentials should only be used when there is a high degree of trust between the resource owner and the client (for example, the client is part of the device operating system or a highly privileged application), and when other authorization grant types are not available (such as an authorization code).

If you determine that the other supported flows will certainly not work for your scenario, then be sure to follow the second tip in the RFC:

Even though this grant type requires direct client access to the resource owner credentials, the resource owner credentials are used for a single request and are exchanged for an access token. This grant type can eliminate the need for the client to store the resource owner credentials for future use, by exchanging the credentials with a long-lived access token or refresh token.

(Emphasis added in both cases.)

Here's a .NET and ADAL example on GitHub that uses this flow, and it should be simple enough to implement in Python: https://github.com/AzureADSamples/NativeClient-Headless-DotNet

Edit: You can host your application anywhere; you don’t need to be on Azure. This applies to all flows.

+12
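As an added example (not code from the answer or the linked sample), a Python sketch of the flow the answer describes against the Azure AD v1 token endpoint: the password is sent exactly once and only the refresh token is kept for later renewals, as the second RFC passage advises. Tenant, client id and resource values are placeholders, and the `post` parameter is an assumed hook so the exchange can be exercised offline with a fake transport.

```python
import json
import urllib.parse
import urllib.request

# Azure AD v1 token endpoint; {tenant} is a placeholder for your directory.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token"


def _post_form(url, fields):
    """Default transport: POST a form body and return the parsed JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.loads(resp.read().decode())


def ropc_token(tenant, client_id, resource, username, password, post=_post_form):
    """Exchange the user's password once (grant_type=password) for tokens.

    Returns (access_token, refresh_token). The password is used for this
    single request; callers keep the refresh token, never the password.
    """
    fields = {
        "grant_type": "password",
        "client_id": client_id,   # placeholder: your app registration id
        "resource": resource,     # v1 endpoint: the API the token is for
        "username": username,
        "password": password,
    }
    body = post(TOKEN_ENDPOINT.format(tenant=tenant), fields)
    if "access_token" not in body:
        raise RuntimeError(body.get("error_description", "token request failed"))
    return body["access_token"], body.get("refresh_token")


def refresh_token(tenant, client_id, resource, refresh, post=_post_form):
    """Renew tokens later with grant_type=refresh_token; no password involved."""
    fields = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "resource": resource,
        "refresh_token": refresh,
    }
    body = post(TOKEN_ENDPOINT.format(tenant=tenant), fields)
    if "access_token" not in body:
        raise RuntimeError(body.get("error_description", "refresh failed"))
    # Azure AD may rotate the refresh token; fall back to the old one if not.
    return body["access_token"], body.get("refresh_token", refresh)
```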

Source: https://habr.com/ru/post/1206388/
