
Azure AD Authentication through Python Web API

I am building a Python web API where I want to use Azure AD as the authentication backend. In certain scenarios the client needs to authenticate through the API to be authorized for certain endpoints. The client itself is not able to authenticate to AD directly, so it needs to do it through the API using raw credentials (username, password). The API will then authenticate the user, receive the AD token and give it to the user.

So in short, I am looking for a way to programmatically authenticate a user using username/password and receive the token using Python.

What you are describing is the OAuth 2 Resource Owner Password Credentials Grant flow.

Note: using this one is in general a really bad idea and some other flow should be considered instead.

What you are doing here is sending a POST request containing user credentials in clear text directly to the authentication endpoint, thus bypassing all possible added security that might be put in place.

Also, it will not work when

  1. MFA is enabled for the user
  2. The user is federated or a MS account
  3. This flow has no way to handle expired passwords

Consider some other authorization flow if possible; you have, e.g.,

  • Authorization code flow
  • Implicit grant flow
  • Client credentials flow
  • Device authentication flow

See this link to help you select which flow to use.

You can find the different authentication flows relevant for an application type and topology in this Azure AD article. The article links to the protocol overview for the authentication flows if you choose to implement them.

There is also the ADAL Python auth library for Azure AD which you can use to do these flows.

Based on your scenario, you have a few options. If your client app can authenticate directly with Azure AD, you can take a look at the client credentials flow sample. If your application needs a user to authenticate and can have the user authenticate interactively, you can check out this auth code flow sample. Finally, if you must use the user's credentials to authenticate programmatically (without user interaction) in the app, you can refer to the resource owner password flow, but this is not encouraged, as mentioned in the other answer.
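Both answers point to the authorization code flow as the replacement for sending raw credentials through the API. Below is an added example (not from either answer, not ADAL or any Azure SDK code) of the two requests the API makes in that flow against the Azure AD v1 endpoints, using only the standard library; the tenant, client id, secret, redirect URI and resource are placeholder values. Because the user signs in at Azure AD itself, the API never handles the password, so MFA, federation and expired passwords are dealt with by Azure AD rather than failing silently.

```python
"""Authorization code flow against Azure AD v1 endpoints (added example).
All configuration values below are placeholders, not real identifiers."""
import secrets
import urllib.parse

AUTHORITY = "https://login.microsoftonline.com"
TENANT = "contoso.onmicrosoft.com"                  # placeholder tenant
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder app id
CLIENT_SECRET = "<client-secret-from-key-vault>"    # placeholder, server-side only
REDIRECT_URI = "https://api.example.com/auth/callback"
RESOURCE = "https://graph.microsoft.com"

def new_state() -> str:
    """Unguessable per-login value; keep it in the user's server-side session."""
    return secrets.token_urlsafe(32)

def build_authorize_url(state: str) -> str:
    """Step 1: send the browser here. The user authenticates at Azure AD,
    so the API never sees the password and MFA/federation are handled there."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "resource": RESOURCE,
        "state": state,
    }
    return f"{AUTHORITY}/{TENANT}/oauth2/authorize?" + urllib.parse.urlencode(params)

def callback_is_valid(query: str, expected_state: str) -> bool:
    """Step 2: accept the redirect back only if it carries a code and the
    state matches the stored one (guards against forged callbacks)."""
    qs = urllib.parse.parse_qs(query)
    got = qs.get("state", [""])[0]
    return bool(qs.get("code")) and secrets.compare_digest(got, expected_state)

def build_token_request(code: str) -> tuple:
    """Step 3: the form body the API POSTs (server to server) to redeem the
    code for tokens. The client secret stays on the API, never on the client."""
    form = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "resource": RESOURCE,
    }
    return f"{AUTHORITY}/{TENANT}/oauth2/token", urllib.parse.urlencode(form).encode()
```

The token request is a plain HTTPS POST of the returned body to the returned URL with `Content-Type: application/x-www-form-urlencoded`; the JSON response carries the access token the API can then hand to the client.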
