通过Azure AD ADAL的ASP.NET MVC用户身份验证

Question

I have an ASP.NET MVC application with Identity 2 authentication that is deployed as an Azure App. What I am trying to do is use Azure Active Directory Authentication within this App so that users created in the Active Directory (this AD was created within the same subscription of Azure that the App resides on) can authenticate in the App.

With standard Active Directory I would use LDAP(S) protocol for authentication with Domain Controller but in Azure AD I was told to use ADAL library since LDAP protocol is not supported(?).

I have reviewed a number of implementations of ADAL but I am not sure of the exact flow of actions that need to be performed.
From the official Github repo I reviewed the AdalDesktopTestApp project and summed up the authentication mechanism as following:

private const string ClientId = "1950a258-227b-4e31-a9cf-717495945fc2";
private const string User = ""; // can also be empty string for testing IWA and U/P
private const string Resource = "https://graph.windows.net";



static void main(string[] args) {
     var context = new AuthenticationContext("https://login.windows.net/common", true, new FileCache());
     RunAppAsync(context).Wait();
}

private static async Task RunAppAsync(AuthenticationContext context) {
    Task<AuthenticationResult> authTask = null;
    authTask = context.AcquireTokenAsync(Resource, ClientId, new UserPasswordCredential(User, Console.ReadLine()));
    await FetchTokenAsync(authTask).ConfigureAwait(false);
}

private static async Task FetchTokenAsync(Task<AuthenticationResult> authTask)
{
    await authTask.ConfigureAwait(false);

    Console.BackgroundColor = ConsoleColor.DarkGreen;
    Console.WriteLine("Token is {0}", authTask.Result.AccessToken);
    Console.ResetColor();
}

What does ClientId become in case of running this code from an Azure App?

Do the Resource variable and AuthenticationContext 's first parameter " https://login.windows.net/common " remain the same in my case? How do I specify the name of the Active Directory Domain I have created within the Azure? Is this the correct flow of actions when authenticating using user accounts that were manually created within the Azure AD?

Answer 1

Yeah LDAP is not supported. You need to use OAuth / OpenID Connect, which are made easier with ADAL or MSAL (this is newer and works with the v2 endpoint).

Client id is the id of your registered application in Azure AD. It is also referred to as application id sometimes. The Resource identifies what you want to call. The resource in the sample is the identifier for Azure AD Graph API. You'd use eg https://graph.microsoft.com for the newer Microsoft Graph API. The access token you acquire is only valid for that API. Note that MSAL / v2 does not use a resource, instead it uses scopes.

The URL with "common" is your authority. This says what accounts you want to allow to login to your app. Common allows users from any Azure AD tenant to login to your app. (your app needs to be multi-tenant then as well) If you want to support only a specific Azure AD tenant, specify it as https://login.microsoftonline.com/your-aad-tenant-id . To keep it multi-tenant, set it as https://login.microsoftonline.com/common .

You are using the less secure resource owner password credentials grant flow in the app. You should use overloads that pop up a Web browser that allows the user to login properly. In your app, users with MFA will be unable to login, for example.