将 loginWithUsernamePassword 迁移到 @azure/identity
[英]Migrate loginWithUsernamePassword to @azure/identity
问题描述
I migrate some code from @azure/ms-node-auth to @azure/identity which authenticates against Azure Active Directory (AAD) via loginWithUsernamePassword .
我将一些代码从@azure/ms-node-auth迁移到@azure/identity ,它通过loginWithUsernamePassword对 Azure Active Directory (AAD) 进行身份验证。 The migration guide points to UsernamePasswordCredential class, but it denies my request. 迁移指南指向UsernamePasswordCredential class,但它拒绝了我的请求。
// Working @azure/ms-node-auth snippet
async function getTokenLegacy(): Promise<string> {
const credentials = await msRestNodeAuth.loginWithUsernamePassword(
USERNAME,
PASSWORD, {
domain: AAD_TENANT_ID,
clientId: CUSTOM_CLIENT_ID,
tokenAudience: CUSTOM_APP_ID,
},
);
return (await credentials.getToken()).accessToken;
}
// Non-working migrated @azure/identity version
async function getTokenMigrated(): Promise<string> {
const credentials = new UsernamePasswordCredential(
AAD_TENANT_ID,
CUSTOM_CLIENT_ID,
USERNAME,
PASSWORD);
return (await credentials.getToken(CUSTOM_APP_ID)).token;
}
The following error occurs.发生以下错误。
AADSTS50126: Error validating credentials due to invalid username or password.
The user has a federated account and @azure/ms-rest-nodeauth verifies the credentials via the SAML protocol.用户有一个federated帐户, @azure/ms-rest-nodeauth通过SAML协议验证凭据。
UserRealm: VERBOSE: UserRealm response:
UserRealm: VERBOSE: AccountType: federated
UserRealm: VERBOSE: FederationProtocol: wstrust
TokenRequest: VERBOSE: Acquiring token with username password for federated user
...
WSTrustResponse: INFO: Found token of type: urn:oasis:names:tc:SAML:1.0:assertion
TokenRequest: VERBOSE: Performing OAuth assertion grant type exchange.
1 个解决方案
解决方案1
0 2022-01-04 10:54:08
Please try resetting the password, otherwise you can use the below workaround
请尝试重置密码,否则您可以使用以下解决方法As you are using federated authentication you will get redirected to the federated identity for verification.
当您使用联合身份验证时,您将被重定向到联合身份进行验证。 When you are using ropcflow by passing the username and password the redirection does not happen and gives an error ofinvalid username or password.当您通过传递用户名和密码来使用ropc流时,不会发生重定向,并给出invalid username or password的错误。
In order to make this work you need to disable federated authentication and use manage authentication from AAD site so that no redirection is required.为了完成这项工作,您需要禁用联合身份验证并使用AAD 站点的管理身份验证,这样就不需要重定向。 So you will need to create a user from AAD site.因此,您需要从 AAD 站点创建用户。
For more information please refer this MS Q&A answer suggested by @amanpreetsingh-msft & @MarileeTurscak-MSFT.有关更多信息,请参阅@amanpreetsingh-msft 和 @MarileeTurscak-MSFT 建议的MS Q&A答案。
Still, if you want to use federated authentication you can refer this blog .不过,如果您想使用联合身份验证,您可以参考此博客。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.