问题
I've got an existing MVC5 application that uses Forms authentication. Half of my users are internal employees that also exist in Azure AD. I'd like to give them the option to authenticate against AD but I don't want the other half to have to go through AD. All of the examples I've seen of using Azure AD authentication seems like an all or nothing thing.
Can't I just add a button to my login form for the AD users to go to the Azure login and get redirected back with a token? My other option is if they are an Azure user, take their email/password from my login form and try to connect to AD with it. This seems like a risk as I'll have exposure to their actual network credentials.
回答1:
I haven't completed it yet but I've gotten far enough in that this feels like the solution to me. I'm going to add a link to my login page for Azure AD users that points to the AD OpenID url as defined here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-openid-connect-code/
The id_token that I get back identifies the user after it's unpacked as detailed here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-tokens/#validating-tokens
来源:https://stackoverflow.com/questions/38999304/mixing-azure-ad-authentication-with-forms-authentication