Tools, FAQ, Tutorials:
Initiate Azure AD v2 Authentication Request
How to initiate Azure AD v2.0 Sign-On Authentication Request?
✍: FYIcenter.com
The Azure AD v2.0 Sign-On Authentication Request must be initiated from the end user's Web browser, because the Azure AD service needs to communicate with the Web browser to make sure that the end user is signed on to an AD (Active Directory) and has a valid browser session.
There are a number of options to initiate Azure AD v2.0 Sign-On Authentication Request:
1. Using HTML "form" POST method to let the end user submit the request. All request parameters are coded as hidden form variables. For example:
<p>Please click the button flow to sign-on:</p> <form method="POST" action="https://login.microsoftonline.com/common/oauth2/v2.0/authorize"> <input type="hidden" name="client_id" value="bd51d56c-e744-4a58-91e1-************"> ... <input type="Submit" name="Submit" value="Sign-On"> </form>
The main risk of this option is that your end user can view HTML source to see your "client_id" value and other request parameters.
2. Using HTML "form" GET method to let the end user submit the request. All request parameters are coded as hidden form variables. For example:
<p>Please click the button flow to sign-on:</p> <form method="GET" action="https://login.microsoftonline.com/common/oauth2/v2.0/authorize"> <input type="hidden" name="client_id" value="bd51d56c-e744-4a58-91e1-************"> ... <input type="Submit" name="Submit" value="Sign-On"> </form>
This option is not as good as the first option, because all parameters show up in the browser's Web address area for a short period of time before Azure AD service redirects the browser to the sign-on page or your application page.
Note that all parameters may stay in the browser's Web address area for a long time if there is any issue with your authentication request.
3. Use a server side script to return a HTTP 302 redirect response. All request parameters are coded as the query string of the redirect URL. For example:
In the HTML document: <p>Click hereto sign-on</p> In the service side script, Azure-AD-Redirect.php: $url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize". "?client_id=bd51d56c-e744-4a58-91e1-************". "&..."; header("Location: $url");
When the Web receives the HTTP 302 redirect response, it will automatically call the URL given in the "Location" response header.
This option is does not leave your client_id value in the HTML source code. But all parameters show up in the browser's Web address area for a short period of time before Azure AD redirects the browser the sign-on page or your application page.
Note that all parameters may stay in the browser's Web address area for a long time if there is any issue with your authentication request.
Compare to other options, option 3 might be the best option.
⇒ Process Azure AD v2 Authentication Request
2019-05-03, 1179🔥, 0💬
Popular Posts:
How to read RSS validation errors at w3.org? If your RSS feed has errors, the RSS validator at w3.or...
How to run CMD Commands in Dockerfile to change Windows Docker images? When building a new Windows i...
How to send an FTP request with the urllib.request.urlopen() function? If an FTP server supports ano...
Can Multiple Paragraphs Be Included in a List Item? Yes. You can include multiple paragraphs in a si...
What is Azure API Management Developer Portal Admin? The Developer Portal Admin is an Azure Web port...