Acquiring token without browser (AWS Lex and Lambda)


Problem description

I am developing a chatbot in AWS (Lex, and AWS Lambda functions) and am trying to use Azure access tokens to authenticate the users before making requests to Microsoft Graph.
Since the interaction is (for now, during testing on AWS) not in a browser window, neither popups nor redirects work for signing in.
How do I get around this to allow the users to sign in? Has anyone else used Azure with AWS Lambda like this?

Thanks in advance for all help!

Recommended answer

Hello 

I understand that you have your users within an Azure AD tenant and hence you would like to use the Azure AD system as an identity provider. Please correct me in case my assumption is wrong anywhere in this reply. In order to use the client credential flow, you would need to register a web API within your Azure AD tenant directory and create a client ID and secret to be used on the AWS Lambda side.

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

You can use the client credential OAuth flow as described in the article https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow to make service-to-service calls; however, in this case you would get a token which is only an access token, not an access token & refresh token pair. The access token is valid for an hour, and after an hour you may need to request another token. So the way is to save the JSON token obtained on your side and add logic so that a new token is requested every 55 minutes or just around when the current token is going to expire. I had written a PowerShell script earlier where I used this logic to get audit logs from Azure, hence suggesting the same. The following are two articles on how to make service-to-service calls.

https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow

This may not be the best recommendation, as there could be other approaches which can be used but would require more testing. I believe within AWS you would invoke a web request using the Azure AD REST API or create an HttpClient equivalent which would do this for you in order to avoid authentication for users. If there are more details, feel free to update the thread.

Thanks.

