Permission issue on accessing OAuth 2 authenticated API from different apps


Problem description

Hello!

I am new to Azure API Manager, and was trying to set up multiple source applications in Azure so that they can all access APIs created on Azure API Manager, with the APIs protected via OAuth2.

I followed the Azure documentation to:

  1. Create an API instance and create the API that needs to be exposed.
  2. Create one Application under Active Directory for the APIM instance - APIMApp (Client ID1/Secret Key1).
  3. Create another Application, Appi1, for a source that will be calling API1 (Client ID2/Secret Key2). Also gave permission to the APIM Application under this.
  4. Create an OAuth2 server under APIM by providing the APIMApp Client ID.
  5. Set the Validate JWT policy on the specific API as below:

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-errormessage="Unauthorized. Access token is missing or invalid.">
    <openid-config url="https://login.microsoftonline.com/{tenant id}/.well-known/openid-configuration" />
</validate-jwt>

The issue I am facing is that when I created another source application (Client ID3/Secret Key3), this new App2 is able to call the API with a valid token even though I did not add the APIMApp permission to it. How can I restrict applications from calling the API even if they have a valid Client ID and Secret Key?

Thanks! Appreciate any response in resolving this issue.

Answer

The Client credentials section contains the Client ID and Client secret, which are obtained during the creation and configuration process of your OAuth 2.0 server. If you have authorized an API through OAuth2, the Client ID and Client secret are the only credentials for accessing the API. If the application has valid credentials, the API must be accessible by the application.
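As an added example that is not part of the original question or answer, the same validate-jwt policy can be extended so that a token is accepted only when it was issued for this API and to an allow-listed calling application. It assumes Azure AD v1 access tokens (the calling app's client ID is in the appid claim; v2 tokens carry it in azp instead) and uses placeholders for the tenant, audience and client IDs.

```xml
<!-- Added example, not the policy from the original thread. Placeholders in braces
     must be replaced with values from your own tenant and app registrations.
     Assumes v1 tokens: the caller's client ID is in the "appid" claim. -->
<validate-jwt header-name="Authorization"
              failed-validation-httpcode="401"
              failed-validation-errormessage="Unauthorized. Access token is missing or invalid."
              require-scheme="Bearer">
    <openid-config url="https://login.microsoftonline.com/{tenant id}/.well-known/openid-configuration" />
    <!-- The token must have been issued for this API (the APIMApp registration),
         not merely be a valid token for some other resource in the tenant. -->
    <audiences>
        <audience>{APIMApp application ID URI or client ID}</audience>
    </audiences>
    <!-- Allow-list of source applications: a token issued to Appi1 (Client ID2)
         passes; a token issued to App2 (Client ID3) is rejected with the 401 above. -->
    <required-claims>
        <claim name="appid" match="any">
            <value>{Client ID2}</value>
        </claim>
    </required-claims>
</validate-jwt>
```

Onboarding a further source application then means adding its client ID as another value under the appid claim, rather than relying on the permission grant alone.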

