Dynamics CRM daemon app with Client Assertion Certificate (Azure AD) gives 401


Problem description

I am working on an app where I need to keep talking to some of the Dynamics CRM APIs in background jobs (every several minutes to upload updated content).

Since ADAL authentication with user credentials (app permissions) works flawlessly with CRM APIs, I was under the impression that I would get it working with Client Assertion Certificate Credentials as well.

The code looks like this -

var certCred = new ClientAssertionCertificate(clientId, cert);
var result = await authContext.AcquireTokenAsync("https://<tenant_name>.crm4.dynamics.com/", certCred);

This works and I am able to get the access token. However, since these are delegate permissions, I am not able to get authorized to access CRM WebAPIs.

I can obviously use a service / daemon account to perform background tasks, but I wanted to do it more in the client assertion certificate way. Has anyone found a solution to scenarios like this? Does CRM WebAPI support delegate permissions?

Is there any other way to do it?

Recommended answer

I want to clarify some concepts first. The client credential flow is used for acquiring the application permission instead of delegated permissions for the app. Normally, the OAuth 2.0 code grant flow is used to acquire the delegate permission.

From the description, it seems that you want to acquire the application permission through the client credential flow; however, the token is invalid for calling the Dynamics CRM Web API. After researching, I found this issue was raised several times; however, there is no answer.

Based on my understanding, the Dynamics CRM Web API seems not to support the app token (acquired using the client credential flow) because when you register the apps for this API on Azure, we are not able to check any permission/scope for the application level, like the figure below:
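To see which kind of token a flow actually returned, the payload claims can be inspected: Azure AD puts delegated scopes in the `scp` claim and application permissions in the `roles` claim. The following is an added example, not code from the original question or answer; the class name `TokenKind`, the sample payloads and the `example` tenant name are constructed for illustration.

```csharp
using System;
using System.Text;
using System.Text.Json;

static class TokenKind
{
    // Decode a base64url JWT segment (URL-safe alphabet, padding stripped).
    static string Base64UrlToString(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        if (s.Length % 4 == 1) throw new FormatException("invalid base64url length");
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    // Reads claims only; the signature is NOT validated (diagnostics, not authorization).
    public static string Classify(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT");
        using JsonDocument doc = JsonDocument.Parse(Base64UrlToString(parts[1]));
        JsonElement claims = doc.RootElement;
        if (claims.TryGetProperty("scp", out _))
            return "delegated: scp claim present";
        if (claims.TryGetProperty("roles", out JsonElement roles)
            && roles.ValueKind == JsonValueKind.Array && roles.GetArrayLength() > 0)
            return "app-only: application permissions in roles claim";
        return "app-only: no scp and no roles, so no permission was granted";
    }

    // Helper for building the constructed samples below.
    static string ToBase64Url(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed payloads, not real tokens; header and signature are placeholders.
        const string aud = "\"aud\":\"https://example.crm4.dynamics.com/\"";
        string certToken = "e30." + ToBase64Url("{" + aud + ",\"appid\":\"00000000-0000-0000-0000-000000000000\"}") + ".sig";
        string userToken = "e30." + ToBase64Url("{" + aud + ",\"scp\":\"user_impersonation\"}") + ".sig";
        Console.WriteLine(Classify(certToken));
        Console.WriteLine(Classify(userToken));
    }
}
```

Run against the `AccessToken` returned by `AcquireTokenAsync`, a result with neither claim matches the situation described in the answer: the token is issued, but it carries no permission the API can authorize.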
