MSA(Microsoft个人)帐户和AAD帐户在Azure Ad v2.0终结点上的代表 [英] On-behalf-of on Azure Ad v2.0 endpoint for both MSA (Microsoft personal) and AAD accounts
问题描述
我们有一个面向用户的Web应用程序和一个中间层ASP.NET Core Web API,当前在Azure Ad v1.0终结点上使用OAuth 2.0代理流(OBO),仅对AAD帐户进行身份验证.我们还需要对MSA(个人)帐户进行身份验证,因此将我们的解决方案迁移到Azure AD v2.0终结点.
We have a user-facing web app and a middle-tier ASP.NET Core Web api, currently using OAuth 2.0 On-Behalf-Of flow (OBO) on the Azure Ad v1.0 endpoint, authenticating only AAD accounts. We need to authenticate also MSA (personal) accounts, therefore migrate our solution to the Azure AD v2.0 endpoint.
The official sample only authenticates AAD accounts and says:
" 当前限制: 代表流量当前不适用于Microsoft Personal帐户."
"Current limitations: The on-behalf-of flow does not currently work for Microsoft Personal accounts."
有人可以确认吗? 在这种情况下,为Microsoft个人帐户以及工作或学校帐户获得服务到服务令牌的替代方法是什么?
Can somebody confirm this ? What is the alternative for getting a service to service token for both Microsoft Personal accounts and work or school accounts if this is the case?
推荐答案
如文档所述,常见的OBO模式不能用于登录个人,工作或学校帐户的客户.一般准则建议,如果可能,建议将中间层应用程序和前端UI合并到一个AAD v2.0应用程序中.当然,只有在将一个前端映射到中间层的情况下,才能执行此操作,并且不适用于多个前端共享同一中间层的情况.
As the documentation says, a common OBO pattern cannot be used for clients that sign in both personal and work or school accounts. The general guidelines recommend, if possible, to merge the middle tier application and the front-end UI into one AAD v2.0 application. Ofcourse, this can only be done if you have a single front-end mapped to the middle tier and won't be applicable in cases of multiple front-ends sharing the same middle tier.
This link provides information regarding the reasons for these limitations and the workaround that I described above. Unfortunately, merging the two applications is the only way.
这篇关于MSA(Microsoft个人)帐户和AAD帐户在Azure Ad v2.0终结点上的代表的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
