建议OAuth流程(授予类型)或满足以下要求的方法 [英] Suggest OAuth flow(grant type) or approach for below requirement
问题描述
CompanyA正在与CompanyB集成,在那里CompanyA的用户将购买CompanyB的设备.
CompanyA is integrating with CompanyB where CompanyA's users will be buying devices of CompanyB.
CompanyA希望通过调用
CompanyA wants to show user's device(CompanyB) details on their app by calling
每次用户登录时CompanyB的API.
CompanyB's API on each user login.
CompanyA用户在CompanyA IAM上进行了身份验证.
CompanyA user is authenticated on CompanyA IAM.
用户第一次尝试添加设备时,CompanyA必须调用注册设备.
CompanyA has to call register device when user tries to add an device first time.
帮助我确定仅可用于查询特定登录用户设备的流程.
Help me to identify the flow which i can use to query particular loggedin user's device only.
我需要在CompanyB的IAM上创建重复的用户帐户吗?
Do i need to create duplicate user account on CompanyB's IAM?
如果我使用客户端凭据流进行API到API的调用,则CompanyB给出的访问令牌仅提供对API调用的访问权限,但它不代表仅调用正确的用户调用.
If i use client credential flow for API to API call, access token given by CompanyB is only provides access for API calls but it does not tell that on behalf of correct user only call is invoked.
假设CompanyA使用IdentityServer或任何其他提供程序作为IAM,而CompanyB使用Azure AD B2C.
Assume that CompanyA uses IdentityServer or any other provider as IAM and CompanyB uses Azure AD B2C.
还有其他方法吗?
请参见下图,
推荐答案
您应该能够通过在其Azure AD中将Company B API设置为多租户来做到这一点. 当然,还有其他选择,这只是我想到的第一个.
You should be able to do this by making the Company B API multi-tenant in their Azure AD. There are other options surely, this is just the first one that came to my mind.
您必须先征得管理员的同意才能在您的Azure AD租户中获取API的服务主体. Company B API可以为您提供执行此操作的终结点,并使用适当的参数将您重定向到授权终结点. 如何发送登录请求
You would have to do admin consent on it to get the API's service principal in your Azure AD tenant. The Company B API can give you an endpoint for doing this, redirecting you with the proper parameters to the authorization endpoint. How to send a sign-in request
这样做之后,您应该应该可以从租户中的Company A API(在Azure AD中配置)获得对API的权限.
After doing this, you should be able to then require permissions on the API from Company A API in your tenant (configured in Azure AD). Configure a client application to access web APIs
完成这些操作后,您的API应该能够使用代理授权"流程来获取针对Company B API的访问令牌. 在ASP.NET中使用Azure AD代表流核心2.0 API
After doing those things, your API should be able to use On-Behalf-Of grant flow to get an access token for Company B API. Using Azure AD On-Behalf-Of flow in an ASP.NET Core 2.0 API
公司B API必须配置为接受来自其Azure AD之外的其他发行者的访问令牌.
在一般的多租户方案中,发行人验证通常是关闭的.
如果公司B希望对此拥有控制权,则他们目前必须明确列出有效的发行人.
颁发者值如下所示:https://sts.windows.net/31537af4-6d77-4bb9-a681-d2394888ea26/,GUID是您的Azure AD租户ID.
Company B API must be configured to accept access tokens from another issuer than their Azure AD of course.
In general multi-tenant scenarios, the issuer validation is commonly turned off.
If Company B wishes to have control over this, currently they will have to explicitly list the valid issuers.
Issuer values look like this: https://sts.windows.net/31537af4-6d77-4bb9-a681-d2394888ea26/, the GUID is your Azure AD tenant id.
Company B API可以从访问令牌中提取租户ID和用户对象ID,并根据它们授权用户使用资源.
The Company B API can extract the tenant id and user object id from the access token, and authorize the user to resources based on them.
这篇关于建议OAuth流程(授予类型)或满足以下要求的方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
