How to silently get access token to user subscription Azure Batch?


Problem description

I am working on a project where we have a service that runs computation on Azure Batch in user subscription mode (because we are using a custom image). I now have my code fully working, but it requires every launch to provide user credentials to log into the Azure Active Directory app before it can create Batch pools and so on. Because it will run as a background service, I need to log in silently with some provided user, without a popup asking the user to log in.

I have registered a native app in Azure and set its access to the Azure Batch service, created an Azure AD user, and got all IDs and names from it.

Here is the code I am using now.

private const string AuthorityUri = "https://login.microsoftonline.com/common";
private const string BatchResourceUri = "https://batch.core.windows.net";

private const string BatchAccountEndpoint = "https://<BATCH SERVICE NAME>.westeurope.batch.azure.com";
private const string ClientId = "<AZURE APP GUID ID>";

...

public static async Task<string> GetAuthenticationTokenAsync()
{
    var authContext = new AuthenticationContext(AuthorityUri);

    // here it will throw an exception about no token found in cache and to call AcquireToken
    var authResult = await authContext.AcquireTokenSilentAsync(BatchResourceUri, ClientId, new UserIdentifier("<AD USER GUID ID>", UserIdentifierType.UniqueId));

    // this works fine, but shows a popup dialog for login
    /*var authResult = await authContext.AcquireTokenAsync(BatchResourceUri,
                                                            ClientId,
                                                            new Uri(RedirectUri),
                                                            new PlatformParameters(PromptBehavior.Auto));*/

    return authResult.AccessToken;
}

...

Func<Task<string>> tokenProvider = () => GetAuthenticationTokenAsync();


using (BatchClient batchClient = await BatchClient.OpenAsync(new BatchTokenCredentials(BatchAccountEndpoint, tokenProvider)))
{
    ...
}

The classic way, AcquireToken with a popup for login, is working fine. I have tried to use AcquireTokenSilent (as shown in the code), but I am getting an error about no token cache and the need to call AcquireToken.

The ID used in UserIdentifier is the user ID GUID taken from the Azure Active Directory user blade.

Does anybody know how to update my code so I will be able to silently log into Azure Batch with a specified user, and is this even possible?

Thanks for the help.

Recommended answer

AcquireTokenSilent is not meant for this use case. It will try to get the token from the cache where it was previously stored by AcquireTokenAsync.

And AcquireTokenAsync will pop up a login dialog, so you can't use that in your batch app either.

Take a look at authenticating using a certificate or using a username/password.

In the first sample, you need to create a ClientAssertionCertificate with

certCred = new ClientAssertionCertificate(clientId, cert);

This is then used for AcquireTokenAsync:

result = await authContext.AcquireTokenAsync(todoListResourceId, certCred);

The other sample creates a UserPasswordCredential with

var uc = new UserPasswordCredential(user, password);

and then also uses it with AcquireTokenAsync in a slightly different way:

authContext.AcquireTokenAsync(todoListResourceId, clientId, uc);

There are some limitations as to what you can do with the tokens that are based on the two different authentication methods. For example, using the access token for EWS Impersonation requires using the certificate method.
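
The certificate route from the answer, applied to the Batch token provider in the question, as an added example that is not part of the original answer. It assumes ADAL (as in the question), a tenant-specific authority rather than /common, and an app registration that has the certificate's public key uploaded and has been granted access to the Batch account; the tenant ID and thumbprint are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL, as used in the question

public static class BatchAuth
{
    // Placeholders (assumptions, not values from the page): tenant ID and thumbprint.
    private const string AuthorityUri = "https://login.microsoftonline.com/<TENANT ID>";
    private const string BatchResourceUri = "https://batch.core.windows.net";
    private const string ClientId = "<AZURE APP GUID ID>";
    private const string CertThumbprint = "<CERTIFICATE THUMBPRINT>";

    // Load the signing certificate from the service account's store,
    // so no password or key material lives in code or config files.
    private static X509Certificate2 LoadCertificate()
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, CertThumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Certificate not found in CurrentUser\\My.");

            var cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("No private key; cannot sign the client assertion.");
            if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
                throw new InvalidOperationException("Certificate is outside its validity period.");
            return cert;
        }
    }

    // Drop-in replacement for the question's GetAuthenticationTokenAsync.
    public static async Task<string> GetAuthenticationTokenAsync()
    {
        var authContext = new AuthenticationContext(AuthorityUri);
        var certCred = new ClientAssertionCertificate(ClientId, LoadCertificate());

        // App-only flow: no user, no login dialog, no prior cache entry required.
        var authResult = await authContext.AcquireTokenAsync(BatchResourceUri, certCred);
        return authResult.AccessToken;
    }
}
```

The resulting method can be passed to BatchTokenCredentials as the tokenProvider exactly as in the question's code.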
