使用Azure AD B2C身份验证为服务 [英] Authenticating as a Service with Azure AD B2C

问题描述

我们已经使用Azure AD B2C和OAuth设置了我们的应用程序，效果很好，但是我试图将其身份验证为服务，以便进行服务调用.我对此并不陌生，但是我已经学习了有关Pluralsight的一些课程，以了解如何在常规" Azure Active Directory上执行此操作，并且可以使其正常工作，但是在B2C上遵循相同的原理是行不通的.

We have setup our application using Azure AD B2C and OAuth, this works fine, however I am trying to authenticate as a service in order to make service to service calls. I am slightly new to this, but I have followed some courses on Pluralsight on how to do this on "normal" Azure Active Directory and I can get it to work, but following the same principles with B2C does not work.

我有这个快速控制台应用程序:

I have this quick console app:

class Program
{
    private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"]; //APIClient ApplicationId
    private static string appKey = ConfigurationManager.AppSettings["ida:appKey"]; //APIClient Secret
    private static string aadInstance = ConfigurationManager.AppSettings["ida:aadInstance"]; //https://login.microsoftonline.com/{0}
    private static string tenant = ConfigurationManager.AppSettings["ida:tenant"]; //B2C Tenant 
    private static string serviceResourceId = ConfigurationManager.AppSettings["ida:serviceResourceID"]; //APP Id URI For API
    private static string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);

    private static AuthenticationContext authContext = new AuthenticationContext(authority);
    private static ClientCredential clientCredential = new ClientCredential(clientId, appKey);

    static void Main(string[] args)
    {
        AuthenticationResult result = authContext.AcquireToken(serviceResourceId, clientCredential);
        Console.WriteLine("Authenticated succesfully.. making HTTPS call..");

        string serviceBaseAddress = "https://localhost:44300/";
        HttpClient httpClient = new HttpClient();
        httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        HttpResponseMessage response = httpClient.GetAsync(serviceBaseAddress + "api/location?cityName=dc").Result;

        if (response.IsSuccessStatusCode)
        {
            string r = response.Content.ReadAsStringAsync().Result;
            Console.WriteLine(r);
        }
    }
}

服务的安全性如下:

    private void ConfigureAuth(IAppBuilder app)
    {
        var azureADBearerAuthOptions = new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
            TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters()
            {
                ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
            }
        };

        app.UseWindowsAzureActiveDirectoryBearerAuthentication(azureADBearerAuthOptions);
    }

在我的B2C租户中，我有两个不同的应用程序，它们的设置大致如下:

In my B2C tenant I have two different applications that are pretty much setup as this:

这两个应用程序都已设置了来自密钥"选项的机密信息.与使用Azure Active Directory相比，生成的密钥的结构略有不同.

Both applications have been setup with secrets coming from the "keys" option. The keys generated are slightly differently structured than when using Azure Active Directory.

我可以成功获取令牌，但是尝试连接到其他服务时却获得401.与Azure Active Directory相比，使用B2C时，在授权方面我是否必须做些不同的事情?

I can successfully get a token, but I get 401 when trying to connect to the other service. Do I have to do something different on the authorization side when using B2C compared to Azure Active Directory?

推荐答案

如果满足以下条件，Azure Active Directory B2C可以发布访问令牌以供Web或本机应用访问API应用:

Azure Active Directory B2C can issue access tokens for access by a web or native app to an API app if:

1. 这两个应用程序均已在B2C中注册；和
2. 访问令牌是作为交互式用户流(即授权码或隐式流)的结果发出的.

当前，不支持您的特定方案-需要发行访问令牌以供守护程序或服务器应用程序访问API应用程序(即，客户端凭据流)，但是您可以注册这两个应用都是通过B2C租户的应用注册"刀片进行的.

Currently, your specific scenario -- where you are needing an access token to be issued for access by a daemon or server app to the API app (i.e. the client credentials flow) -- isn't supported, however you can register both of these apps through the "App Registrations" blade for the B2C tenant.

您可以在以下位置通过B2C投票支持对客户端凭据流的支持:

You can upvote support for the client credentials flow by B2C at:

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/18529918-aadb2c-support-oauth-2-0-client-credential-flow

如果API应用程序要同时从Web/本地应用程序和守护程序/服务器应用程序接收令牌，则必须配置API应用程序以验证来自两个令牌发行者的令牌:一个是B2C，另一个是B2C B2C租户中的Azure AD目录.

If the API app is to receive tokens from both the web/native app as well as the daemon/server app, then you will have to configure the API app to validate tokens from two token issuers: one being B2C and other being the Azure AD directory in your B2C tenant.

这篇关于使用Azure AD B2C身份验证为服务的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！