Authentication to Azure AD protected app using id_token


Question

I have two app services, both protected using Azure AD authentication configured from the Azure portal.

The front end app service is written in Angular, and the authentication method I follow is as follows.

  1. The Angular app loads. A GET request is sent to .auth/me, which returns me the id_token, which as far as I understand is my auth token.
  2. I store this token and then forward it in the header as "Authorization: Bearer ***" to my second app service API.

However, I am observing that maybe the second app service AD allows the token on first load. It is inconsistent and gives 401 unauthorized errors all the time, even within 2-3 mins of usage.

I am unsure if it's the right way to use id_token or whether another token needs to be used.

Answer

What you should use here is an access token.

Your backend app is a protected web API in this scenario.

As adp suggested, you need to follow the specific information:

Your app registration must expose at least one scope or one application role. Scopes are exposed by web APIs that are called on behalf of a user.

Application roles are exposed by web APIs called by daemon applications (that call your web API on their own behalf).

If you create a new web API app registration, choose the access token version accepted by your web API to 2. For legacy web APIs, the accepted token version can be null, but this value restricts the sign-in audience to organizations only, and personal Microsoft accounts (MSA) won't be supported.

The code configuration for the web API must validate the token used when the web API is called.

The code in the controller actions must validate the roles or scopes in the token.

There is a sample in GitHub.

To protect your API with Azure AD, you need to register two Azure AD apps, one for the client app (front end) and the other for the API app (backend).

In the API app, you need to expose the API. By doing step 7 and step 8, you can expose the scope.

Then you need to configure the client app. With step 8 here, you can add the permission (scope) which is exposed by the API app to the client app.

Use MSAL to request the access token, which includes this permission (scope). You can verify it in your code. If the permission is what you expected, the client is allowed to access your API.
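The following is an added example, not code from the answer or from the linked sample. It shows the checks the backend web API performs on an incoming bearer token (signature, issuer, token version, audience, expiry, and the `scp` scope claim) and why the id_token from `/.auth/me` fails them while an access token requested via MSAL for the API's scope passes. All ids, the tenant, the scope name `access_as_user`, and the claim values are constructed placeholders, and the tokens are signed with a demo HMAC key so the script runs offline; Azure AD signs tokens with RS256 and a real API must verify against the tenant's published JWKS keys instead.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed placeholders standing in for the two app registrations.
TENANT_ID = "tenant-id-placeholder"
CLIENT_APP_ID = "client-app-id-placeholder"   # front-end (Angular) registration
API_APP_ID = "api-app-id-placeholder"         # backend (web API) registration
API_APP_ID_URI = f"api://{API_APP_ID}"        # App ID URI set when exposing the API
REQUIRED_SCOPE = "access_as_user"             # scope exposed by the API app (assumed name)
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

# Demo-only HS256 key. Real Azure AD tokens are RS256-signed; verify them
# against the tenant JWKS, never with a shared secret like this.
DEMO_KEY = b"demo-signing-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_token(claims: dict) -> str:
    """Build an HS256 JWT carrying `claims` (a stand-in for an Azure AD token)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_api_token(token: str, required_scope: str = REQUIRED_SCOPE,
                       now: Optional[float] = None) -> Tuple[bool, str]:
    """Checks the web API must run before serving a request. Returns (ok, reason)."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    # 1. Signature (demo HMAC; production: RS256 against the tenant JWKS).
    expected = hmac.new(DEMO_KEY, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p64))
    # 2. Issuer and token version (a v2 access token carries ver="2.0").
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if claims.get("ver") != "2.0":
        return False, "unexpected token version"
    # 3. Audience: an access token for this API names the API's app id or App ID URI.
    #    An id_token names the *client* app, so it is rejected here.
    if claims.get("aud") not in (API_APP_ID, API_APP_ID_URI):
        return False, "audience is not this API"
    # 4. Expiry.
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # 5. Delegated permission: the space-separated scp claim must contain the scope.
    scopes = claims.get("scp", "").split()
    if required_scope not in scopes:
        return False, "required scope missing"
    return True, "ok"


def demo() -> dict:
    """Run the validator over constructed tokens and return each verdict."""
    now = 1_700_000_000
    base = {"iss": ISSUER, "iat": now, "exp": now + 3600, "ver": "2.0",
            "sub": "user-object-id-placeholder"}
    # What the front end gets from /.auth/me: an id_token for the client app.
    id_token = make_demo_token({**base, "aud": CLIENT_APP_ID, "name": "Demo User"})
    # What MSAL returns for scopes=["api://<api-app-id>/access_as_user"].
    access_token = make_demo_token({**base, "aud": API_APP_ID, "scp": "access_as_user"})
    # An access token minted for some other API is also rejected.
    other_api_token = make_demo_token({**base, "aud": "other-api-app-id-placeholder",
                                       "scp": "User.Read"})
    return {
        "id_token": validate_api_token(id_token, now=now),
        "access_token": validate_api_token(access_token, now=now),
        "other_api_token": validate_api_token(other_api_token, now=now),
        "expired": validate_api_token(access_token, now=now + 7200),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16s} -> {'200' if ok else '401'} ({why})")
```

Running the script prints a 401 verdict for the id_token (its `aud` is the client app, and it has no `scp` claim), a 200 for the access token requested with the API's scope, and 401s for the foreign-audience and expired tokens. The order of checks matters in practice: signature and issuer come first so that no claim is trusted before the token is known to be genuine.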
