Azure AD OAuth Client Credentials Grant flow

Views: 79

Question

Trying to set up Azure AD OAuth client credentials grant flow for my web API. I'm following the document at https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow. I have to expose my API to a 3rd party. I've created the app in Azure AD (this is for the client that is requesting my API), generated the secrets and was able to get a response from the oauth2/token endpoint. My questions are below:

  1. What is the best way to validate the token? Is it by passing the JWT (bearer token) as an HTTP header to my API, and then using the SDK to validate the token (System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler)? I'm using C#.
  2. What is the significance of Azure AD -> App Registrations -> "My API App" -> under Manage, "Expose an API"? It has an option to "Authorize client applications". How could I use this feature to conditionally block and approve the client applications?

Answer

You're on the right track.

This answer, Azure AD OAuth client credentials grant flow with Web API AuthorizeAttribute Roles, will walk you through one way to do this, using the roles claim in the token to authorize the call.

You will need to:

  • Define roles
  • Create an app registration for each third party
  • Assign their app to the roles you want

You can then use the AuthorizeAttribute to map which roles can execute which controllers/actions, like so:

[Authorize(Roles = "Reader,Requester,Editor,Approver,Administrator")]
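The following is an added example, not code from the original answer or from Microsoft's documentation. It shows one way to wire the two halves together in an ASP.NET Core API: the JWT bearer middleware validates the token's signature, issuer, audience and lifetime against the tenant's published keys, and the roles claim is mapped onto AuthorizeAttribute so that each third-party app registration can only reach the actions for the roles it has been granted. The tenant ID, the API's application ID, the role names and the DocumentsController are assumptions chosen for the illustration.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

// Step 1 ("define roles"): an app role is declared in the API app registration's
// manifest. An app-only (client credentials) token can only carry roles whose
// allowedMemberTypes includes "Application". Assumed manifest entry:
//
//   "appRoles": [
//     {
//       "allowedMemberTypes": [ "Application" ],
//       "displayName": "Reader",
//       "description": "Can list documents",
//       "id": "<new GUID>",
//       "isEnabled": true,
//       "value": "Reader"
//     }
//   ]
//
// Steps 2 and 3: each third party gets its own app registration; on that
// registration an admin grants the API's application permission ("Reader") and
// consents to it. Tokens issued to that client then contain "roles": ["Reader"].

var builder = WebApplication.CreateBuilder(args);

// Assumed identifiers for this example.
const string tenantId = "00000000-0000-0000-0000-000000000000"; // directory (tenant) ID
const string apiAppId = "11111111-1111-1111-1111-111111111111"; // the API's application (client) ID

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Authority makes the handler download the tenant's OpenID metadata and
        // JWKS, so signatures are checked against Azure AD's current signing keys
        // and key rollover needs no code change.
        options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";

        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Pin the issuer to this tenant; a token from any other tenant is rejected.
            ValidateIssuer = true,
            ValidIssuers = new[]
            {
                $"https://login.microsoftonline.com/{tenantId}/v2.0", // v2 tokens
                $"https://sts.windows.net/{tenantId}/",               // v1 tokens (the flow in the question)
            },

            // Pin the audience to this API, otherwise a token minted for a different
            // API in the same tenant would be accepted. v1 tokens carry the App ID
            // URI, v2 tokens carry the application ID.
            ValidateAudience = true,
            ValidAudiences = new[] { apiAppId, $"api://{apiAppId}" },

            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),

            // Make [Authorize(Roles = ...)] read the Azure AD "roles" claim,
            // independent of the handler's inbound claim-type mapping.
            RoleClaimType = "roles",
        };
    });

builder.Services.AddAuthorization();
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// Step 4: map roles to actions. A client whose token carries no matching role
// gets 403, and a client with no valid token at all gets 401.
[ApiController]
[Route("api/[controller]")]
public class DocumentsController : ControllerBase
{
    [HttpGet]
    [Authorize(Roles = "Reader,Editor,Administrator")]
    public IActionResult List() => Ok(new[] { "doc-1", "doc-2" });

    [HttpPost]
    [Authorize(Roles = "Editor,Administrator")]
    public IActionResult Create() => Created("api/documents/doc-3", null);
}
```

Two points worth checking in practice. First, a client-credentials token from a registration that has been granted no app role still validates; only the role check blocks it, so a bare [Authorize] without Roles would let every registered client in. Second, the "Authorized client applications" list under Expose an API pre-authorizes clients for delegated scopes so users are not prompted for consent; it is not an allow-list for app-only tokens, which is why per-client control in this flow comes from which app roles each registration has been granted.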

