带有单页应用程序和ASP.Net核心Web API的Azure AD:如何访问所有相关令牌? [英] Azure AD with Single Page Application and ASP.Net core web api: how to access all relevant tokens?
问题描述
我们的应用程序是带有ASP.Net Core Web API的Angular SPA.身份由Microsoft身份平台(Azure AD)提供,身份验证由同一身份提供.授权基于Web API完成应用程序角色" .这些应用角色"包括:存放在Azure AD目录中(在应用程序的清单中定义,并在租户域上分配给用户).
Our application is an Angular SPA with ASP.Net Core Web API. The identity is provided by Microsoft Identity Platform (Azure AD) and authentication is provided by the same. The authorization is done in Web API basis "Application Roles". These "Application Roles" are held in the Azure AD directory (defined in the Application's manifest and assigned on the tenant domain to users).
Angular SPA根据这些说明.发出的相关令牌是:用于我的Web API的 AccessToken (遵循这些说明)和包含应用程序角色"的 IdToken 根据 roles 声明(一旦分配了角色,该ID令牌似乎会自动包含在内).
The Angular SPA receives the tokens from Azure, as per these instructions. The relevant tokens that are issued are: an AccessToken for my Web API (following these instructions), an AccessToken for calling Graph API (following the same instructions) and an IdToken that includes the "Application Roles" as roles claim (this id token seems to be included automatically once roles have been assigned).
我面临的问题是我需要将并发令牌传递给Web API,但是使用HTTP拦截器时,标头请求中只能包含1个令牌.例如,我需要第一个 AccessToken 来证明对Web API的身份验证,并且需要包含 IdToken ,以便Web API可以执行授权.
The problem I face is that I need to pass concurrent tokens to my Web API, but with the HTTP interceptor I can only include 1 token in the header request. For example, I need the first AccessToken to proof authentication to the Web API and I need to include the IdToken such that the Web API can perform authorization.
问:,当这些令牌都发行给SPA并且需要包含在对Web API的HTTP调用中时,如何使用多个令牌调用Web API?
Q: How can I call my Web API with multiple tokens, when these tokens are all issued to the SPA and need to be included in the HTTP call to my Web API?
推荐答案
无论您是否要获取Microsoft Graph数据,用于获取应用程序角色的方式都是不正确的.
No matter whether you want to get Microsoft Graph data, the way you used to get Application role is incorrect.
ID令牌不能用于对您的Web API应用程序执行授权.您必须使用访问令牌.请参阅此 answer 了解ID令牌和访问令牌的用法.
An id token cannot be used to perform authorization for your Web API application. You have to use access token. See this answer to learn about the usage of id token and access token.
因此,您必须使用访问令牌而不是id令牌.
So you have to use an access token rather than id token.
在这种情况下,您可以在代表Angular SPA(前端)的Azure AD应用程序中配置应用程序角色.
In this case, you configure the app roles in the Azure AD app which represents Angular SPA (the front).
实际上,您应该在代表ASP.Net Core Web API(后端)的Azure AD应用程序中配置应用程序角色.然后,您可以获取应用程序角色".作为Web API的AccessToken中的 roles 声明.
In fact, you should configure the app roles in the Azure AD app which represents ASP.Net Core Web API (the backend). Then you can get the "Application Roles" as roles claim in the AccessToken for your Web API.
这篇关于带有单页应用程序和ASP.Net核心Web API的Azure AD:如何访问所有相关令牌?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
