访问认证的Azure API APP [英] Accessing authenticated Azure API APP

问题描述

我有我已经设置为使用Azure的AD身份验证的Azure API应用程序。
像这样：

I have an Azure API APP that I have set up to use Azure AD authentication. Like so:

我也有具有生成的客户端API来我的API APP这样的控制台应用程序：

I also have a console app that have a generated client API to my API APP like this:

如果我禁用了API APP认证，我可以从我的控制台应用程序调用API。
如果我能在Azure AD认证，客户端无法调用API，由于未授权的例外，这是ofcourse的预期。

If I disable the authentication on the API APP, I can call the API from my console app. If I enable the Azure AD authentication, the client can not call the API due to "not authorized" exception, which is ofcourse expected.

我都找遍了，以找到如何提供正确类型的凭据API的任何信息的地方。
有一个 client.Credentials 属性，可以是 TokenCredentials 或 BasicAuthenticationCredentials

I have searched all over the place to find any information on how to supply credentials of the correct type to the API. There is a client.Credentials property that can be either TokenCredentials or BasicAuthenticationCredentials

什么是通过Azure的AD如果我对AD用户的用户名和密码来验证客户端的正确方法？

What would be the correct way to authenticate the client through the Azure AD if I have username and password for the AD user?

我无法找到的任何的文件，涉及到自动生成的API客户端在Azure SDK。

I am unable to find any documentation that relates to the auto generated API clients from the Azure SDK.

从@chrisgillum答复导致对如何做到这一点的文章：

The reply from @chrisgillum leads to an article on how to do this:

internal class Program
{
    [STAThread]
    private static void Main(string[] args)
    {
        var uri = new Uri("https://ro....azureapp.azurewebsites.net");
        var client = new LearningAzure(uri);
        client.HttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer",
            ServicePrincipal.GetS2SAccessTokenForProdMSA().AccessToken);
        var res = client.Foo.GetById(123);
    }
}


public static class ServicePrincipal
{
    // The _authority is the issuer URL of the tenant.
    private static readonly string _authority = "https://login.windows.net/ro....ouse.onmicrosoft.com";

    // The _resource is the Client ID of the "data web api" AAD app.
    private static readonly string _resource = "b8b0.....8e3623d";

    // The Client ID of the "client" AAD app (i.e. this app).
    private static readonly string _clientId = "d25892.....33a0";

    // The key that was created for the "client" app (i.e. this app).
    private static readonly string _clientSecret = "??????";

    public static AuthenticationResult GetS2SAccessTokenForProdMSA()
    {
        return GetS2SAccessToken(_authority, _resource, _clientId, _clientSecret);
    }


    /// <summary>
    ///     Gets an application token used for service-to-service (S2S) API calls.
    /// </summary>
    private static AuthenticationResult GetS2SAccessToken(string authority, string resource, string clientId,
        string clientSecret)
    {
        // Client credential consists of the "client" AAD web application's Client ID
        // and the key that was generated for the application in the AAD Azure portal extension.
        var clientCredential = new ClientCredential(clientId, clientSecret);

        // The authentication context represents the AAD directory.
        var context = new AuthenticationContext(authority, false);

        // Fetch an access token from AAD.
        var authenticationResult = context.AcquireToken(
            resource,
            clientCredential);
        return authenticationResult;
    }
}

的 _clientSecret 我如何获得这一个？
在我的Azure AD配置的客户端应用程序没有任何选项生成一个秘密。

The _clientSecret how do I get this one? The client app configured in my Azure AD does not have any options to generate a secret.

发布的Web应用程序可以，但是我的自定义创建本机应用程序只有在配置页面上的客户端ID。
想法？

Published web apps can, but my custom created native app only has a client Id on the configure page. Ideas?

推荐答案

要得到一个控制台应用程序凭据，如果你是提示用户登录，就可以使用他们的凭据获得的令牌。否则，你需要使用一个客户端应用程序键（这是一个客户端应用程序的URI和匹配API密钥）来获取令牌。

To get credentials on a console app, if you are prompting for a user login, you can use their credentials to acquire a token. Otherwise, you need to use a Client App Key (which is a client App URI and matching API key) to acquire a token.

Uri aadUri = new Uri(_settings.AadUri);
Uri authorityUri = new Uri(aadUri, _settings.TenantUri);
string authority = authorityUri.ToString();

AuthenticationResult authorizationResult;
var authenticationContext = new AuthenticationContext(authority, new TokenCache());

var clientCredential = new ClientCredential(_settings.ClientId, _settings.AppKey);
authorizationResult = authenticationContext.AcquireToken(_settings.AppIdUri, clientCredential);

您还需要确保你的应用程序的URI是清单的服务端点（或以某种方式规定给您的应用程序在蔚蓝的访问Azure的广告）。

You also need to make sure your app URI is in the manifest for the service endpoint (or somehow provisions to give your app in azure access to the Azure AD).

这篇关于访问认证的Azure API APP的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！