使用客户端凭据流在 Azure AD 中以编程方式添加应用程序 [英] Adding Applications programmatically in Azure AD using Client Credentials Flow
问题描述
为了与 Azure API 管理一起使用,我尝试以编程方式将应用程序添加到 Azure Active Directory (AAD),在我的例子中是使用图形 API.
For use with the Azure API Management, I am trying to add Applications to an Azure Active Directory (AAD) programmatically, in my case by using the Graph API.
我的场景如下:为了保护我想使用 Azure API 管理管理的 Web API,我想利用 AAD 的 OAuth 功能来完成有关身份验证和颁发 JWT 令牌的繁重工作,然后只需使用验证-jwt 策略来验证 Azure API 管理中的一切正常.这样做的好处是我可以或多或少地省略后端服务中的身份验证.
My scenario is the following: In order to secure a Web API I want to manage with Azure API Management, I want to leverage AAD's OAuth functionality to do the heavy lifting regarding authentication and issuing JWT Tokens, and then just use the validate-jwt policy to verify everything is okay in Azure API Management. This has the advantage I can more or less omit authentication in my backend service.
只要我在 Azure AD 中为消费 Web 应用程序创建了一个应用程序,这就可以正常工作,但这必须从 Azure 门户手动完成;Azure APIm 不会自动执行此操作.
This works fine, as long as I have created an application in the Azure AD for the consuming web application, but this has to be done manually from the Azure Portal; Azure APIm does not do it automatically.
现在,我想自动完成任务:我想将 APIm 中的 API 订阅委托给我正在编写的其他 Web 应用程序,然后我想利用 Graph API 创建一个应用程序在 Azure AD 中并授予对 API 应用程序的权限.
Now for what I am trying to do to get the done automatically: I wanted to delegate the subscription to APIs in APIm to some other web app I am writing, and from there I want to leverage the Graph API to create an Application in the Azure AD and grant permissions to the Application of the API.
我尝试做的第一件事是让第三个应用程序(我的服务应用程序)拥有对 Azure AD 中的 Windows Azure Active Directory 应用程序的完全应用程序权限;这让我的应用程序可以使用 Graph REST API 访问 AAD.我设法使用 client_credentials 授权(来自 login.microsoft.com)获得访问令牌,但此令牌不允许我在 https://graph.windows.net 上执行 :POST/(我的 AAD ID)/applications?api-version=1.5
The first thing I tried to do was to have a third application (my service application) to have full application permissions to the Windows Azure Active Directory application in the Azure AD; this lets my application access AAD using the Graph REST API. I manage to get an Access Token using the client_credentials grant (from login.microsoft.com), but this Token does not let me do a POST on https://graph.windows.net/(my AAD ID)/applications?api-version=1.5:
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
}
}
我发现 (https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes),即使我授予 Directory.ReadWrite.All 权限,应用程序(仅限应用程序)将无法创建或更新应用程序:
I found (https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes) that even if I grant the Directory.ReadWrite.All permission, the application (app-only) will not be able to create or update Applications:
注意:特别排除上面未列出的实体的创建或更新.这包括:应用程序、Oauth2PermissionGrant、AppRoleAssignment、设备、ServicePrincipal、TenantDetail、域等
Note: Specifically excludes create or update for entities not listed above. This includes: Application, Oauth2PermissionGrant, AppRoleAssignment, Device, ServicePrincipal, TenantDetail, domains, etc.
我接下来尝试的是资源所有者密码授予 (grant_type=password),另外传递我自己的凭据,以便我可以在 Graph API 中模拟自己.现在,我到 applications 端点的 POST 成功.
The next thing I tried was the Resource Owner Password Grant (grant_type=password), passing my own credentials additionally, so that I can impersonate myself in the Graph API. Now, my POST to the applications end point succeeds.
我的基本问题是:我能否向我的应用程序授予足够的权限,以便我可以使用客户端凭据流以编程方式添加应用程序,而不是任何代表用户操作的流?如果是这样,它是如何完成的?
My bottom-of-the-line question is: Can I grant sufficient permissions to my application so that I can add applications programmatically using the client credentials flow, and not any flow which acts on behalf of a user? And if so, how is it done?
推荐答案
对不起,唐.我们目前没有可用于创建应用程序或服务主体或创建任何 oauth2 权限授予(或您通过目录在上面提到的任何其他实体)的客户端凭据流(仅限应用程序)的任何权限范围.读写.所有权限).我们正在开发额外的仅限应用的权限,让您能够点亮这个场景,但我没有可以给您的预计到达时间.
Sorry Don. We don't currently have any permission scopes for the client credential flow (app-only) that can be used to create applications or service principals or create any oauth2 permission grants (or any of the other entities that you mentioned above through the Directory.ReadWrite.All permission). We are working on additional app-only permissions that will enable you to light up this scenario, but I don't have an ETA that I can give you.
如果您使用应用程序+用户(代码流)并授予应用程序 Directory.AccessAsUser.All 权限,则此操作应该是可能的 - 只要有用户使用您的应用程序并且他们是租户管理员.不确定这是否是您可以接受的解决方法(我猜这与您使用的密码流程类似 - 尽管我建议您使用此处的代码流程).
This operation should be possible if you use the app+user (code flow) and grant the app the Directory.AccessAsUser.All permission - as long as there is a user using your app AND that they are a tenant admin. Not sure if this is an acceptable workaround for you (and I guess is similar to what you are using with the password flow - although I would recommend you use the code flow here).
更新:我们为 AAD Graph 添加了一些新的仅限应用的权限.Application.ReadWrite.OwnedBy(它允许一个应用程序创建/拥有另一个应用程序——但只更新它创建的应用程序——它不能接触它不拥有的任何其他应用程序)和 Application.ReadWrite.All(它允许应用创建/管理租户中的所有应用).好像第一个比较合适.您可以在 AAD 的 Azure 门户中看到这些显示图资源.
UPDATE: There are a couple of new app only permissions we added for AAD Graph. Application.ReadWrite.OwnedBy (which allows an app to create/own another app - but only update the apps it created - it won't be able to touch any other apps it doesn't own) AND Application.ReadWrite.All (which allows an app to create/manage ALL apps in a tenant). Seems like the first one would be appropriate. You can see these show in the Azure Portal for the AAD Graph resource.
这篇关于使用客户端凭据流在 Azure AD 中以编程方式添加应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
