通过 API 授予 OAuth2 资源所有者密码 [英] OAuth2 Resource Owner Password Grant via API
问题描述
我目前正在构建一个需要 OAuth2 的 API,但找不到可以仅通过 RESTful API 在本机移动应用程序中处理单点登录的库.我发现的大多数只有一个网络弹出窗口,该项目已被否决.目前正在运行的 B2C 无法使用 ROPG.有没有办法通过使用 C#.NET 和 Azure 的另一个库轻松设置它?
I am currently building an API which requires OAuth2, but cannot find a library to use that will handle the single sign on in a native mobile app via RESTful API only. Most I've found only have a web popup, which has been vetoed for this project. B2C, which is currently functioning, is not capable of using ROPG. Is there a way to easily set this up with another library using C#.NET and Azure?
更新:
根据下面的 Fei Xue 回答尝试使用 B2C,我们已经从 Microsoft Graph 获取访问令牌.在 POST 的正文中,我们执行了以下操作:
Attempting to use B2C per Fei Xue answer below, we got to the point of getting an access token from Microsoft Graph. In the body of the POST, we did the following:
resource=https%3A%2F%2FGraph.windows.net&client_id=[B2C 设置 -应用 -AppId]&grant_type=password&username=rob%40[tenant].onmicrosoft.com&password=[password]&client_secret=[B2C 设置 - 应用程序 - 应用密钥 - client_secret]
resource=https%3A%2F%2FGraph.windows.net&client_id=[B2C Settings - Applications - AppId]&grant_type=password&username=rob%40[tenant].onmicrosoft.com&password=[password]&client_secret=[B2C Settings - Applications - App Key - client_secret]
我们的命名空间错误是由于我们尝试的用户名造成的.这是一个使用电子邮件作为用户名的 B2C 租户,这就是命名空间错误的原因.我们克服该错误的唯一方法是创建一个电子邮件地址以租户结尾的 B2C 用户,如下所示:
Our error with the namespace was due to the usernames we were trying. This is a B2C tenant using email as the username and that was the reason for the namespace error. The only way we got past that error was to create a B2C user with the email address ending in the tenant, like so:
rob@[tenant].onmicrosoft.com
rob@[tenant].onmicrosoft.com
我们现在正在获取访问令牌,但该令牌未通过我们的 azure 应用服务 api 应用进行身份验证,这是最初的目标.
We are getting an access token now, but that token does not authenticate with our azure app service api app, which was the original goal.
我们试图完成的是发送对 B2C 登录有效的用户名和密码,并获取对 api 应用程序有效的 IdToken 或访问令牌.api 应用通过为 AAD 配置的应用服务身份验证设置连接到 B2C,并使用 B2C 设置应用程序中的客户端 ID 和机密设置.
What we are trying to accomplish is to send the username and password that is valid for a B2C signin and get an IdToken or Access Token that is valid for the api app. The api app connects to B2C via App Service Authentication settings configured for AAD with the Client ID and secret setup from the B2C Settings Application.
更新:
尝试通过 graph.windows.net 令牌在我们的 Azure Web api 中进行身份验证,我们在 https 中添加://Graph.windows.net 在我们的应用服务 - 身份验证 - Active Directory 身份验证配置中允许令牌受众.
Attempting to pass through the graph.windows.net token for authentication in our Azure web api, we added in the https://Graph.windows.net allowed token audience in our App Service – Authentication – Active Directory Authentication configuration.
但是,将 Bearer 标头中的图形访问令牌传递给 API 仍然会导致
However, passing the graph access token in the Bearer header to the API still results in
此请求的授权已被拒绝".
"Authorization has been denied for this request".
发现如果我们像下面的例子一样将 Issuer Url 设为空白,它现在接受 Graph 令牌!
Found out that if we make the Issuer Url blank like in the example below, it now accepts the Graph token!
但是,这在尝试点击时会导致问题
However, this causes issues when trying to hit
https://[our_web_app].azurewebsites.net/.auth/login/aad
现在转到常见的 Microsoft 登录.以前它针对我们的 B2C 注册政策,因为发行人网址设置为:
It goes to the common Microsoft login now. Previously it directed to our B2C sign up in policy because the Issuer Url was set to:
事实上,如果我们也从我们的应用程序中提取策略(在删除颁发者 URL 之前工作)到登录策略,我们可以登录,但返回的访问令牌现在总是作为未授权返回Web API 调用.
In fact, if we also pull up the policy from within our app (which was working before removing the Issuer Url) to the sign in policy, we can sign in, but that returned Access Token now always comes back as Unauthorized in the web API calls.
发行人网址是否应该留空?
此外,由于将 Issuer Url 设置为空白,当我们使用 Header Authorization Bearer 中的 Graph 访问令牌发送请求时,服务器需要更长的时间来响应 API 调用.它从花费大约 1-2 秒(使用从 MSAL 或上面的 Web 登录获得的有效 B2C 访问令牌)到花费大约 10-15 秒来响应它是经过身份验证的请求.这种速度对我们来说是个障碍.以这种方式验证图形调用通常需要这么长时间吗?
Also, since making the Issuer Url blank, the server takes much longer to respond to API calls when we send a request using a Graph access token in the Header Authorization Bearer. It went from taking about 1-2 seconds (using a valid B2C access token obtained from MSAL or the web login above) to taking about 10-15 seconds to respond that it is an authenticated request. That kind of speed is a show stopper for us. Does validating a graph call in this manner normally take this long?
推荐答案
该功能现已提供预览版并且运行良好:
The feature is now available in preview and works pretty well:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-ropc
重要提示:文档中提到的 POST url 是错误的.
https://login.microsoftonline.com/{{Aad_Tenant}}/b2c_1_ropc_auth/oauth2/v2.0/
必须是:
https://login.microsoftonline.com/{{Aad_Tenant}}/oauth2/v2.0/token?p=b2c_1_ropc_auth
调用应用程序必须启用本地客户端,否则会出现此错误:
The calling application must have native client enabled, otherwise you will get this error:
AADB2C90224:尚未为应用程序启用资源所有者流.
AADB2C90224: Resource owner flow has not been enabled for the application.
这篇关于通过 API 授予 OAuth2 资源所有者密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
