使用 Adal 代表用户访问 Azure KeyVault [英] Using Adal for accessing the Azure KeyVault on behalf of a user

问题描述

以下是控制台应用程序和 ClientID，RedirectUri 来自天蓝色活动目录中创建的本机应用程序.

The following is in a console application and ClientID, RedirectUri is from the created native app in azure active directory.

var authContext = new AuthenticationContext(string.Format("https://login.windows.net/{0}","common"),new FileCache());
var token = authContext.AcquireToken("https://management.core.windows.net/", ClientID, RedirectUri, PromptBehavior.Auto);

我现在有了与管理 api 对话的令牌.

I now have the token for talking with management api.

 using (var client = new KeyVaultManagementClient(new TokenCloudCredentials(SubscriptionId, token.AccessToken)))
 {
     var a = client.Vaults.List(resourceGroup, 10);
     foreach(var vault in a.Vaults)
     {
           var vaultInfo = client.Vaults.Get(resourceGroup, vault.Name);
           Console.WriteLine(JsonConvert.SerializeObject(vaultInfo.Vault, Formatting.Indented));
           //Verifying that the AccessPolicies contains my object id (pasting idtoken into jwt.io and compare with oid claim) Success.

           // Now its time to talk with keyvault
           var keyvault = new KeyVaultClient(GetAccessTokenAsync);
           var secrets = keyvault.GetSecretsAsync(vaultInfo.Vault.Properties.VaultUri).GetAwaiter().GetResult();

     }

 }


 private static Task<string> GetAccessTokenAsync(string authority, string resource, string scope)
 {
         var context = new AuthenticationContext(authority, new FileCache());
        var result = context.AcquireToken(resource, new ClientCredential(AppClientId,AppKey));

        return Task.FromResult(result.AccessToken);

 }

上述方法可行，但需要我在我的 AD 上创建一个可以与密钥库对话的单独应用.我想使用自己的 ID 与 keyvault 交谈，但我不知道如何获取 keyvault 客户端所需的访问令牌.

Above works but require me to create a separate app on my AD that can talk with the keyvault. I would like to use my own ID to talk with keyvault, but I cant figure out how to get the access token that the keyvault client require.

我是否需要更新 azure manuel 上的清单并添加允许我的控制台应用程序代表用户获取 keyvault 的令牌?需要在 GetAccessTokenAsync 中更改哪些代码才能使其工作.

Do i need to update the manifest on azure manuel and adding that my console app is allowed to get a token on behalf of users to keyvault? What code is needed to be changed in GetAccessTokenAsync to make it work.

我已尝试仅从公共端点的初始令牌请求中为其提供访问或 ID 令牌.有人对如何代表我自己的 id 而不是应用程序与 azure key vault 交谈有什么建议吗?

I have tried giving it just the access or id tokens from the initial token request from the common endpoint. Do anyone have some suggestions on how to talk to azure key vault on behalf of my own id and not an app?

所以查看标题我发现我的令牌缺少 vault.azure.net 作为资源，因此尝试:

So looking at headers i found out my token was missing vault.azure.net as resource and therefore trying:

var testtoken = authContext.AcquireToken("https://vault.azure.net", ClientID, RedirectUri);

给出以下错误:

AADSTS65005:客户端应用程序已请求访问资源'https://vault.azure.net'.此请求失败，因为客户端尚未在其 requiredResourceAccess 列表中指定此资源.

AADSTS65005: The client application has requested access to resource 'https://vault.azure.net'. This request has failed because the client has not specified this resource in its requiredResourceAccess list.

并查看当前清单:

"requiredResourceAccess": [
    {
      "resourceAppId": "797f4846-ba00-4fd7-ba43-dac1f8f63013",
      "resourceAccess": [
        {
          "id": "41094075-9dad-400e-a0bd-54e686782033",
          "type": "Scope"
        }
      ]
    },
    {
      "resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
          "type": "Scope"
        }
      ]
    }
  ],

我如何知道 keyvault 的范围和 resourceAppId 使用哪些 guid?

How do i know what guids to use for scope and resourceAppId for the keyvault?

在我知道如何获取 resourceAppId 和相关信息之前，我一直在使用模拟 powershell 工具的旧技巧.

Until i know how to get the resourceAppId and related information I am using the old trick of impersonating the powershell tools.

 var vaultToken = authContext.AcquireToken("https://vault.azure.net", "1950a258-227b-4e31-a9cf-717495945fc2", new Uri("urn:ietf:wg:oauth:2.0:oob"));
 var keyvault = new KeyVaultClient((_, b, c) => Task.FromResult(vaultToken.AccessToken));    
 var secrets = keyvault.GetSecretsAsync(vaultInfo.Vault.Properties.VaultUri).GetAwaiter().GetResult();

来源:http://www.s-innovations.net/Blog/2014/02/12/Controlling-the-login-flow-when-using-ADAL-for-WAML在使用 powershells clientid 之前，还请阅读博客文章中的@bradygaster 评论.

source: http://www.s-innovations.net/Blog/2014/02/12/Controlling-the-login-flow-when-using-ADAL-for-WAML Please also read @bradygaster comment at the blog post before using the powershells clientid.

推荐答案

你在正确的轨道上！您需要将 AAD 配置为能够专门授权用户访问 KeyVault.尝试将以下内容添加到您的清单中.

You're on the right track! You need to configure AAD to be able to authorize users specifically for access to KeyVault. Try adding the following to your manifest.

{
      "resourceAppId": "cfa8b339-82a2-471a-a3c9-0fc0be7a4093",
      "resourceAccess": [
        {
          "id": "f53da476-18e3-4152-8e01-aec403e6edc0",
          "type": "Scope"
        }
      ]
}

如果这不起作用，您可以通过访问 旧门户 以老式方式执行此操作，导航到 AAD、您的 AAD 租户、您的应用程序，并在配置"选项卡的对其他应用程序的权限"部分下添加Azure Key Vault".

If that doesn't work, you can do this the old-fashioned way by visiting the old portal, navigating to AAD, your AAD Tenant, your application, and adding "Azure Key Vault" under the "permissions to other applications" section of the "Configure" tab.

这篇关于使用 Adal 代表用户访问 Azure KeyVault的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！