如何获得对AAD下游服务令牌 [英] How to get a token for downstream service in AAD

问题描述

我有，我用<一个MVC应用程序href=\"https://msdn.microsoft.com/en-us/library/microsoft.owin.security.openidconnect.openidconnectauthenticationmiddleware(v=vs.113).aspx\"相对=nofollow> OpenIdConnectAuthenticationMiddleware 验证对AAD用户。这MVC应用程序使用需要用户的身份验证方面的几个后端服务。

I have an MVC application in which I use OpenIdConnectAuthenticationMiddleware to authenticate the user against AAD. This MVC application uses a few backend services that require the user's authentication context.

如果我在AAD分别注册这些服务，我可以用得到他们一个暗号
AuthenticationContext.AcquireTokenSilentAsync 。但AAD分别注册这些服务似乎是错误的，因为他们将要求用户同意分别向他们（他们是真正的应用程序的一部分）。

If I register these services separately in AAD, I can get a token for them using AuthenticationContext.AcquireTokenSilentAsync. But registering these services separately with AAD seems wrong as they would require the user to consent to them separately (they are really part of the application).

所以我想用JWT令牌我从AAD当用户身份验证和使用，作为承载令牌来调用下游服务。我认识到，这些服务需要有相同的观众为MVC应用程序。

So I'd like to use the JWT token I got from AAD when the user authenticated and use that as the bearer token for calling the downstream services. I realize that these services need to have the same audience as the MVC application.

但我怎么得到JWT令牌。该ClaimPrincipal的第一身份不具有引导环境。

But how do I get that JWT token. The ClaimPrincipal's first identity does not have a bootstrap context.

推荐答案

请注意，有您的服务承认令牌与同观众打开你到令牌转发攻击。我不会建议。此外，同意应以单页和一个单一的点击发生 - 因此，在用户的影响方面确实没有太大的区别。
那说。如果你是在它真正建立，您可以通过切换到真正的标志SaveSignInToken执行在bootstrapcontext令牌的presence。见

Please note that having your services admit tokens with the same audience opens you up to token forwarding attacks. I would not recommend that. Also, the consent should happen in a single page and with a single click - hence in terms of user impact there isn't really much difference. That said. If you are really set in it, you can enforce the presence of the token in the bootstrapcontext by switching to true the flag SaveSignInToken. See

app.UseOpenIdConnectAuthentication（
            新OpenIdConnectAuthenticationOptions
            {
                客户端Id =客户端ID，
                管理局=权威，
                TokenValidationParameters =新System.IdentityModel.Tokens.TokenValidationParameters {SaveSigninToken = TRUE}，
                PostLogoutRedirectUri = postLogoutRedirectUri
            }）;

app.UseOpenIdConnectAuthentication( new OpenIdConnectAuthenticationOptions { ClientId = clientId, Authority = authority, TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters{SaveSigninToken=true}, PostLogoutRedirectUri = postLogoutRedirectUri });

这篇关于如何获得对AAD下游服务令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！