Create an Application that Authenticates against O365 Azure AD with OpenIdConnect


Problem description

I've got an application I'm creating for use with Office 365 accounts (it will be multi-tenant). I'm looking to use OpenID Connect for authentication. I do not need regular Microsoft accounts working.

I've tried creating an application at: https://portal.azure.com -> Azure Active Directory -> App Registrations

As well as: https://manage.windowsazure.com -> Active Directory -> Applications

These did not appear to work for OpenId Connect.

Creating an app at: https://apps.dev.microsoft.com

Did work for OpenId Connect.

Can someone please help advise:

  1. What is the difference between these different URLs?
  2. Is it possible to run OpenID Connect from an application registered on one of the Azure sites, so that all my Azure things are centralized in one place?

Recommended answer

When you create a new app in https://portal.azure.com there is no service principal created for you in your local tenant. When you do the first authorize request to your app, the service principal gets created in your local AD tenant. See http://www.cloudidentity.com/blog/2016/10/04/provision-an-app-created-on-portal-azure-com-in-your-own-tenant/ for more information.

If you create an app using the classic portal, both the application object and the service principal are created.

To verify your issue I created a new app using the modern portal, https://portal.azure.com, and opened

GET https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id={application_id}
&response_type=id_token
&redirect_uri=http%3A%2F%2Flocalhost%2F
&response_mode=form_post
&scope=openid
&state=12345
&nonce=7362CAEA-9CA5-4B43-9BA3-34D7C303EBA7

in a browser while having Fiddler running in the background.

Note: replace {tenant}, {application_id} and the redirect_uri with your Azure AD tenant id (GUID) and your application ID (also a GUID). state and nonce are required but can have any value.

When you open the URL in a browser, it will first ask the user to consent to the app, and if successful make a postback to the redirect_uri with the id_token.

See https://azure.microsoft.com/zh-cn/documentation/articles/active-directory-protocols-openid-connect-code/ for more information on performing OpenID Connect requests.

You can also create a new app using https://apps.dev.microsoft.com. You should use this page to register new apps if you want to take advantage of the v2.0 endpoint and authentication protocol. See https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-limitations/ for more information.
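The answer above shows the authorize request with fixed state and nonce values and says they "can have any value". In a real relying party those two values are the checks that tie the posted id_token back to the login attempt that requested it: state defends the redirect_uri handler against cross-site request forgery, and nonce lets the app reject an id_token that was not minted for this particular request. The following example is added here and is not code from the question or the answer; it builds the same v1 authorize URL with random state and nonce, then validates a form_post callback the way a server-side handler would. The tenant id, application id and the sample id_token are constructed placeholder values, and the issuer format https://sts.windows.net/{tenant}/ is the v1 endpoint's issuer for a single-tenant app. Signature verification against the tenant's published signing keys is left as a pluggable hook (verify_signature) because it needs network access to the keys; the claim checks are what this example demonstrates.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode

# Same endpoint the answer's GET request targets (Azure AD v1 endpoint).
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/authorize"


def build_authorize_request(tenant, client_id, redirect_uri):
    """Build the authorize URL from the answer, but with random state and nonce.

    Returns (url, session_state). session_state must be stored server-side
    (typically in the user's session) so the callback can be checked against it.
    """
    state = secrets.token_urlsafe(24)   # binds the callback to this browser session
    nonce = secrets.token_urlsafe(24)   # binds the id_token to this login attempt
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "redirect_uri": redirect_uri,    # urlencode produces http%3A%2F%2Flocalhost%2F
        "response_mode": "form_post",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    url = AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)
    return url, {"state": state, "nonce": nonce}


def _b64url_decode(segment):
    """Decode base64url without padding, as used in compact JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token_claims(id_token):
    """Return the payload claims of a compact JWS. Does NOT check the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def validate_callback(form, session_state, tenant, client_id, now=None, verify_signature=None):
    """Validate the form_post callback and return the id_token claims, or raise ValueError.

    form: the POSTed form fields (state, id_token) from the redirect_uri request.
    verify_signature: optional callable(id_token) -> bool that checks the JWS
    signature against the tenant's signing keys; production code must supply one.
    """
    now = time.time() if now is None else now
    if form.get("state") != session_state["state"]:
        raise ValueError("state mismatch: callback does not belong to this session")
    id_token = form.get("id_token")
    if not id_token:
        raise ValueError("no id_token in callback")
    if verify_signature is not None and not verify_signature(id_token):
        raise ValueError("id_token signature rejected")
    claims = decode_id_token_claims(id_token)
    if claims.get("nonce") != session_state["nonce"]:
        raise ValueError("nonce mismatch: id_token was not issued for this login attempt")
    if claims.get("aud") != client_id:
        raise ValueError("audience mismatch: id_token is for another application")
    # v1 endpoint issuer for a single-tenant app; a multi-tenant app must instead
    # derive the expected issuer from the tid claim and an allow-list of tenants.
    if claims.get("iss") != f"https://sts.windows.net/{tenant}/":
        raise ValueError("unexpected issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def callback_rejection_reason(form, session_state, tenant, client_id, now=None):
    """Convenience wrapper: None if the callback validates, else the rejection reason."""
    try:
        validate_callback(form, session_state, tenant, client_id, now=now)
        return None
    except ValueError as exc:
        return str(exc)


def make_constructed_id_token(claims):
    """Constructed sample token with a dummy signature, for exercising the claim
    checks offline. It is not a token issued by Azure AD."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'demo', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    # Placeholder GUIDs, not real tenant or application ids.
    tenant, app = "11111111-2222-3333-4444-555555555555", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    url, session = build_authorize_request(tenant, app, "http://localhost/")
    print(url)
```

The state check runs before the token is even decoded, so a callback forged from another session is dropped without parsing attacker-controlled JSON. The nonce check is what distinguishes a fresh id_token from one captured earlier and posted again, which is why the fixed value in the answer is fine for a manual Fiddler test but not for a deployed handler.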
