Azure Active Directory-如何将后端API应用程序注册限制为特定的客户端应用程序注册 [英] Azure Active Directory - How to restrict Backend API App Registration to a specific client App Registration
问题描述
我可能完全不了解这是如何工作的,但这是我要实现的目标。
I could be completely off basis here on how this works, but this is what I'm looking to achieve.
在AAD中,我有
- 一个名为
backend-api的应用程序注册,代表HTTP API - 一个名为
frontend-app的应用程序注册,它代表一些客户端(比如说一个控制台应用程序) - 一个名为
另一个应用,与我的解决方案无关
- an App Registration called
backend-apithat represents an HTTP API - an App Registration called
frontend-appthat represents some client (lets say a console app) - an App Registration called
another-appthat represents nothing related to my solution
我有一个控制台应用程序在其中将我的客户ID和客户机密放入 frontend-app 中,然后我可以使用<$来请求 access_token 后端api 的c $ c> aud 。这太好了,正是我想要的。但是,如果我具有该应用程序的客户端ID和客户端密码,则可以从另一个应用程序进行相同的操作。 我要完成的是,仅允许 frontend-app 获得 access_token c $ c> backend-api 。
I have a console application where I put my client ID and client secret in for frontend-app and I can request an access_token with the aud of backend-api. This is great, exactly what I want. However, I can litterally do the same thing from another-app if I have the client ID and client secret for that app. What I would like to accomplish is that only frontend-app is allowed to get an access_token for backend-api.
我不太确定如何配置该特定要求。我以为可能需要为 allowedMemberTypes Application appRoles 条目c>在后端API 上,然后向 frontend-app 授予该角色,但对另一个应用程序。同样,我认为也许 backend-api 需要在企业应用程序下选中需要用户登录选项,但是我找不到添加
I'm not quite sure how to go about configuring that specific requirement. I thought maybe I needed to add an appRoles entry for allowedMemberTypes Application on backend-api and then grant frontend-app that role but that didn't apply any restriction to another-app. Likewise I thought maybe backend-api needed to have it's "Require User Signin" option checked under Enterprise Applications, but I couldn't find a way to add frontend-app as a "user" -- probably the wrong direction anyhow.
如何告诉AAD仅为后端API 发放 access_tokens (声明为 aud )如果仅通过 frontend-app 请求它们?也许这是一个愚蠢的问题,而且这样行不通吗?
What's the way to tell AAD to only hand out access_tokens for backend-api (aud claim) if they are being requested via frontend-app only? Maybe that's a silly question, and it just doesn't work this way?
推荐答案
您正考虑在<$ c $中添加 appRoles 条目的正确方法c> backend-api ,然后将角色专门分配给 frontend-app 。
You are on the right path with your thinking about adding appRoles entry to backend-api and then assigning the role specifically to frontend-app.
另外,请理解,强制执行此要求,即仅允许使用具有此新角色声明的应用程序,而其他应用程序则不是您的API代码的责任。
Additionally, understand that enforcing this requirement that only applications coming in with this new role claim are allowed but others aren't is a responsibility of your API code.
接下来我将介绍2种具体方法。这两种方法都在此处的Microsoft文档中进行了说明- Microsoft身份平台和OAuth 2.0客户端凭据流
I'll get to 2 specific approaches next. Both the approaches are explained on Microsoft Docs here - Microsoft identity platform and the OAuth 2.0 client credentials flow
方法1-使用应用程序权限或角色
配置您的API应用程序以公开一组应用程序权限(或角色)。
Configure your API application to expose a set of application permissions (or roles).
这种方法更具声明性,因为您定义了一个应用程序权限,该权限需要分配给可以调用您的 backend-api 的任何应用程序。
This approach is a little more declarative, as you define an application permission that needs to be assigned to any application that can call your backend-api.
导航到Azure Active Directory>应用程序注册> backend-api 应用程序的应用程序注册>清单
Navigate to Azure Active Directory > App Registrations > App registration for your backend-api app > Manifest
添加一个新的应用程序角色..使用json,如下所示:
Add a new application role.. using json like this:
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"displayName": "Can invoke my API",
"id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
"isEnabled": true,
"description": "Apps that have this role have the ability to invoke my backend API",
"value": "MyAPIValidClient"
}]
将应用程序权限分配给您的前端应用
Assign the app permission to your frontend app
New-AzureADServiceAppRoleAssignment -ObjectId <frontendapp.ObjectId> -PrincipalId <frontendapp.ObjectId> -Id "fc803414-3c61-4ebc-a5e5-cd1675c14bbb" -ResourceId <yourbackendapi.ObjectId>
使用客户端凭据授予(即,使用clientId和client secret)将前端应用程序认证为后端api。
Authenticate your frontend app to backend api using client credentials grant, i.e. using clientId and client secret.. as you're probably already doing.
现在,在后端api收到的身份验证令牌中,您可以检查角色声明集合必须包含名为 MyAPIValidClient的角色
Now, in the auth token received by your backend api, you can check that the role claims collection must contain a role named "MyAPIValidClient" otherwise you can reject the call with Unauthorized exception.
方法2-使用访问控制列表
当后端API收到令牌时,它可以解码令牌并从 appid 和 iss 索赔。然后,它将应用程序与其维护的访问控制列表(ACL)进行比较。
When your backend API receives a token, it can decode the token and extract the client's application ID from the appid and iss claims. Then it compares the application against an access control list (ACL) that it maintains.
根据您的要求,API可能只授予部分完全权限或所有权限以授予一个特定的客户。
Depending on your requirement, API might grant only a subset of full permissions or all permissions to a specific client.
在某些情况下,第二种方法似乎更简单,尽管我更喜欢第一种方法,因为当您具有多个应用程序权限/角色和不同级别时,它可以很好地扩展这些角色所提供的功能。
This 2nd approach may seem like a simpler one for some cases, although I like the first one better as it scales well when you have multiple application permissions/roles and different level of functionality to provide based on those roles.
相关的SO帖子和参考
Microsoft Docs- Microsoft身份平台和OAuth 2.0客户端凭据
流
Microsoft Docs - Microsoft identity platform and the OAuth 2.0 client credentials flow
这篇关于Azure Active Directory-如何将后端API应用程序注册限制为特定的客户端应用程序注册的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
