Manage user from Azure AD B2C using AD Graph API - secure access


Question

We are building Xamarin Native mobile apps and using Azure AD B2C for authenticating users using their social logins.

We decided to use the MSAL native library (Xamarin) for authenticating using B2C. And our mobile app is required to manage (full access) the signed-in user profile. Since this feature isn't available in MSAL we have decided to go with ADAL for the time being. Followed the instructions provided in the link below and the sample works. But I started experimenting by deleting the API access provided in the application (created in the B2C tenant) and then ran the application with the "Get-user" parameter. And the application is still able to get the users from AD. Not sure how secure this thing is?

Then I deleted the application key from the B2C tenant application and ran the console application sample. And received an error: AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.
Trace ID: cef09957-06bf-462e-a0c3-4ed6bae11e00
Correlation ID: afab126d-8694-479a-8a21-c12eb7cb176c

https://docs.microsoft.com/zh-cn/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet

Any idea why this is happening? I would like to implement this on a xamarin.ios app and any guidance is much appreciated.

Answer

The answer to this is very similar to the answer to your other question, Exception access Azure AD B2C using ADAL library for user management, which can be summarized as:

Azure AD B2C does not yet support delegated permissions to the Azure AD or Microsoft Graph. The correct way to work around this limitation at this time is to have your native client application call a web API (using MSAL), which would in turn call the Graph API (using ADAL). This web API is an API you build which has authorization logic to scope the user management operations.

Once user management in Azure AD B2C is supported via the Microsoft Graph, you won't need this API and will be able to use delegated permissions (vs. application permissions using client credentials) to have your native client application talk directly to the Microsoft Graph. In the interim, you'll have to stand up your own web API as per the guidance above.

UPDATE: the Azure AD v2.0 endpoint and Microsoft Graph API now support the client credentials flow, so you can also use MSAL for your Microsoft Graph API calls. However, if you need to call the Azure AD Graph, then you will still need to use ADAL.
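To make the "web API with authorization logic" pattern from this answer concrete, here is an added example (not code from the original question, the answer, or the linked Microsoft sample) of the authorization layer such an API would put in front of its Azure AD Graph calls. The client-credentials token request and the app secret live only on this server, which is the security point behind the answer: whoever holds the application key gets application-level access to the whole directory (as the question observed when the key was deleted and calls stopped working), so the key must never be shipped inside the Xamarin app. Assumptions: the web framework has already validated the B2C access token's signature, issuer and audience and hands over its claims as a dict; `oid` and `exp` are the standard claim names; the tenant name, app id, secret and user ids are placeholders; the policy here is self-service only (a user may read or update only their own object and only a short list of attributes).

```python
"""
Hypothetical user-management web API layer between a Xamarin client (which
authenticates to it with a B2C token obtained via MSAL) and the Azure AD Graph
(which this API calls with application credentials, the client-credentials
grant the answer refers to). Added example; assumptions are noted inline.
"""
import time
from urllib.parse import urlencode

TENANT = "contoso.onmicrosoft.com"                      # placeholder tenant
GRAPH_RESOURCE = "https://graph.windows.net/"           # Azure AD Graph resource
API_VERSION = "1.6"                                     # Azure AD Graph API version
APP_ID = "00000000-0000-0000-0000-000000000000"         # placeholder app id
APP_SECRET = "server-side-secret-never-shipped-in-app"  # placeholder secret

# Attributes a signed-in user may change on their own object (policy choice).
SELF_WRITABLE = {"displayName", "givenName", "surname"}
ALLOWED_OPERATIONS = {"get", "patch"}


class Forbidden(Exception):
    """Raised when the policy denies the requested user-management operation."""


def authorize(claims, target_object_id, operation, patch=None, now=None):
    """Self-service policy: the caller may read or update only the object whose
    id equals the token's oid claim, and may only patch SELF_WRITABLE attributes.
    Everything else is denied, so the app-only Graph credential on the server
    never acts on other users on behalf of a mobile caller."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise Forbidden("token expired")
    oid = claims.get("oid")
    if not oid or oid != target_object_id:
        raise Forbidden("callers may only manage their own profile")
    if operation not in ALLOWED_OPERATIONS:
        raise Forbidden("operation %r not permitted" % operation)
    if operation == "patch":
        bad = set(patch or {}) - SELF_WRITABLE
        if bad or not patch:
            raise Forbidden("attributes not self-writable: %s" % sorted(bad))
    return True


def client_credentials_request():
    """Token request the API (never the mobile app) sends to get an app-only
    Azure AD Graph token: the v1 token endpoint with grant_type=client_credentials."""
    url = "https://login.microsoftonline.com/%s/oauth2/token" % TENANT
    form = {
        "grant_type": "client_credentials",
        "client_id": APP_ID,
        "client_secret": APP_SECRET,
        "resource": GRAPH_RESOURCE,
    }
    return url, urlencode(form)


def graph_request(app_token, target_object_id, operation, patch=None):
    """Build the outbound Azure AD Graph call for an already-authorized operation."""
    url = "%s%s/users/%s?api-version=%s" % (
        GRAPH_RESOURCE, TENANT, target_object_id, API_VERSION)
    headers = {"Authorization": "Bearer " + app_token}
    if operation == "get":
        return {"method": "GET", "url": url, "headers": headers, "body": None}
    headers["Content-Type"] = "application/json"
    return {"method": "PATCH", "url": url, "headers": headers, "body": dict(patch)}


def handle_request(claims, target_object_id, operation, patch=None,
                   app_token="<app-token>", now=None):
    """One API call: authorize against the caller's claims first, then build
    the Graph call that is sent with the server-held application token."""
    authorize(claims, target_object_id, operation, patch, now)
    return graph_request(app_token, target_object_id, operation, patch)


if __name__ == "__main__":
    # Constructed claims, as a B2C token for this user would carry them.
    claims = {"oid": "11111111-1111-1111-1111-111111111111",
              "exp": time.time() + 600}
    print(handle_request(claims, claims["oid"], "patch", {"displayName": "Jane"}))
    try:
        handle_request(claims, "22222222-2222-2222-2222-222222222222", "get")
    except Forbidden as err:
        print("denied:", err)
```

The real HTTP calls are left out so the block runs offline; the returned dicts are what you would hand to your HTTP client. The shape is the one the answer describes: the B2C token only ever authorizes a narrow operation on the caller's own object, while the broad application permission stays behind the API.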

