Exception access Azure AD B2C using ADAL library for user management


Question



Since Microsoft Graph API doesn't have the feature to manage B2C AD Users, from one of the docs we have been asked to use ADAL which required to create a special application in the Azure AD B2C tenant. Created an application key to provide API access from the xamarin.ios app.

    AuthenticationContext authContext = new AuthenticationContext(authority);
    credential = new ClientCredential(clientId, GraphClientSecret);
    authResult = await authContext.AcquireTokenAsync(graphResourceUri, credential);

At the AcquireTokenAsync call we are getting an exception

 AcquireTokenHandlerBase.cs: System.NullReferenceException: Object reference not set to an instance of an object at Microsoft.IdentityModel.Clients.ActiveDirectory.BrokerHelper.get_CanInvokeBroker () [0x0000c] in <786d1e888b334ad993ac80d2bc3b6e92>:0 
  at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase+<RunAsync>d__55.MoveNext () [0x00389] in <97581c6894a642ef95d008cded8ad4ac>:0 

If I change that call to removing the credentials, I just get a login screen.

Packages used:

Sample was taken from Sample from Docs

Any help would be greatly appreciated.

Solution

You should NOT call the Graph API using Client Credentials from a native client application (such as a Xamarin/iOS app). This is a HUGE security hole. Client applications are inherently insecure, anyone can reflect the code and grab a hold of your client_id and client_secret which they can use to create/update/delete users in your Azure AD B2C tenant.

Your native client application should call a web API which would in turn call the Graph API. This web API (link to sample) is an API you build which has authorization logic to scope the user management operations.

Once user management in Azure AD B2C is supported via the Microsoft Graph and MSAL, you won't need this API and will be able to use delegated permissions (vs application permissions using client credentials) to have your native client application talk directly to the Microsoft Graph. In the interim, you'll have to stand up your own Web API as per the guidance above.
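The middle-tier pattern the answer recommends, as an added illustration (example code, not the answerer's linked sample): a minimal ASP.NET Core controller that holds the client secret in server configuration, requires a validated B2C user token from the native app, and limits the Graph operation to the caller's own account. The controller name, the `B2C:*` configuration keys and the Azure AD Graph URL shape are assumptions.

```csharp
// Added example: the native app calls this API with the signed-in user's token;
// only this API ever sees the client secret and talks to the Graph API.
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL, as used in the question

[ApiController]
[Route("api/users")]
[Authorize] // JwtBearer middleware must validate issuer/audience of the B2C user token
public class GraphProxyController : ControllerBase   // assumed name
{
    private readonly IConfiguration _config;
    private readonly IHttpClientFactory _httpFactory;

    public GraphProxyController(IConfiguration config, IHttpClientFactory httpFactory)
    {
        _config = config;
        _httpFactory = httpFactory;
    }

    // DELETE api/users/me : the only user the caller may delete is the one in their own token.
    [HttpDelete("me")]
    public async Task<IActionResult> DeleteSelf()
    {
        // Object id comes from the validated token, never from the request body,
        // so a caller cannot point the operation at someone else's account.
        string objectId = User.FindFirst("oid")?.Value
            ?? User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
        if (string.IsNullOrEmpty(objectId)) return Forbid();

        // Client credentials flow runs here, server side; the secret is read from
        // configuration (Key Vault / environment) and is never shipped in the mobile app.
        var authContext = new AuthenticationContext(_config["B2C:Authority"]);
        var credential = new ClientCredential(_config["B2C:ClientId"], _config["B2C:GraphClientSecret"]);
        AuthenticationResult graphToken =
            await authContext.AcquireTokenAsync(_config["B2C:GraphResourceUri"], credential);

        // Azure AD Graph user endpoint (assumed URL shape; tenant name from configuration).
        string url = $"{_config["B2C:GraphResourceUri"]}/{_config["B2C:TenantName"]}/users/{objectId}?api-version=1.6";
        var request = new HttpRequestMessage(HttpMethod.Delete, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", graphToken.AccessToken);

        HttpResponseMessage response = await _httpFactory.CreateClient().SendAsync(request);
        return response.IsSuccessStatusCode ? NoContent() : StatusCode((int)response.StatusCode);
    }
}
```

Administrative operations on other users would need an explicit role or scope check in the same place, rather than being exposed to every authenticated caller.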
