在ASP.NET Core 2.0中授权一项应用程序服务与另一项应用程序服务(无用户交互) [英] Authorize one app service from another (no user interaction) in ASP.NET Core 2.0

问题描述

我在面向Internet的Azure(PubWeb)中有一个Web API应用程序，因此可以在任何地方使用它.我创建了一个Web API(再次在Azure中，我们称其为InWeb).我想要严格的安全规则:

I have a Web API app in Azure facing internet (PubWeb), so it's used from anywhere. And I created a Web API (again, in Azure, let's call it InWeb). And I want strong security rules:

1. InWeb必须仅由PubWeb使用.这可能涉及一些网络安全性-这是一个简单的部分(在Azure中).
2. PubWeb必须获得Azure AD的某种授权才能使用InWeb服务.想到服务主体，证书等.但是我不确定.

那么2的最佳解决方案是什么?

So what's the best possible solution for 2?

更新-这是InWeb Core 2.0身份验证设置:

UPDATE - here's InWeb Core 2.0 Auth setup:

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddAzureAdBearer(options => Configuration.Bind("AzureAd", options));

    services.AddMvc(options => { options.InputFormatters.Add(new TextPlainInputFormatter()); });
}

推荐答案

您将不得不将两个API都注册为Azure AD中的应用程序.这可以通过Azure Active Directory刀片服务器的应用程序注册来完成.

You will have to register both APIs as applications in Azure AD. This can be done from the Azure Active Directory blade's App registrations.

现在，我假设未使用Azure AD承载令牌对对PubWeb的调用进行身份验证.这意味着您唯一的选择是在调用InWeb时使用应用程序权限和客户端凭据授予.

Now I assume the calls to PubWeb are not authenticated with Azure AD bearer tokens. That means your only option is to use application permissions and the client credentials grant when calling InWeb.

要定义应用程序许可权，必须在InWeb的清单中添加应用程序角色".您可以通过单击Azure AD中InWeb应用程序刀片中的清单"按钮来打开清单.

To define an application permission, you must add an "app role" to InWeb's manifest. You can open the manifest by clicking the Manifest button in the InWeb application's blade in Azure AD.

以下是示例应用角色:

"appRoles": [
{
  "allowedMemberTypes": [
    "Application"
  ],
  "displayName": "Read all things",
  "id": "32028ccd-3212-4f39-3212-beabd6787d81",
  "isEnabled": true,
  "description": "Allow the application to read all things as itself.",
  "value": "Things.Read.All"
}
],

您应该为其生成一个新的ID，并将显示名称和描述设置为所需的任何名称. 值是PubWeb调用InWeb时令牌中将出现的值.

You should generate a new id for it, and set the display name and description to whatever you want. The value is what will be present in the token when PubWeb calls InWeb.

现在，您必须转到PubWeb的刀片服务器，然后转到必需"权限.

Now you have to go PubWeb's blade, and go to Required permissions.

必须在其中添加->选择InWeb->勾选刚定义的应用程序权限.

There you must go to Add -> Select InWeb -> Tick the application permission you just defined.

然后单击授予权限.现在PubWeb有权调用InWeb.

And then click Grant permissions. Now PubWeb has rights to call InWeb.

您还需要为PubWeb生成密钥/客户端机密.那实际上是它的密码.您还将需要PubWeb的客户端ID/应用ID.

You will also need to generate a key/client secret for PubWeb. That is essentially its password. You will also need the client id/application id of PubWeb.

您还将需要InWeb的应用程序ID URI .您可以在Azure AD的刀片中的属性"中找到它.这将是资源，我们将从PubWeb获得令牌.

You will also need the App ID URI of InWeb. You can find it from its Properties in its blade in Azure AD. This will be the resource we will acquire a token for from PubWeb.

您还将需要您的Azure AD的ID.您可以从主Azure AD刀片服务器的属性"中找到它.

You will also need your Azure AD's id. You can find it from Properties in the main Azure AD blade.

现在要获取令牌，您需要使用OAuth2客户端凭据授予流程.最简单的方法是使用类似ADAL的库: https://docs.microsoft.com/zh-CN/azure/active-directory/develop/active-directory-authentication-libraries .

Now to get the token, you need to use the OAuth2 client credentials grant flow. Easiest way is to use a library like ADAL: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries.

如果要手动执行此操作，可以在以下HTTP调用中找到详细信息:

If you want to do it manually, you can find detailed info on the HTTP call here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service#service-to-service-access-token-request

它看起来像这样:

POST /contoso.com/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=625bc9f6-3bf6-4b6d-94ba-e97cf07a22de&client_secret=qkDwDJlDfig2IpeuUZYKH1Wb8q1V0ju6sILxQQqhJ+s=&resource=https%3A%2F%2Fservice.contoso.com%2F

将客户端ID设置为PubWeb的客户端ID，并将客户端密钥设置为PubWeb的客户端密钥.该资源应为InWeb的App ID URI.

Set the client id to PubWeb's client id, and the client secret to PubWeb's client secret. The resource should be the App ID URI of InWeb.

您应该收到一个访问令牌作为响应，您需要将其附加到您在InWeb上进行的请求作为标头:

You should receive an access token in response, which you will need to attach to request's you make to InWeb as a header:

Authorization: Bearer access-token-here

现在，当然，InWeb还必须对令牌进行身份验证.这是一个.NET示例应用程序(也有其他示例):

Now of course InWeb will also have to authenticate the token. Here is a .NET example app (there are examples for others too): https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-oauth2-appidentity/blob/master/TodoListService/App_Start/Startup.Auth.cs

该项目实际上还具有一个使用客户端凭据流调用API的客户端:

That project actually also has a client calling the API with the client credentials flow: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-oauth2-appidentity/blob/master/TodoListWebApp/Controllers/TodoListController.cs#L95.

很抱歉，回答冗长，我想补充一点细节:)

Sorry for the lengthy answer, I wanted to put in a bit of detail :)

但是请随时询问您是否对某些特定部分有疑问.

But feel free to ask if you have questions about some specific parts.

这篇关于在ASP.NET Core 2.0中授权一项应用程序服务与另一项应用程序服务(无用户交互)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！