Azure AD将多个应用程序连接到单个Web API [英] Azure AD connect multiple apps to single Web API
问题描述
我有一个使用asp.net核心编写的Web API.此API将用于与在AAD中注册的其他几个服务进行通信,所有这些服务都可以使用不同的技术来完成,例如以asp.net核心编写的MVC应用程序或以Vue.JS编写的单页应用程序.后者给我带来了问题,因为SPA不会由应用程序Web服务器运行,而是像nginx或apache之类的东西,因此将无法使用客户端密码.
I have a Web API written using asp.net core. This API will be used to communicate with several other services registered in AAD, which all could be made using different technologies like an MVC application written in asp.net core or a single page application written in Vue.JS. The latter is causing me issues as the SPA won't be run by an application web server and rather something like nginx or apache and therefor won't be able to use a client secret.
我已将我的API的API权限添加到了我的应用程序中.
I have added API permissions for my API to my apps.
我将如何实现?我目前正在使用Authorization: Bearer access_token标头从客户端应用程序向API发送访问令牌,但是由于客户端应用程序和API在AAD中不是同一应用程序,因此会引起问题.
How would I achieve this? I'm currently sending an access token using the Authorization: Bearer access_token header from the client app to the API, but since the client app and the API aren't the same app in the AAD, it's causing issues.
这是我要实现的流程:
Here's the flow I'm trying to achieve:
所有请求的应用程序都要求您登录AAD,并且从API请求数据时,它们会发送JWT令牌,该令牌应在将请求的资源返回给客户端应用程序之前验证令牌.
All of the requested apps require you to login to the AAD and when requesting data from the API, they'll send the JWT token, which then should validate the token before returning the requested resource back to the client application.
推荐答案
似乎您误会了一些东西.您可以将每个客户端注册为Azure AD中的独立应用程序,并为Web api分配访问权限.
It seems you misunderstand something . You can register your each client as independent application in Azure AD , and assign access permission for your web api .
后者会导致我遇到问题,因为SPA不会由应用程序Web服务器运行,而是像nginx或apache之类的东西,因此将无法使用客户端密码.
The latter is causing me issues as the SPA won't be run by an application web server and rather something like nginx or apache and therefor won't be able to use a client secret.
SPA应用程序使用隐式授权流,因此在获取令牌时不需要客户端秘密.SPA可以是独立的应用程序,在通过AAD进行身份验证时应提供客户端ID.获取访问令牌后,您可以使用Authorization: Bearer access_token header创建用于访问Web api的http请求.
SPA application use Implicit grant flow , so that it doesn't need the client secret when acquiring token .SPA could be independent app , you should provide client id when making authentication with AAD. After getting access token , you could create http request with Authorization: Bearer access_tokenheader for accessing your web api .
每个客户端(web/spa/native)将获取用于访问Web api的访问令牌.在Web API方面,您只需要验证令牌即可.验证声明(签发人,听众)和签名.
Each client(web/spa/native) will acquire access token for accessing web api . On web api side , you just need to validate the token .Validate the claims(issuer,audience) and signature .
这篇关于Azure AD将多个应用程序连接到单个Web API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
