使用Azure AD/B2C用户的安全API [英] Secure API with Azure AD/B2C users
问题描述
我的用例是:
- 通过具有自定义字段,使用任何电子邮件地址的指定密码的API创建用户
- 通过API更新/禁用这些用户
- 通过REST API使用用户详细信息登录" Azure AD应用以获取令牌
- 当令牌在Http标头中传递时,向Web API发出授权请求
是否可以使用直接的Azure AD/B2C来实现所有这些功能,或者我应该考虑使用其他身份提供者,例如IdentityServer/Auth0?
Can all of this be achieved with straight Azure AD/B2C or should I be looking at some other identity provider e.g. IdentityServer/Auth0?
编辑1
我对AAD应用程序/用户和B2C应用程序/用户感到非常困惑,在这种情况下使用什么方法的指导很少.
I'm getting very confused between AAD apps/users and B2C apps/users, there is very little guidance on what to use in this case.
使用 https ://docs.microsoft.com/zh-cn/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet 作为起点,在插入客户端时,我得到以下结果身份和秘密来源:
Using https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet as a starting point I get the following results when plugging in the client id and secret from:
- Azure AD-应用程序类型Web应用程序/Api-可以创建用户
- Azure AD-本机应用程序类型-不起作用,无法创建用户
- Azure B2C(按链接在Powershell中创建的应用程序)可以工作,可以创建用户,但是我在Azure门户中看不到新创建的应用程序,也无法进行更改.
- Azure B2C-在B2C UI中创建的应用程序-不起作用,对Graph Api的请求因权限不足"而失败.我在Powershell中手动添加了读/写权限,但这没有用.
目前,我不知道哪种方法适合我的情况.
At this point I don't know what is the correct approach for my scenario.
推荐答案
如果要在Azure AD B2C中添加本地帐户,则可以使用Azure AD Graph API来实现,将本地帐户用户添加到Azure Active中目录B2C租户,请参阅创建用户(本地帐户) api文件.
If you want to add local accounts in Azure AD B2C , you could use Azure AD Graph API to achieve that , to add a local account user to an Azure Active Directory B2C tenant, see Create a user (local account) api document .
如果要添加Facebook和Google之类的社交帐户,则需要检查这些身份是否提供了REST API来管理其用户.
If you want to add social accounts such as Facebook and Google , you need to check whether these identity provides provide the REST APIs to manage their users.
修改
要连接到Graph API,当前,您需要在Azure AD中设置另一个应用程序(不在azure ad b2c刀片服务器中):
For connecting to the Graph API, currently you need to setup another app in Azure AD(not in azure ad b2c blade) :
在该应用中,您可以设置应用密钥并授予使用Azure AD Graph API的权限.另一种方法是使用powershell服务主体并附加3个Graph API权限:
In that app you could set app key and grant permissions to use the Azure AD Graph API .Another way is using powershell service principal and attach the 3 Graph API permissions:
用户登录B2C应用后,调用图形api时,可以使用ADAL v2或v3来获取可与Azure AD Graph API一起使用的访问令牌(使用客户端凭据流).请参考上面链接中的代码示例.
After user sign in the B2C app , when calling the graph api , you could use ADAL v2 or v3 in order to get access tokens which can be used with the Azure AD Graph API(using client credential flow). Please refer to code sample in above link .
如果您想限制可以使用Graph API创建用户的用户,则可以在应用程序中编写自己的逻辑来控制它.
If you want to restrict uses who can create users with Graph api , you could write your own logic in app to control that .
更新:
B2C应用程序(在b2c刀片中创建)可以帮助您登录和注册用户,但是B2C应用程序当前无法访问API(处于预览状态,但无法在我的门户网站中选择任何api),因此,您需要使用AD应用程序(在azure广告刀片中),该应用程序可以授予访问其他API(例如Microsoft Graph API)的权限.遵循链接时: https://docs.microsoft.com/zh-cn/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet ,在文章中他创建了ServicePrincipal而不是app,所以您找不到应用程序,请单击此处有关Azure Active Directory中应用程序和服务主体对象的更多详细信息
B2C app(which create in b2c blade) could help you sign-in and sign-up users , but B2C app can't access the APIs currently(in preview , but can't select any api in my portal) , so you need to use a AD app(in azure ad blade) , which could grant permission to access other APIs like Microsoft Graph API. When follow link :https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet ,in article he creates a ServicePrincipal not a app , so you couldn't find the app , Please click here for more details about Application and service principal objects in Azure Active Directory
这篇关于使用Azure AD/B2C用户的安全API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
