Use Azure AD token to authenticate with Azure DevOps


Question

I'm writing a web API. One of the things it does is hit Azure DevOps using the Team Foundation Core DLLs. As we are backed by Azure AD (Azure Active Directory) I was thinking that I could have my app authenticate against Azure AD and use that token/authorization for Azure DevOps. This isn't the only service that it is going to authenticate with. Can I do this? What other ways can I achieve this goal? I don't want to prompt the user to authorize against Azure AD each time it goes to hit a unique service, especially as they are all backed by Azure AD.

Answer

Yes, you can do this.

Note: I'm assuming your API is secured by Azure AD, and that in order to call your API, users need to sign in to the client of your API with Azure AD.

Let's say you wanted your API to make requests not only to Azure DevOps, but also to Microsoft Graph (to take an example of another API secured by Azure AD--this could of course be any other API, including a second API of your own), and that you wanted those requests to be on behalf of the signed-in user. That is, on behalf of the user who is identified in the access token received by the API.

You could do the following (diagram below):

  1. A user signs in with Azure AD to the client application, and the client application requests an access token for your API.
  2. The client app presents this access token to your API when making any API requests (e.g. in the Authorization header), and your API does all the necessary validations.
  3. Your API takes the access token it received, and presents it to Azure AD, requesting a new access token "on behalf of" the signed-in user from the presented access token, but for a different resource: Azure DevOps. Assuming all the right permissions and consent are in place, Azure AD responds to the API with an access token for Azure DevOps.
  4. The API presents this access token when making requests to Azure DevOps.
  5. Your API also wants to call Microsoft Graph (e.g. to get more details about the user, or to send an email or something), so the API again goes to Azure AD, presenting the access token it received in (2), asking for a token to Microsoft Graph. If consent and permissions check out, Azure AD complies.
  6. Your API uses this third access token when making requests to Microsoft Graph.

          +--------+      +-----------+       +-----------------+
(User)+--->        +-(2)-->           +-(4)--->                 |
          | Client |      | Your API  <-------+  Azure DevOps   |
          |        <------+           |       |                 |
          +----^---+      |           +-(6)+  +-----------------+
               | |        |           <--+ |
               | |        +---^----^--+  | |  +-----------------+
               (1)          (3)   (5)    | +-->                 |
               | |           ||   ||     +----+ Microsoft Graph |
               | |        +--v----v--+        | (or other API)  |
               | +-------->          |        |                 |
               |          | Azure AD |        +-----------------+
               +----------+          |
                          +----------+

The detailed token flow is described in the Azure AD documentation (for both the v1 endpoint and the v2 endpoint).

Of course, all the complexities here, as well as token caching and refreshing, should be handled by simple libraries such as ADAL or MSAL, both of which have wiki pages for the on-behalf-of flow (with ADAL, with MSAL). Here's a summarized example of what it looks like with ADAL (taken from the To

using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Use ADAL to get a token On Behalf Of the current user.  To do this we will need:
//      The Resource ID of the service we want to call.
//      The current user's access token, from the current request's authorization header.
//      The credentials of this application.
//      The username of the user calling the API
//
string resourceId = "499b84ac-1321-427f-aa17-267ca6975798"; // this is the Azure DevOps app ID
string userName = "...";        // get from incoming token (e.g. its UPN claim)
string userAccessToken = "..."; // from incoming Authorization header (the bearer token value, without the "Bearer " prefix)
UserAssertion userAssertion = new UserAssertion(userAccessToken, "urn:ietf:params:oauth:grant-type:jwt-bearer", userName);
ClientCredential clientCred = new ClientCredential(clientId, appKey); // this API's own app ID and secret
AuthenticationContext authContext = new AuthenticationContext(authority, tokenCache); // authority = the tenant's Azure AD endpoint

// Now make the on-behalf-of request
AuthenticationResult result = await authContext.AcquireTokenAsync(resourceId, clientCred, userAssertion);
string accessToken = result.AccessToken; // <-- this is a token for Azure DevOps!
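As an added example (not from the answer, and not ADAL or MSAL code), the same on-behalf-of exchange from steps (2), (3) and (5) written against the Azure AD v2 token endpoint directly in Python, so the raw request is visible: the audience and expiry check the API applies to the caller's token before trusting it, and the form body it then sends to obtain a token for Azure DevOps or Microsoft Graph. The tenant, client ID, secret and token values are constructed placeholders; the Azure DevOps resource ID is the one from the ADAL snippet above.

```python
from urllib.parse import urlencode

# Well-known resource ID of Azure DevOps, as used in the answer's ADAL snippet.
AZURE_DEVOPS_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798"
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def devops_scope() -> str:
    """On the v2 endpoint a v1 'resource' becomes '<resource>/.default'."""
    return f"{AZURE_DEVOPS_RESOURCE_ID}/.default"


def graph_scope() -> str:
    """Microsoft Graph is addressed by its URL-style scopes on v2."""
    return "https://graph.microsoft.com/.default"


def check_incoming_token(claims: dict, api_client_id: str, now: float) -> list:
    """Part of the API's validation in step (2), applied to the claims of an
    already signature-verified token: it must be meant for this API and not
    expired. Returns the list of problems found (empty means acceptable)."""
    problems = []
    if claims.get("aud") not in (api_client_id, f"api://{api_client_id}"):
        problems.append("audience is not this API")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def build_obo_request(tenant: str, client_id: str, client_secret: str,
                      incoming_token: str, scope: str) -> tuple:
    """Steps (3) and (5): the token-endpoint URL and form body with which the
    API presents the caller's token as an assertion and asks for a new token
    for a different resource (Azure DevOps or Microsoft Graph)."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,   # this API's own credential
        "assertion": incoming_token,      # bearer token from the Authorization header
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    })
    return url, body
```

The body is POSTed as application/x-www-form-urlencoded; the JSON response carries the new access token in its access_token field, and the second call for Graph simply repeats the request with graph_scope().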
