使用Adal代表用户访问Azure KeyVault [英] Using Adal for accessing the Azure KeyVault on behalf of a user

问题描述

以下是在控制台应用程序和ClientID中，RedirectUri来自在Azure活动目录中创建的本机应用程序.

The following is in a console application and ClientID, RedirectUri is from the created native app in azure active directory.

var authContext = new AuthenticationContext(string.Format("https://login.windows.net/{0}","common"),new FileCache());
var token = authContext.AcquireToken("https://management.core.windows.net/", ClientID, RedirectUri, PromptBehavior.Auto);

我现在有了与管理api对话的令牌.

I now have the token for talking with management api.

 using (var client = new KeyVaultManagementClient(new TokenCloudCredentials(SubscriptionId, token.AccessToken)))
 {
     var a = client.Vaults.List(resourceGroup, 10);
     foreach(var vault in a.Vaults)
     {
           var vaultInfo = client.Vaults.Get(resourceGroup, vault.Name);
           Console.WriteLine(JsonConvert.SerializeObject(vaultInfo.Vault, Formatting.Indented));
           //Verifying that the AccessPolicies contains my object id (pasting idtoken into jwt.io and compare with oid claim) Success.

           // Now its time to talk with keyvault
           var keyvault = new KeyVaultClient(GetAccessTokenAsync);
           var secrets = keyvault.GetSecretsAsync(vaultInfo.Vault.Properties.VaultUri).GetAwaiter().GetResult();

     }

 }


 private static Task<string> GetAccessTokenAsync(string authority, string resource, string scope)
 {
         var context = new AuthenticationContext(authority, new FileCache());
        var result = context.AcquireToken(resource, new ClientCredential(AppClientId,AppKey));

        return Task.FromResult(result.AccessToken);

 }

以上工作原理，但要求我在我的广告上创建一个单独的应用程序，该应用程序可以与Keyvault进行通信.我想使用自己的ID与keyvault进行通信，但是我无法弄清楚如何获取keyvault客户端所需的访问令牌.

Above works but require me to create a separate app on my AD that can talk with the keyvault. I would like to use my own ID to talk with keyvault, but I cant figure out how to get the access token that the keyvault client require.

我是否需要更新Azure Manuel上的清单，并补充说允许我的控制台应用程序代表用户将令牌获得密钥保险库? 需要在GetAccessTokenAsync中更改哪些代码才能使其正常工作.

Do i need to update the manifest on azure manuel and adding that my console app is allowed to get a token on behalf of users to keyvault? What code is needed to be changed in GetAccessTokenAsync to make it work.

我尝试从公共端点的初始令牌请求中仅给它访问或ID令牌.有人对我自己的ID(而不是应用程序)与Azure密钥库进行对话有任何建议吗?

I have tried giving it just the access or id tokens from the initial token request from the common endpoint. Do anyone have some suggestions on how to talk to azure key vault on behalf of my own id and not an app?

因此，在查看标头时，我发现我的令牌缺少作为资源的vault.azure.net，因此尝试:

So looking at headers i found out my token was missing vault.azure.net as resource and therefore trying:

var testtoken = authContext.AcquireToken("https://vault.azure.net", ClientID, RedirectUri);

出现以下错误:

AADSTS65005:客户端应用程序已请求访问资源 ' https://vault.azure.net ".该请求失败，因为客户端 尚未在其requiredResourceAccess列表中指定此资源.

AADSTS65005: The client application has requested access to resource 'https://vault.azure.net'. This request has failed because the client has not specified this resource in its requiredResourceAccess list.

并查看当前清单:

"requiredResourceAccess": [
    {
      "resourceAppId": "797f4846-ba00-4fd7-ba43-dac1f8f63013",
      "resourceAccess": [
        {
          "id": "41094075-9dad-400e-a0bd-54e686782033",
          "type": "Scope"
        }
      ]
    },
    {
      "resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
          "type": "Scope"
        }
      ]
    }
  ],

我如何知道用于密钥库的作用域和resourceAppId的指南?

How do i know what guids to use for scope and resourceAppId for the keyvault?

在我知道如何获取resourceAppId和相关信息之前，我正在使用模仿Powershell工具的旧技巧.

Until i know how to get the resourceAppId and related information I am using the old trick of impersonating the powershell tools.

 var vaultToken = authContext.AcquireToken("https://vault.azure.net", "1950a258-227b-4e31-a9cf-717495945fc2", new Uri("urn:ietf:wg:oauth:2.0:oob"));
 var keyvault = new KeyVaultClient((_, b, c) => Task.FromResult(vaultToken.AccessToken));    
 var secrets = keyvault.GetSecretsAsync(vaultInfo.Vault.Properties.VaultUri).GetAwaiter().GetResult();

来源: http://www.s-innovations.net/Blog/2014/02/12/Controlling-the-login-flow-when-using-ADAL-for-WAML 在使用powershells clientid之前，还请阅读博客文章中的@bradygaster评论.

source: http://www.s-innovations.net/Blog/2014/02/12/Controlling-the-login-flow-when-using-ADAL-for-WAML Please also read @bradygaster comment at the blog post before using the powershells clientid.

推荐答案

您在正确的轨道上！您需要配置AAD，以便能够专门授权用户访问KeyVault.尝试将以下内容添加到清单中.

You're on the right track! You need to configure AAD to be able to authorize users specifically for access to KeyVault. Try adding the following to your manifest.

{
      "resourceAppId": "cfa8b339-82a2-471a-a3c9-0fc0be7a4093",
      "resourceAccess": [
        {
          "id": "f53da476-18e3-4152-8e01-aec403e6edc0",
          "type": "Scope"
        }
      ]
}

如果这行不通，您可以通过访问旧门户 ，导航到AAD，您的AAD租户，您的应用程序，然后在配置"标签的其他应用程序的权限"部分下添加"Azure Key Vault".

If that doesn't work, you can do this the old-fashioned way by visiting the old portal, navigating to AAD, your AAD Tenant, your application, and adding "Azure Key Vault" under the "permissions to other applications" section of the "Configure" tab.

这篇关于使用Adal代表用户访问Azure KeyVault的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！