在Azure AD中配置应用程序权限 [英] Configure Application Permissions in Azure AD
问题描述
我有一个Web API,该Web API在Azure AD中注册,并使用WindowsAzureActiveDirectoryBearerAuthentication(OAuth2承载令牌)保护.这是B2B类型的场景,其中没有交互用户-调用API的应用程序是类似于守护程序的后台应用程序.因此,我不需要任何同意经验-我只希望受信任的应用程序能够调用该API,而其他应用程序(即使它们提供了有效的OAuth令牌)也可以被拒绝.
I have a Web API registered in Azure AD and secured using WindowsAzureActiveDirectoryBearerAuthentication (OAuth2 bearer token). This is a B2B-type scenario where there are no interactive users - the applications calling the API are daemon-like background apps. As such, I don't need any consent experience - I just want trusted applications to be able to call the API, and other applications - even if they present a valid OAuth token - to be denied.
此示例似乎几乎完全描述了我的情况.但是,确定调用者是否为受信任应用程序的方法是将调用者通过声明提出的clientID与硬编码值进行比较.显然,您可以在外部存储受信任的clientID的列表,而不是进行硬编码,但是看来我应该能够通过AAD门户中的配置来完成此操作,这样a)我不必维护clientID的列表,并且b)我不必编写自己的授权逻辑.
This sample seemed to describe my scenario almost exactly. However, the way it determines if a caller is a trusted app or not is by comparing the clientID presented via a claim by the caller to a hard-coded value. Obviously you could store the list of trusted clientIDs externally instead of hardcoding, but it seems like I should be able to accomplish this via configuration in the AAD portal so that a) I don't have to maintain a list of clientIDs, and b) I don't have to write my own authorization logic.
似乎我应该能够为我的API定义一个权限,将该权限授予AAD中的每个调用应用程序(或一次性管理员同意),然后在我的API中只需检查该权限是否存在在scp声明中.
It seems like I should be able to define a permission for my API, grant that permission to each calling app in AAD (or a one-time admin consent), and then in my API just check for the presence of that permission in the scp claim.
通过查看门户网站,看来这是应用程序权限"的目的:
From looking at the portal it seems like this is what Application Permissions are intended for:
我可以通过应用程序清单创建权限.不幸的是,我不知道如何指定它是应用程序权限,而不是委派权限!我尝试按照 MSDN ,但这似乎没有效果.
I can create a permission just fine via the application manifest. Unfortunately, I can't figure out how to specify that it's an Application Permission, not a Delegated Permission! I tried changing the type from User to Admin as described on MSDN, but that seemed to have no effect.
"oauth2Permissions": [
{
...
"type": "Admin",
...
}
问题
我是否纠正应用程序权限是适合我的方案的最佳解决方案?如果是这样,我该如何配置?或者,正如我担心的那样,这是On The Roadmap™上的又一个功能吗?
Question
Am I correct that Application Permissions are the best solution for my scenario? If so, how do I configure it? Or, as I fear, is this yet another feature that is On The Roadmap™ but not currently functional?
推荐答案
Ben,应用程序权限在清单的appRoles部分中声明.确实,如果您在资源应用程序的(存储代理程序演示)清单中声明一个名为"trusted"的appRole-它会显示在此处的应用程序权限"下拉列表中.然后,当您将该应用程序权限分配给客户端应用程序时-客户端应用程序将使用客户端凭据收到的访问令牌OAuth流将包含值为"trusted"的角色声明.租户中的其他应用程序也将能够为您的资源应用程序获取访问令牌-但它们不会具有受信任"角色声明.有关详细信息,请参见此博客文章:
Ben, Application Permissions are declared in the appRoles section of the manifest. Indeed, if you declare an appRole called say 'trusted' in your resource application's (storage broker demo) manifest - it will show up in the Application Permissions drop down there. Then, when you assign that Application Permission to the client app - the access token that the client app will receive using the client credentials OAuth flow will contain a roles claim with value 'trusted'. Other apps in the tenant will also be able to get an access token for your resource app - but they wont have the 'trusted' roles claim. See this blog post for details: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/
最后,只有当资源和客户端应用程序都在同一目录中声明时,上述将应用程序权限分配给客户端应用程序的方法才有效-如果这些应用程序是多租户的,并且客户将单独安装这些应用程序-来自客户目录的全球管理员将需要同意客户端应用程序-这将导致将应用程序权限分配给客户租户中的客户端应用程序实例. (我的博客文章也介绍了这一点)
Finally, the above way to assign an application permission to a client app only works when both the resource and client application are declared in the same directory - if however these apps are multi-tenant and a customer will install these apps separately - a global admin from customer's directory will need to consent to the client app - which will result in the application permission getting assigned to the instance of client app in the customer's tenant. (my blog post covers this too)
希望这会有所帮助.
ps:如果您遇到问题,请随时在 http://www的联系页面上对我执行ping操作. dushyantgill.com/blog
ps: if you're stuck - feel free to ping me on the contact page of http://www.dushyantgill.com/blog
这篇关于在Azure AD中配置应用程序权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
