AAD B2C中具有客户端凭据的Azure App Service轻松身份验证授予流程 [英] Azure App Service Easy Auth with Client Credentials Grant flow in AAD B2C

问题描述

是否可以使用内置的身份验证/授权选项保护Azure中的App Service中的Web API，并同时使用OAuth客户端凭据授予流对其进行访问?

Is it possible to secure a Web API in an App Service within Azure, using the built in Authentication/Authorization options and at the same time access it using the OAuth Client Credential Grant flow?

我有一个通过Azure AD B2C进行身份验证的应用程序服务.在该B2C租户中，我已注册了Web应用程序/API，并且可以很好地使用Web应用程序进行身份验证. 我在该AD B2C应用程序的已发布范围"部分中添加了一个范围，并且还为该范围添加了一个应用程序ID URI. 然后，我在租户中创建了另一个应用程序(ClientApp)，以表示我想提供对第一个API的访问权的另一个服务.我为此生成了一个秘密密钥，并且还在"API访问"部分中添加了我在其他应用程序中创建的范围.

I have an app service being authenticated with Azure AD B2C. In that B2C tenant I have the web app/API registered and authentication working fine for using the web app. I added a scope in the Published Scopes section of that AD B2C app and also added an App ID URI for that scope. Then I created another App (ClientApp) in the tenant to represent another service I want to provide access to the first API. I generated a Secret key for it and also in the API access section added the scope I had created in the other app.

然后在邮递员中，我使用下一个

Then in postman I get the token using the next

• 赠款类型:客户凭据
• 访问令牌URL: https://login.microsoftonline .com/mytenantname.onmicrosoft.com/oauth2/v2.0/token (由于某些原因，我必须使用login.microsoftonline，因为b2clogin域对此无效)
• 客户端ID:在为ClientApp注册的应用中显示的ID
• 客户端机密:在ClientApp下生成的机密
• 范围:我添加了Web应用程序注册的App ID URI.

• Grant type: Client credentials
• Access token URL: https://login.microsoftonline.com/mytenantname.onmicrosoft.com/oauth2/v2.0/token (for some reason I have to use login.microsoftonline as the b2clogin domain doesn't work for this)
• Client ID: The ID that appears in the app registered for the ClientApp
• Client secret: The secret generated under the ClientApp
• Scope: the App ID URI I added the the web app registration.

我成功获得了令牌，但是当我尝试通过邮递员使用不记名令牌访问网站时，我只会得到401.

I successfully get the token, but when I try to access the web site using the bearer token with postman, I just get a 401.

推荐答案

我已经花费了数小时来寻找合适的解决方案.

I've spent hours to find a proper solution.

此解决方案: https://stackoverflow.com/a/48657826/11721142 不适用于我的B2C设置(几乎是理想的:)).我必须更改原始文件:

This solution: https://stackoverflow.com/a/48657826/11721142 doesn't work with mine B2C setup (is almost ideal :) ). I had to change original:

"additionalLoginParams": [
  "response_type=code id_token",
  "resource=<AAD-app-id-for-your-webapi-webapp>"
]

收件人:

"additionalLoginParams": [
  "scope="scope=https://xxx.onmicrosoft.com/{Guid}/all+openid+offline_access""
]

哪里

https://xxx.onmicrosoft.com/{Guid}/all是您在B2C API权限中定义的范围标识符

https://xxx.onmicrosoft.com/{Guid}/all is your scope identifier defined in B2C API permisions

然后...最后我可以调用{frontend-app-domain}/.auth/login/aad并...参见:{frontend-app-domain}/.auth/me

Then... finally I can call {frontend-app-domain}/.auth/login/aad and... see: access-token, id-token and refresh-token after {frontend-app-domain}/.auth/me

您还可以提供所需的范围，例如:{frontend-app-domain}/.auth/login/aad?scope=<see scopes above>

You can also provide required scopes like that: {frontend-app-domain}/.auth/login/aad?scope=<see scopes above>

这篇关于AAD B2C中具有客户端凭据的Azure App Service轻松身份验证授予流程的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！