Azure B2C client credentials grant


Problem description


I’ve implemented Azure B2C for user login/logout and can get the id_token and pass it to my web API for authorization, all works well. Now, I have some Web API methods that should be only accessed by the client web application (ASP.NET 4.6) which means OAuth 2.0 "client credentials grant". I’ve done a lot of research and the closest I could find is this quick-start which uses ADAL in a B2C application to call Graph API.


I followed along and got to the point where I’m trying to get the client access token as in the below code. However, no matter what I pass to the AcquireToken method as the resource I keep getting an error that the application name I’m passing doesn’t exist in the tenant. I’m actually not sure what should I pass, since in the B2C world you do not register your Web API as an application but rather you have one application ID for all your Apps.


Is the above scenario supported, and how can I do it?

public async Task<string> SendGraphGetRequest(string api, string query)
{
    // First, use ADAL to acquire a token by using the app's identity (the credential)
    // The first parameter is the resource we want an access_token for; in this case, the Graph API.
    //*** In my case I want to replace the graph API URL with my own WebAPI
    AuthenticationResult result = authContext.AcquireToken("https://graph.windows.net", credential);

    // Remainder of the method was cut off in the post; completed here: call the API with the token as a Bearer header.
    var http = new HttpClient();
    var request = new HttpRequestMessage(HttpMethod.Get, "https://graph.windows.net/" + api + "?" + query);
    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
    return await (await http.SendAsync(request)).Content.ReadAsStringAsync();
}

Answer


See this link that describes the Azure Active Directory B2C limitations. The quick-start you referenced is using the client credentials grant, which is not yet supported in Azure AD B2C.

In the section on daemons / server-side applications, it says:


"Applications that contain long-running processes or that operate without the presence of a user also need a way to access secured resources, such as Web APIs. These applications can authenticate and get tokens by using the application's identity (rather than a consumer's delegated identity) in the OAuth 2.0 client credentials flow. This flow is not yet available in Azure AD B2C, so for now, applications can get tokens only after an interactive consumer sign-in flow has occurred."


I believe this feature (oauth client credentials grant type support) is on the B2C roadmap and when it is released, the steps in that quick start should work.
