Azure B2C One time access to secured API
Problem description
I have a web app (REST API) on Azure, and I have a B2C setup that is securing it, requiring you to be signed in to access the API. This is good, as I wanted the API to be restricted to members. Basically, the entire web app requires authentication, and will prompt you for a sign in.
Here's the problem - my app has users (who have accounts) and clients (who do not have accounts). These clients might receive an email about a new appointment being set up with one of the users - this email should have one or more links/buttons (i.e., a button to Confirm appointment, one to Decline, and one to request a reschedule) and upon clicking this link I would like to update a field in my database via the REST API, so the USER knows the CLIENT's response. The trouble is, since the client won't have an account, I have no idea how I can give them a link they would be allowed to go to, and have the update happen.
I have tried to do a bunch of research - I've looked into AD external identities with a one time passcode - but I can't seem to find any info on how I would actually get this to work for my purposes.
Does anyone know how I might implement this in Azure? Is there a way to call to Azure from C# to generate a one time authentication that I can encode into a URL or something?
Any thoughts would be greatly appreciated.
Thanks!
You could do an anonymous authentication by using a magic link. The user's account won’t even need to live in the directory. The link can be short lived, and potentially one time use. We call it id_token_hint or a magic link.
Sample here https://github.com/azure-ad-b2c/samples/tree/master/policies/invite
And reference here https://docs.microsoft.com/en-us/azure/active-directory-b2c/id-token-hint
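A sketch of the link-generation side of the magic-link approach in C#, added here as an example; it is not part of the answer and is not code from the linked sample. It assumes the System.IdentityModel.Tokens.Jwt package, an RSA key whose public half the B2C custom policy has been configured to trust, and placeholder tenant, policy, client ID, issuer and redirect values; the `MagicLink` class and the `appointmentId` claim are hypothetical names.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class MagicLink
{
    // Placeholders: substitute your own tenant, policy, app registration and issuer.
    const string Authorize = "https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<policy>/oauth2/v2.0/authorize";
    const string ClientId = "<application-client-id>";
    const string RedirectUri = "https://app.example.com/appointment-response"; // hypothetical
    const string Issuer = "https://app.example.com/";                          // hypothetical

    public static string Build(RSA key, string keyId, string email, string appointmentId, TimeSpan lifetime)
    {
        DateTime now = DateTime.UtcNow;
        var claims = new[]
        {
            new Claim("email", email),
            new Claim("appointmentId", appointmentId), // hypothetical custom claim
            // Unique token id: the API can store it once used and reject replays.
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),
        };
        var credentials = new SigningCredentials(
            new RsaSecurityKey(key) { KeyId = keyId }, SecurityAlgorithms.RsaSha256);
        // Short lifetime: the exp claim bounds how long a leaked e-mail link is usable.
        var token = new JwtSecurityToken(Issuer, ClientId, claims,
            notBefore: now, expires: now.Add(lifetime), signingCredentials: credentials);
        string hint = new JwtSecurityTokenHandler().WriteToken(token);

        return Authorize
            + "?client_id=" + Uri.EscapeDataString(ClientId)
            + "&response_type=id_token&scope=openid"
            + "&nonce=" + Guid.NewGuid().ToString("N")
            + "&redirect_uri=" + Uri.EscapeDataString(RedirectUri)
            + "&id_token_hint=" + Uri.EscapeDataString(hint);
    }

    public static void Main()
    {
        // Constructed sample input. A throwaway key is generated so the example runs;
        // in practice the key is persistent and its public half is published for the policy.
        using RSA key = RSA.Create(2048);
        string link = Build(key, "demo-key-1", "client@example.com", "appt-1234", TimeSpan.FromMinutes(30));
        Console.WriteLine(link);
    }
}
```

One-time use in this sketch depends on the API recording each `jti` value it has accepted and refusing it afterwards; the token's expiry alone only limits how long the link stays valid.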