Azure B2C一次性访问受保护的API [英] Azure B2C One time access to secured API

问题描述

我在azure上有一个Web应用程序(REST API)，并且我有一个B2C设置来保护它的安全，要求您登录才能访问API.很好，因为我希望将API限制为成员.基本上，整个Web应用程序都需要身份验证，并会提示您登录.<​​/p>

这里有问题-我的应用有用户(有帐户)和客户(没有帐户).这些客户可能会收到一封电子邮件，其中涉及与一位用户建立的新约会-该电子邮件应具有一个或多个链接/按钮(即，一个按钮以确认约会，一个按钮为拒绝"，一个按钮为请求重新安排)，以及单击此链接后，我想通过rest api更新数据库中的字段，以便用户知道客户端的响应.麻烦在于，由于客户没有帐户，因此我不知道如何为他们提供允许他们访问并进行更新的链接.

我试图做大量研究-我用一次密码检查了AD的外部身份-但我似乎找不到任何有关如何实际使之达到我的目的的信息.

有人知道我怎么能天蓝色地实现这一点吗?有没有一种方法可以调用azure形式的c#生成一次身份验证，我可以将其编码为URL或其他内容?

任何想法都将不胜感激.

谢谢！

解决方案

您可以使用魔术链接进行匿名身份验证.用户帐户甚至不需要驻留在目录中.该链接可能寿命很短，并且可能只使用一次.我们称其为id_token_hint或魔术链接.

这里的样品 https://github.com/azure-ad-b2c/样本/树/主/政策/邀请

并在这里参考 https://docs.microsoft.com/zh-cn/azure/active-directory-b2c/id-token-hint

I have a web app (rest API) on azure, and I have a B2C setup that is securing it, requiring you to be signed in to access the API. This is good, as i wanted the API to be restricted to members. Basically, the entire web app requires authentication, and will prompt you for a sign in.

Heres the problem - my app has users (who have accounts) and clients (who do not have accounts). These clients might receive an email about a new appointment being set up with one of the users - this email should have one or more links/buttons (ie, a button to Confirm appointment, one to Decline, and one to request a reschdeule) and upon clicking this link I would like to update a field in my database via the rest api, so the USER knows the CLIENT's response. The trouble is, since the client wont have an account, I have no idea how I can give them a link they would be allowed to go to, and have the update happen.

I have tried to do a bunch of research - ive looked into AD external identities with a one time passcode - but i cant seem to find any info on how i would actually get this to work for my purposes.

Does anyone know how I might implement this in azure? Is there a way to call to azure form c# to generate a one time authentication that i can encode into a URL or something?

Any thoughts would be greatly appreciated.

Thanks!

解决方案

You could do an anonymous authentication by using a magic link. The users account won’t even need to live in the directory. The link can be short lived, and potentially one time use. We call it id_token_hint or a magic link.

Sample here https://github.com/azure-ad-b2c/samples/tree/master/policies/invite

And reference here https://docs.microsoft.com/en-us/azure/active-directory-b2c/id-token-hint

这篇关于Azure B2C一次性访问受保护的API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！