Azure AD B2C ROPC - Confidential client flow


Problem description


I'm trying to implement a custom ROPC flow in B2C. The idea is that trusted (internal) applications can get user tokens without using their primary password (the user may have several kinds of credentials), but other credentials.
I'm following the documentation at https://docs.microsoft.com/en-us/azure/active-directory-b2c/ropc-custom?tabs=app-reg-ga, but it clearly states:


Confidential client flow: The application client ID is validated, but the application secret is not validated.


But, from my point of view, these flows should only be used by privileged clients, therefore B2C needs to validate the client_secret, but this is not an option.


Is there a workaround for that, maybe some parameter that I can use in my custom policy definition?


I know that this can be implemented using non-ROPC flows, but some applications don't have a way to redirect the user to a web page (like a TV app).

Recommended answer


Use the Azure AD client credentials flow; it works in B2C tenants too. If it must align to users, have an app reg for each user.


Server side ROPC will get throttled when using AAD B2C endpoint for ROPC policies.

https://docs.microsoft.com/zh-CN/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
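As an added example (not code from the question, the answer, or Microsoft), the two token requests discussed in this thread side by side, plus the resource-side check that the answer's one-app-registration-per-user design relies on: mapping the caller app claim of an app-only token back to a user. Tenant, host, client id, secret, policy name and the app-to-user mapping are constructed placeholders.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Constructed placeholders for this example, not real tenant values.
TENANT = "contoso.onmicrosoft.com"
B2C_HOST = "contoso.b2clogin.com"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_SECRET = "<client-secret-placeholder>"
ROPC_POLICY = "B2C_1A_ROPC"
# One app registration per user, as the answer suggests (hypothetical mapping).
APP_TO_USER = {CLIENT_ID: "alice@contoso.com"}

def ropc_request(username, password):
    """Token request for the B2C custom ROPC policy (form fields as in the linked doc).
    No client_secret is sent: B2C does not validate it for this flow anyway."""
    url = f"https://{B2C_HOST}/{TENANT}/{ROPC_POLICY}/oauth2/v2.0/token"
    body = {"grant_type": "password", "client_id": CLIENT_ID,
            "scope": f"openid {CLIENT_ID} offline_access",
            "response_type": "token id_token",
            "username": username, "password": password}
    return url, urlencode(body)

def client_credentials_request(scope):
    """Client credentials grant on the Azure AD v2.0 endpoint, as the answer recommends.
    The secret travels in the body and the token endpoint does verify it."""
    url = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
    body = {"grant_type": "client_credentials", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "scope": scope}
    return url, urlencode(body)

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def unsigned_jwt(claims):
    """Build a sample token (no real signature) so the check below runs offline."""
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
    return f"hdr.{payload}.sig"

def user_for_token(token, now=None):
    """Resource-side mapping: which user does an app-only token stand for?
    Assumes signature, issuer and audience were already verified by a JWT library;
    only the caller app claim (v2 'azp', v1 'appid') and expiry are inspected here."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return APP_TO_USER.get(claims.get("azp") or claims.get("appid"))
```

The point of the contrast is the `client_secret` field: only the second request carries a credential the token endpoint checks, so only tokens from that flow let the API trust the app-to-user mapping.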
