使用客户端凭证流的Azure AD添加应用程序编程 [英] Adding Applications programmatically in Azure AD using Client Credentials Flow
问题描述
对于在Azure API管理使用,我想为应用添加到Azure中的Active Directory(AAD)编程,在我的情况,通过使用图形API。
For use with the Azure API Management, I am trying to add Applications to an Azure Active Directory (AAD) programmatically, in my case by using the Graph API.
我的情况是这样的:为了保护Web API,我想与Azure的API管理来管理,我想利用反倾销协定的OAuth功能做关于认证和颁发JWT令牌繁重,然后只使用验证验证一切-jwt政策在Azure中的API管理好。这具有以下优点,我可以或多或少在我的后端服务省略认证
My scenario is the following: In order to secure a Web API I want to manage with Azure API Management, I want to leverage AAD's OAuth functionality to do the heavy lifting regarding authentication and issuing JWT Tokens, and then just use the validate-jwt policy to verify everything is okay in Azure API Management. This has the advantage I can more or less omit authentication in my backend service.
这工作得很好,只要我创造了在消费Web应用程序在Azure AD的应用程序,但是这必须从在Azure门户手动完成; Azure的APIM不会自动做。
This works fine, as long as I have created an application in the Azure AD for the consuming web application, but this has to be done manually from the Azure Portal; Azure APIm does not do it automatically.
现在什么我试图做的就是自动完成:我想委托订阅的API在APIM一些其他的web应用程序我写,并从那里我想利用图形API来创建应用程序在Azure的AD和授予权限的API的应用。
Now for what I am trying to do to get the done automatically: I wanted to delegate the subscription to APIs in APIm to some other web app I am writing, and from there I want to leverage the Graph API to create an Application in the Azure AD and grant permissions to the Application of the API.
我试图做的第一件事情是有一个第三次申请(我的业务应用)有完整的应用程序权限在Azure的AD在Windows Azure Active Directory应用程序;这让使用图形REST API我的应用程序访问AAD。我管理使用client_credentials补助(从login.microsoft.com)来获得访问令牌,但该令牌并不让我做了 POST 在 https://graph.windows.net/(my AAD ID)/applications?api-version=1.5 :
The first thing I tried to do was to have a third application (my service application) to have full application permissions to the Windows Azure Active Directory application in the Azure AD; this lets my application access AAD using the Graph REST API. I manage to get an Access Token using the client_credentials grant (from login.microsoft.com), but this Token does not let me do a POST on https://graph.windows.net/(my AAD ID)/applications?api-version=1.5:
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
}
}
我发现(<一个href=\"https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes\">https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes)即使我授予 Directory.ReadWrite.All 许可,应用程序(APP-只),将无法创建或更新应用程序:
I found (https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes) that even if I grant the Directory.ReadWrite.All permission, the application (app-only) will not be able to create or update Applications:
注意:明确排除创建或更新以上未列出的实体。
这包括:应用程序,Oauth2PermissionGrant,AppRoleAssignment,设备,
ServicePrincipal,TenantDetail,域等。
Note: Specifically excludes create or update for entities not listed above. This includes: Application, Oauth2PermissionGrant, AppRoleAssignment, Device, ServicePrincipal, TenantDetail, domains, etc.
我试过了资源所有者密码格兰特( grant_type =密码),另外通过我自己的证书,这样我就可以在图形API在冒充自己接下来的事情。现在,我的 POST 到应用终点成功。
The next thing I tried was the Resource Owner Password Grant (grant_type=password), passing my own credentials additionally, so that I can impersonate myself in the Graph API. Now, my POST to the applications end point succeeds.
我的自下而上的对线问题是:我可以授予足够的权限来我的应用程序,这样我可以以编程方式使用客户端凭据流添加应用程序,而不是作用于代表用户的流量?如果是这样,它怎么办?
My bottom-of-the-line question is: Can I grant sufficient permissions to my application so that I can add applications programmatically using the client credentials flow, and not any flow which acts on behalf of a user? And if so, how is it done?
推荐答案
对不起唐。我们目前还没有客户端的凭证流(应用程序只),可用于创建应用程序或服务主体,或者创建任何的oauth2权限授予(或任何你通过目录上面提到的其他实体的许可范围。 ReadWrite.All权限)。我们正在努力额外的唯一的应用程序的权限,使您点亮这个场景,但我没有埃塔,我可以给你。
Sorry Don. We don't currently have any permission scopes for the client credential flow (app-only) that can be used to create applications or service principals or create any oauth2 permission grants (or any of the other entities that you mentioned above through the Directory.ReadWrite.All permission). We are working on additional app-only permissions that will enable you to light up this scenario, but I don't have an ETA that I can give you.
此操作的应的,如果你使用的应用程序+用户(code流量),并授予应用程序的权限Directory.AccessAsUser.All可能 - 只要有一个用户使用应用程序,他们是租户管理。不知道这是你的一个行之有效的解决方法(我猜是类似于您正在使用的密码流使用的是什么 - 但我会建议你使用code这里流)。
This operation should be possible if you use the app+user (code flow) and grant the app the Directory.AccessAsUser.All permission - as long as there is a user using your app AND that they are a tenant admin. Not sure if this is an acceptable workaround for you (and I guess is similar to what you are using with the password flow - although I would recommend you use the code flow here).
希望这有助于
这篇关于使用客户端凭证流的Azure AD添加应用程序编程的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
