Azure AD/B2C 用户的安全 API [英] Secure API with Azure AD/B2C users
问题描述
我的用例是:
- 通过带有自定义字段的 API 创建用户,使用任何电子邮件地址指定密码
- 通过 API 更新/禁用这些用户
- 使用用户详细信息通过 rest API登录"到 Azure AD 应用以获取令牌
- 在 Http 标头中传递令牌时向 Web API 发出授权请求
所有这些都可以通过直接的 Azure AD/B2C 来实现,还是我应该寻找其他一些身份提供商,例如IdentityServer/Auth0?
编辑 1
我对 AAD 应用/用户和 B2C 应用/用户感到非常困惑,关于在这种情况下使用什么的指导很少.
使用 在该应用程序中,您可以设置应用程序密钥并授予使用 Azure AD Graph API 的权限.另一种方法是使用 powershell 服务主体并附加 3 Graph API 权限:
用户登录 B2C 应用后,调用图形 API 时,您可以使用 ADAL v2 或 v3 来获取可与 Azure AD 图形 API 一起使用的访问令牌(使用客户端凭据流).请参考上面链接中的代码示例.
如果您想限制可以使用 Graph api 创建用户的用户,您可以在应用程序中编写自己的逻辑来控制它.
更新:
B2C 应用程序(在 b2c 刀片中创建)可以帮助您登录和注册用户,但 B2C 应用程序当前无法访问 API(预览中,但无法在我的门户中选择任何 API),因此您需要使用 AD 应用程序(在 azure adblade 中),它可以授予访问其他 API(如 Microsoft Graph API)的权限.当点击链接时:https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet ,在文章中他创建了 ServicePrincipal 而不是应用程序,所以你找不到应用程序,请单击 此处了解有关 Azure Active Directory 中的应用程序和服务主体对象的更多详细信息
My use case is:
- Create users via API with custom fields, nominated password using any email address
- Update/disable those users via API
- 'Sign in' to Azure AD app with user details via rest API to obtain token
- Make authorised requests to Web API when token passed in Http header
Can all of this be achieved with straight Azure AD/B2C or should I be looking at some other identity provider e.g. IdentityServer/Auth0?
Edit 1
I'm getting very confused between AAD apps/users and B2C apps/users, there is very little guidance on what to use in this case.
Using https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet as a starting point I get the following results when plugging in the client id and secret from:
- Azure AD - Application Type Web app/ Api - works, can create user
- Azure AD - Application Type Native - does not work, cannot create user
- Azure B2C - Application created in Powershell as per link - works, can create user, however I can't see the newly created application in the Azure Portal, and can't make changes.
- Azure B2C - Application created in B2C UI - does not work, request to Graph Api fails with 'insufficient permissions'. I added the read/write permissions manually in Powershell but this did not work.
At this point I don't know what is the correct approach for my scenario.
If you want to add local accounts in Azure AD B2C , you could use Azure AD Graph API to achieve that , to add a local account user to an Azure Active Directory B2C tenant, see Create a user (local account) api document .
If you want to add social accounts such as Facebook and Google , you need to check whether these identity provides provide the REST APIs to manage their users.
Edit
For connecting to the Graph API, currently you need to setup another app in Azure AD(not in azure ad b2c blade) :
In that app you could set app key and grant permissions to use the Azure AD Graph API .Another way is using powershell service principal and attach the 3 Graph API permissions:
After user sign in the B2C app , when calling the graph api , you could use ADAL v2 or v3 in order to get access tokens which can be used with the Azure AD Graph API(using client credential flow). Please refer to code sample in above link .
If you want to restrict uses who can create users with Graph api , you could write your own logic in app to control that .
Update :
B2C app(which create in b2c blade) could help you sign-in and sign-up users , but B2C app can't access the APIs currently(in preview , but can't select any api in my portal) , so you need to use a AD app(in azure ad blade) , which could grant permission to access other APIs like Microsoft Graph API. When follow link :https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet ,in article he creates a ServicePrincipal not a app , so you couldn't find the app , Please click here for more details about Application and service principal objects in Azure Active Directory
这篇关于Azure AD/B2C 用户的安全 API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
