使用 Azure AD B2C 作为服务进行身份验证 [英] Authenticating as a Service with Azure AD B2C
问题描述
我们已经使用 Azure AD B2C 和 OAuth 设置了我们的应用程序,这工作正常,但是我正在尝试作为服务进行身份验证,以便为服务调用提供服务.我对此有点陌生,但我已经学习了一些关于如何在普通"Azure Active Directory 上执行此操作的 Pluralsight 课程,我可以让它工作,但遵循与 B2C 相同的原则是行不通的.
We have setup our application using Azure AD B2C and OAuth, this works fine, however I am trying to authenticate as a service in order to make service to service calls. I am slightly new to this, but I have followed some courses on Pluralsight on how to do this on "normal" Azure Active Directory and I can get it to work, but following the same principles with B2C does not work.
我有这个快速控制台应用程序:
I have this quick console app:
class Program
{
private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"]; //APIClient ApplicationId
private static string appKey = ConfigurationManager.AppSettings["ida:appKey"]; //APIClient Secret
private static string aadInstance = ConfigurationManager.AppSettings["ida:aadInstance"]; //https://login.microsoftonline.com/{0}
private static string tenant = ConfigurationManager.AppSettings["ida:tenant"]; //B2C Tenant
private static string serviceResourceId = ConfigurationManager.AppSettings["ida:serviceResourceID"]; //APP Id URI For API
private static string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
private static AuthenticationContext authContext = new AuthenticationContext(authority);
private static ClientCredential clientCredential = new ClientCredential(clientId, appKey);
static void Main(string[] args)
{
AuthenticationResult result = authContext.AcquireToken(serviceResourceId, clientCredential);
Console.WriteLine("Authenticated succesfully.. making HTTPS call..");
string serviceBaseAddress = "https://localhost:44300/";
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = httpClient.GetAsync(serviceBaseAddress + "api/location?cityName=dc").Result;
if (response.IsSuccessStatusCode)
{
string r = response.Content.ReadAsStringAsync().Result;
Console.WriteLine(r);
}
}
}
服务是这样保护的:
private void ConfigureAuth(IAppBuilder app)
{
var azureADBearerAuthOptions = new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters()
{
ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
}
};
app.UseWindowsAzureActiveDirectoryBearerAuthentication(azureADBearerAuthOptions);
}
在我的 B2C 租户中,我有两个不同的应用程序,它们的设置大致如下:
In my B2C tenant I have two different applications that are pretty much setup as this:
这两个应用程序都设置了来自密钥"选项的秘密.生成的密钥与使用 Azure Active Directory 时的结构略有不同.
Both applications have been setup with secrets coming from the "keys" option. The keys generated are slightly differently structured than when using Azure Active Directory.
我可以成功获取令牌,但是在尝试连接到其他服务时却收到 401.与 Azure Active Directory 相比,在使用 B2C 时,我是否必须在授权方面做一些不同的事情?
I can successfully get a token, but I get 401 when trying to connect to the other service. Do I have to do something different on the authorization side when using B2C compared to Azure Active Directory?
推荐答案
Azure Active Directory B2C 可以向 Web 或本机应用程序访问 API 应用程序颁发访问令牌,如果:
Azure Active Directory B2C can issue access tokens for access by a web or native app to an API app if:
- 这两个应用均已在 B2C 上注册;和
- 访问令牌是作为交互式用户流(即授权代码或隐式流)的结果发布的.
目前,不支持您的特定场景——您需要颁发访问令牌以供守护程序或服务器应用程序访问 API 应用程序(即客户端凭据流)——不受支持,但您可以注册这两个应用都通过 B2C 租户的应用注册"刀片.
Currently, your specific scenario -- where you are needing an access token to be issued for access by a daemon or server app to the API app (i.e. the client credentials flow) -- isn't supported, however you can register both of these apps through the "App Registrations" blade for the B2C tenant.
您可以通过 B2C 在以下位置投票支持对客户端凭据流的支持:
You can upvote support for the client credentials flow by B2C at:
如果 API 应用程序要从网络/本机应用程序以及守护程序/服务器应用程序接收令牌,那么您必须配置 API 应用程序以验证来自两个令牌颁发者的令牌:一个是 B2C,另一个是B2C 租户中的 Azure AD 目录.
If the API app is to receive tokens from both the web/native app as well as the daemon/server app, then you will have to configure the API app to validate tokens from two token issuers: one being B2C and other being the Azure AD directory in your B2C tenant.
这篇关于使用 Azure AD B2C 作为服务进行身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
