Use Azure AD token to authenticate with Azure DevOps


Question


I'm writing a web API. One of the things it does is hit Azure DevOps using the Team Foundation Core DLLs. As we are backed by Azure AD (Azure Active Directory) I was thinking that I could have my app authenticate against Azure AD and use that token/authorization for Azure DevOps. This isn't the only service that it is going to authenticate with. Can I do this? What other ways can I achieve this goal? I don't want to prompt the user to authorize against Azure AD each time it goes to hit a unique service, especially as they are all backed by Azure AD.

Answer

Yes, you can do this.


Note: I'm assuming your API is secured by Azure AD, and that in order to call your API, users need to sign in to the client of your API with Azure AD.


Let's say you wanted your API to make requests not only to Azure DevOps, but also to Microsoft Graph (to take an example of another API secured by Azure AD--this could of course be any other API, including a second API of your own), and that you wanted those requests to be on behalf of the signed-in user. That is, on behalf of the user who is identified in the access token received by the API.


You could do the following (diagram below):

  1. A user signs in with Azure AD to the client application, and the client application requests an access token for your API.
  2. The client app presents this access token to your API when making any API requests (e.g. in the Authorization header), and your API does all the necessary validations.
  3. Your API takes the access token it received, and presents it to Azure AD, requesting a new access token "on behalf of" the signed-in user from the presented access token, but for a different resource: Azure DevOps. Assuming all the right permissions and consent are in place, Azure AD responds to the API with an access token for Azure DevOps.
  4. The API presents this access token when making requests to Azure DevOps.
  5. Your API also wants to call Microsoft Graph (e.g. to get more details about the user, or to send an email or something), so the API again goes to Azure AD, presenting the access token it received in (2), asking for a token to Microsoft Graph. If consent and permissions check out, Azure AD complies.
  6. Your API uses this third access token when making requests to Microsoft Graph.

          +--------+      +-----------+       +-----------------+
(User)+--->        +-(2)-->           +-(4)--->                 |
          | Client |      | Your API  <-------+  Azure DevOps   |
          |        <------+           |       |                 |
          +----^---+      |           +-(6)+  +-----------------+
               | |        |           <--+ |
               | |        +---^----^--+  | |  +-----------------+
               (1)          (3)   (5)    | +-->                 |
               | |           ||   ||     +----+ Microsoft Graph |
               | |        +--v----v--+        | (or other API)  |
               | +-------->          |        |                 |
               |          | Azure AD |        +-----------------+
               +----------+          |
                          +----------+


The detailed token flow is described in the Azure AD documentation (for both the v1 endpoint and the v2 endpoint).


Of course, all the complexities here, as well as token caching and refreshing, should be handled by simple libraries such as ADAL or MSAL, both of which have wiki pages for the on-behalf-of flow (with ADAL, with MSAL). Here's a summarized example of what it looks like with ADAL (taken from the To

using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Use ADAL to get a token On Behalf Of the current user.  To do this we will need:
//      The Resource ID of the service we want to call.
//      The current user's access token, from the current request's authorization header.
//      The credentials of this application.
//      The username of the user calling the API
//
string resourceId = "499b84ac-1321-427f-aa17-267ca6975798"; // this is the Azure DevOps app ID
string userName = "...";         // get from incoming token (e.g. the upn claim)
string userAccessToken = "...";  // from incoming Authorization header (the "Bearer " value)
// The incoming token is passed to Azure AD as a JWT bearer assertion for the OBO grant.
UserAssertion userAssertion = new UserAssertion(userAccessToken, "urn:ietf:params:oauth:grant-type:jwt-bearer", userName);
ClientCredential clientCred = new ClientCredential(clientId, appKey);   // this API's own app registration credentials
AuthenticationContext authContext = new AuthenticationContext(authority, tokenCache); // tokenCache keeps per-user tokens across requests

// Now make the on-behalf-of request
AuthenticationResult result = await authContext.AcquireTokenAsync(resourceId, clientCred, userAssertion);
string accessToken = result.AccessToken; // <-- this is a token for Azure DevOps!
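The six-step flow and the ADAL snippet above only show the library call. The following is an added example (not from the original answer, and not ADAL/MSAL code) that spells out what happens underneath against the Azure AD v2.0 token endpoint: the claim checks the API must do in step 2 before it trusts the incoming token, the exact form body of the on-behalf-of request in steps 3 and 5, the per-user, per-scope cache that the answer says the library handles, and the errors Azure AD returns when the assertion was issued to another audience or the resource was never consented. The tenant ID, client ID, secret, user `oid` and every token here are constructed; the fake token endpoint stands in for Azure AD so the example runs offline. Signature verification of the incoming JWT against the tenant's signing keys is assumed to be done by the API's JWT middleware and is not shown.

```python
import base64
import json
import time
from typing import Callable, Dict, Tuple

# Azure AD v2.0 on-behalf-of (OBO) grant parameters.
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# Azure DevOps resource app ID from the answer, in v2.0 ".default" scope form.
AZURE_DEVOPS_SCOPE = "499b84ac-1321-427f-aa17-267ca6975798/.default"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed stand-in for an Azure AD token (real ones are RS256-signed)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.fakesig"


def parse_claims(token: str) -> dict:
    return json.loads(_b64url_decode(token.split(".")[1]))


def validate_incoming_token(token: str, api_client_id: str, tenant: str, now: float) -> dict:
    """Step 2: claim checks on the token the client presented to the API.
    Signature verification (assumed done by JWT middleware) is not shown here."""
    claims = parse_claims(token)
    if claims.get("aud") != api_client_id:
        raise ValueError("token was not issued for this API (aud mismatch)")
    if claims.get("tid") != tenant:
        raise ValueError("token was issued by another tenant")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def build_obo_request(client_id: str, client_secret: str, user_token: str, scope: str) -> Dict[str, str]:
    """Form body of the v2.0 on-behalf-of request (steps 3 and 5)."""
    return {
        "grant_type": JWT_BEARER,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_token,        # the token received in step 2, unchanged
        "scope": scope,                 # the downstream resource, e.g. AZURE_DEVOPS_SCOPE
        "requested_token_use": "on_behalf_of",
    }


class OboTokenClient:
    """What ADAL/MSAL do for you: exchange, cache per (user, scope), re-acquire near expiry."""

    def __init__(self, tenant: str, client_id: str, client_secret: str, post: Callable[[str, dict], dict]):
        self.tenant, self.client_id, self.client_secret, self.post = tenant, client_id, client_secret, post
        self.token_url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
        self._cache: Dict[Tuple[str, str], Tuple[str, float]] = {}  # (oid, scope) -> (token, expires_at)

    def acquire_token_on_behalf_of(self, user_token: str, scope: str, now: float = None) -> str:
        now = time.time() if now is None else now
        claims = validate_incoming_token(user_token, self.client_id, self.tenant, now)
        key = (claims["oid"], scope)
        cached = self._cache.get(key)
        if cached and cached[1] > now + 60:   # reuse unless within a minute of expiry
            return cached[0]
        resp = self.post(self.token_url, build_obo_request(self.client_id, self.client_secret, user_token, scope))
        if "error" in resp:
            raise PermissionError(f"{resp['error']}: {resp.get('error_description', '')}")
        self._cache[key] = (resp["access_token"], now + int(resp["expires_in"]))
        return resp["access_token"]


def make_fake_token_endpoint(tenant: str, client_id: str, client_secret: str, consented_scopes: set):
    """Constructed stand-in for Azure AD's token endpoint so the exchange runs offline.
    It applies the checks the answer relies on: client credentials, OBO grant shape,
    assertion audience, and prior consent for the requested resource."""
    def post(url: str, form: dict) -> dict:
        if form.get("client_id") != client_id or form.get("client_secret") != client_secret:
            return {"error": "invalid_client"}
        if form.get("grant_type") != JWT_BEARER or form.get("requested_token_use") != "on_behalf_of":
            return {"error": "invalid_request", "error_description": "not an on-behalf-of request"}
        assertion = parse_claims(form["assertion"])
        if assertion.get("aud") != client_id:  # a middle tier may only redeem tokens issued to itself
            return {"error": "invalid_grant", "error_description": "assertion audience mismatch"}
        scope = form.get("scope", "")
        if scope not in consented_scopes:
            return {"error": "invalid_grant", "error_description": "consent required for " + scope}
        downstream = make_unsigned_jwt({"aud": scope.split("/.default")[0], "tid": tenant,
                                        "oid": assertion["oid"], "exp": 9999999999})
        return {"token_type": "Bearer", "expires_in": 3600, "access_token": downstream}
    return post
```

The downstream token carries the same `oid` as the incoming one, which is the point of the flow: Azure DevOps sees the user, not the API. In production use MSAL instead of hand-rolling this (ADAL reached end of support in 2023); in MSAL for Python the same exchange is `ConfidentialClientApplication.acquire_token_on_behalf_of(user_assertion, scopes)`, and the `invalid_grant` consent error above is what you get when the downstream API permission has not been granted to the API's app registration.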
