How to make Azure AD access_token compliant for its signature validation outside Microsoft Graph APIs?


Question

I have created an Azure AD Mobile and desktop application. Now I am getting my access_token using the following API:

POST https://login.microsoftonline.com/{Directory (tenant) ID}/oauth2/token
password: pass
client_id: id
resource: https://graph.microsoft.com
grant_type: password
client_secret: secret
username: userName
scope: openid

The response looks like: "access_token": "acessToken", "refresh_token": "refereshToken", "id_token": "id_token".

Now I am passing the access_token to a third party application which is configured with the same Azure AD client. When that third party application tries to validate the signature, the operation fails. Then I got to know it's because of the nonce, which is available only for Microsoft Graph APIs. Now how to remove the same or make my access_token signature verification compliant?

Solution

You need to create another Azure AD application that represents the web api, and then use your client application to call the web api application.

First, you need to expose the api of the application representing the web api, you can configure it according to the following process:

Azure portal>App registrations>Expose an API>Add a scope>Add a client application

Next, you need to define the manifest of the api application and grant application permissions to your client application (these are the role permissions you define yourself; you can find them under My APIs when you add permissions).

This is the process of defining the manifest.

This is to grant permissions for the client application:

Finally, you can request a token for your api application (note that the resource parameter is no longer the Microsoft Graph API, it is the client ID of your API application and your custom role permissions in the manifest).

Update:

For application permissions only, ROPC flow is generally not recommended. It is recommended that you use the client credential flow based on the v2.0 endpoint. When using v2.0 endpoints, resource is no longer used as a parameter; scope is used instead, but their functions are the same. (Please note that the scope parameter looks like this: api://a13b414b-93b3-4aae-bb-xxxxxxxxx/.default).

Parse the token and you will see the customized app Roles.
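As an added example (not part of the original answer), a small Python script applying the checks the answer implies before any signature work: a token whose JOSE header carries a nonce was minted for Microsoft Graph and is rejected outright, the audience must be our own API app, and the custom app roles are read from the claims; it also builds the v2.0 client-credentials request in which scope replaces resource. The app ID, role name and sample tokens are constructed, and verifying the signature against the tenant's signing keys happens after these checks and is not shown.

```python
import base64
import json
import urllib.parse

API_APP_ID = "00000000-0000-0000-0000-00000000abcd"  # constructed API app (client) ID


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(jwt: str, expected_aud: str) -> dict:
    """Decode header and claims (no signature check here) and decide whether the
    token is even a candidate for our API. A 'nonce' in the JOSE header marks a
    token issued for Microsoft Graph, whose signature only Graph can verify, so
    it is rejected before any key lookup; otherwise aud must be our API app."""
    header_b64, payload_b64, _signature = jwt.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    graph_token = "nonce" in header
    aud_ok = claims.get("aud") in (expected_aud, f"api://{expected_aud}")
    return {"graph_token": graph_token, "aud_ok": aud_ok,
            "accept": not graph_token and aud_ok, "roles": claims.get("roles", [])}


def client_credentials_request(tenant: str, client_id: str, secret: str, api_app_id: str):
    """v2.0 client-credentials request: 'scope' takes the place of the v1 'resource'."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": secret, "scope": f"api://{api_app_id}/.default"})
    return url, body


def _sample_token(header: dict, claims: dict) -> str:
    """Constructed, unsigned token for demonstration (dummy signature segment)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.dummysig"


# Constructed samples: a Graph-style token and a token issued for our API carrying one app role.
GRAPH_TOKEN = _sample_token({"alg": "RS256", "nonce": "abc"}, {"aud": "https://graph.microsoft.com"})
API_TOKEN = _sample_token({"alg": "RS256", "kid": "k1"}, {"aud": API_APP_ID, "roles": ["Orders.Read"]})

if __name__ == "__main__":
    print(inspect_token(GRAPH_TOKEN, API_APP_ID))  # accept: False (Graph token)
    print(inspect_token(API_TOKEN, API_APP_ID))    # accept: True, roles: ['Orders.Read']
```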
