在 Azure AD 中配置应用程序权限 [英] Configure Application Permissions in Azure AD
问题描述
背景
我在 Azure AD 中注册了一个 Web API,并使用 WindowsAzureActiveDirectoryBearerAuthentication(OAuth2 持有者令牌)进行保护.这是一个 B2B 类型的场景,其中没有交互式用户 - 调用 API 的应用程序是类似守护进程的后台应用程序.因此,我不需要任何同意经验 - 我只希望受信任的应用程序能够调用 API,而其他应用程序 - 即使它们提供有效的 OAuth 令牌 - 也会被拒绝.
我尝试过的
,但这似乎没有效果.
"oauth2Permissions": [{...类型":管理员",...}问题
我是否正确,应用程序权限是我的方案的最佳解决方案?如果是这样,我该如何配置它?或者,正如我所担心的,这是 On The Roadmap™ 中的另一个功能,但目前还没有功能?
本,应用程序权限在清单的 appRoles 部分中声明.实际上,如果您在资源应用程序的(存储代理演示)清单中声明一个名为 say 'trusted' 的 appRole - 它会显示在应用程序权限下拉列表中.然后,当您将该应用程序权限分配给客户端应用程序时 - 客户端应用程序将使用客户端凭据 OAuth 流接收的访问令牌将包含一个角色声明,其值为受信任".租户中的其他应用程序也将能够为您的资源应用程序获取访问令牌 - 但它们不会拥有受信任"角色声明.有关详细信息,请参阅此博客文章:http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/
最后,上述将应用程序权限分配给客户端应用程序的方法仅在资源和客户端应用程序都在同一目录中声明时才有效 - 但是如果这些应用程序是多租户并且客户将单独安装这些应用程序 -客户目录中的全局管理员将需要同意客户端应用程序 - 这将导致将应用程序权限分配给客户租户中的客户端应用程序实例.(我的博文也涵盖了这一点)
希望这会有所帮助.
ps:如果您遇到问题 - 请随时在 http://www 的联系页面上联系我.dushyantgill.com/blog
Background
I have a Web API registered in Azure AD and secured using WindowsAzureActiveDirectoryBearerAuthentication (OAuth2 bearer token). This is a B2B-type scenario where there are no interactive users - the applications calling the API are daemon-like background apps. As such, I don't need any consent experience - I just want trusted applications to be able to call the API, and other applications - even if they present a valid OAuth token - to be denied.
What I've tried
This sample seemed to describe my scenario almost exactly. However, the way it determines if a caller is a trusted app or not is by comparing the clientID presented via a claim by the caller to a hard-coded value. Obviously you could store the list of trusted clientIDs externally instead of hardcoding, but it seems like I should be able to accomplish this via configuration in the AAD portal so that a) I don't have to maintain a list of clientIDs, and b) I don't have to write my own authorization logic.
It seems like I should be able to define a permission for my API, grant that permission to each calling app in AAD (or a one-time admin consent), and then in my API just check for the presence of that permission in the scp claim.
From looking at the portal it seems like this is what Application Permissions are intended for:
I can create a permission just fine via the application manifest. Unfortunately, I can't figure out how to specify that it's an Application Permission, not a Delegated Permission! I tried changing the type from User to Admin as described on MSDN, but that seemed to have no effect.
"oauth2Permissions": [
{
...
"type": "Admin",
...
}
Question
Am I correct that Application Permissions are the best solution for my scenario? If so, how do I configure it? Or, as I fear, is this yet another feature that is On The Roadmap™ but not currently functional?
Ben, Application Permissions are declared in the appRoles section of the manifest. Indeed, if you declare an appRole called say 'trusted' in your resource application's (storage broker demo) manifest - it will show up in the Application Permissions drop down there. Then, when you assign that Application Permission to the client app - the access token that the client app will receive using the client credentials OAuth flow will contain a roles claim with value 'trusted'. Other apps in the tenant will also be able to get an access token for your resource app - but they wont have the 'trusted' roles claim. See this blog post for details: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/
Finally, the above way to assign an application permission to a client app only works when both the resource and client application are declared in the same directory - if however these apps are multi-tenant and a customer will install these apps separately - a global admin from customer's directory will need to consent to the client app - which will result in the application permission getting assigned to the instance of client app in the customer's tenant. (my blog post covers this too)
Hope this helps.
ps: if you're stuck - feel free to ping me on the contact page of http://www.dushyantgill.com/blog
这篇关于在 Azure AD 中配置应用程序权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
