使用客户端凭据流以编程方式在Azure AD中添加应用程序
[英]Adding Applications programmatically in Azure AD using Client Credentials Flow
问题描述
For use with the Azure API Management, I am trying to add Applications to an Azure Active Directory (AAD) programmatically, in my case by using the Graph API. 
为了与Azure API管理一起使用,我尝试以编程方式将应用程序添加到Azure Active Directory(AAD),在我的例子中使用Graph API。
My scenario is the following: In order to secure a Web API I want to manage with Azure API Management, I want to leverage AAD's OAuth functionality to do the heavy lifting regarding authentication and issuing JWT Tokens, and then just use the validate-jwt policy to verify everything is okay in Azure API Management. 我的方案如下:为了保护我想要使用Azure API管理管理的Web API,我想利用AAD的OAuth功能来完成有关身份验证和发布JWT令牌的繁重工作,然后只使用validate-jwt策略验证Azure API管理中的一切正常。 This has the advantage I can more or less omit authentication in my backend service. 这有利于我可以或多或少地在我的后端服务中省略身份验证。
This works fine, as long as I have created an application in the Azure AD for the consuming web application, but this has to be done manually from the Azure Portal; 这可以正常工作,只要我在Azure AD中为使用Web应用程序创建了一个应用程序,但这必须从Azure门户手动完成; Azure APIm does not do it automatically. Azure APIm不会自动执行此操作。
Now for what I am trying to do to get the done automatically: I wanted to delegate the subscription to APIs in APIm to some other web app I am writing, and from there I want to leverage the Graph API to create an Application in the Azure AD and grant permissions to the Application of the API. 现在我正在尝试自动完成这项工作:我想将APIm中的API委托给我正在编写的其他Web应用程序,并从那里开始我想利用Graph API在Azure中创建一个应用程序AD并授予API应用程序的权限。
The first thing I tried to do was to have a third application (my service application) to have full application permissions to the Windows Azure Active Directory application in the Azure AD; 我尝试做的第一件事是让第三个应用程序(我的服务应用程序)拥有Azure AD中Windows Azure Active Directory应用程序的完全应用程序权限; this lets my application access AAD using the Graph REST API. 这使我的应用程序可以使用Graph REST API访问AAD。 I manage to get an Access Token using the client_credentials grant (from login.microsoft.com), but this Token does not let me do a POST on https://graph.windows.net/(my AAD ID)/applications?api-version=1.5 : 我设法使用client_credentials grant(来自login.microsoft.com)获取Access Token,但是这个令牌不允许我在https://graph.windows.net/(my AAD ID)/applications?api-version=1.5上发布POST https://graph.windows.net/(my AAD ID)/applications?api-version=1.5 :
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
}
}
I found ( https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes ) that even if I grant the Directory.ReadWrite.All permission, the application (app-only) will not be able to create or update Applications: 我发现( https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes ),即使我授予Directory.ReadWrite.All权限,该应用程序(仅限app)将无法创建或更新应用程序:
Note : Specifically excludes create or update for entities not listed above.
The next thing I tried was the Resource Owner Password Grant ( grant_type=password ), passing my own credentials additionally, so that I can impersonate myself in the Graph API. 我尝试的下一件事是资源所有者密码授权( grant_type=password ),另外传递我自己的凭据,以便我可以在Graph API中模仿自己。 Now, my POST to the applications end point succeeds. 现在,我对applications端点的POST成功了。
My bottom-of-the-line question is: Can I grant sufficient permissions to my application so that I can add applications programmatically using the client credentials flow, and not any flow which acts on behalf of a user? 我的最后一个问题是:我是否可以为我的应用程序授予足够的权限,以便我可以使用客户端凭据流以编程方式添加应用程序,而不是代表用户执行的任何流程? And if so, how is it done? 如果是这样,它是如何完成的?
1 个解决方案
解决方案1
5 已采纳 2016-01-28 22:54:00
Sorry Don. 对不起唐。 We don't currently have any permission scopes for the client credential flow (app-only) that can be used to create applications or service principals or create any oauth2 permission grants (or any of the other entities that you mentioned above through the Directory.ReadWrite.All permission). 我们目前没有任何客户端凭据流(仅限app)的权限范围,可用于创建应用程序或服务主体或创建任何oauth2权限授予(或上面通过目录提到的任何其他实体)。 ReadWrite.All权限)。 We are working on additional app-only permissions that will enable you to light up this scenario, but I don't have an ETA that I can give you. 我们正在开发其他仅限应用程序的权限,以便您点亮此方案,但我没有可以提供给您的ETA。
This operation should be possible if you use the app+user (code flow) and grant the app the Directory.AccessAsUser.All permission - as long as there is a user using your app AND that they are a tenant admin. 如果您使用app +用户(代码流)并向应用授予Directory.AccessAsUser.All权限,则应该可以执行此操作 - 只要有用户使用您的应用并且他们是租户管理员。 Not sure if this is an acceptable workaround for you (and I guess is similar to what you are using with the password flow - although I would recommend you use the code flow here). 不确定这是否是一个可接受的解决方法(我猜这与你使用的密码流类似 - 虽然我建议你在这里使用代码流)。
UPDATE : There are a couple of new app only permissions we added for AAD Graph. 更新 :我们为AAD Graph添加了几个新的应用程序权限。 Application.ReadWrite.OwnedBy (which allows an app to create/own another app - but only update the apps it created - it won't be able to touch any other apps it doesn't own) AND Application.ReadWrite.All (which allows an app to create/manage ALL apps in a tenant). Application.ReadWrite.OwnedBy(允许应用创建/拥有另一个应用 - 但只更新它创建的应用 - 它将无法触及它不拥有的任何其他应用)和Application.ReadWrite.All(其中允许应用程序创建/管理租户中的所有应用程序)。 Seems like the first one would be appropriate. 似乎第一个是合适的。 You should see these show up in the Azure Portal for the AAD Graph resource. 您应该看到这些显示在Azure门户中的AAD Graph资源。 However they are not currently documented AFAIK. 但是他们目前没有记录AFAIK。
Hope this helps, 希望这可以帮助,
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.