
Azure AD Graph API access without using client id and secret key

I have a back-end service that needs to read from and write into Azure AD. I was able to read and write using the Graph API by authenticating using tenant info, client id and secret key (these values come from Authentication Scenarios for Azure AD | Basics of Registering an Application in Azure AD).

Using the tenant info, client id and secret key for authentication means that end users need to register their tenants by manually specifying these values, and I am trying to avoid this manual registration step where users need to specify these values.

I have also looked at the multi-tenant application admin/user consent and its associated sample, Integrating applications with Azure Active Directory. However, the issue with the admin consent is that it enables all users in the directory to have access to the directory.

Is there any other way where I can provide a registration link of some sort, let the global admin user authenticate and consent for permission, at which point some sort of an access or refresh token can be persisted for use by the back-end service?

I have the reverse problem (see How to use Azure AD Graph API access for service principals?), but can answer your question. Daemon apps can run as either single tenant or multi-tenant, and use user/password authentication, so can be limited to the rights/roles for that user. I've tested this by using both client ID/secret and user/password using the same app for both - you just need to add the required permissions to the app for the user/password case (that doesn't seem to apply for SPs).

In my case, I'm using adal4j, but I'm sure you can adapt it as needed, e.g.:

```java
import java.util.concurrent.*;           // ExecutorService, Executors, Future
import com.microsoft.aad.adal4j.*;       // AuthenticationContext, AuthenticationResult

// authority is e.g. "https://login.microsoftonline.com/<tenant>"; clientID is the registered app's id
final ExecutorService service = Executors.newFixedThreadPool(1);
final AuthenticationContext context = new AuthenticationContext(authority, true, service);
// username/password (resource owner) grant for the Azure AD Graph resource
final Future<AuthenticationResult> future = context.acquireToken("https://graph.windows.net", clientID, userName, decryptedPassword, null);
final AuthenticationResult result = future.get();
```

...
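The question asks for a one-time registration step after which the back-end service keeps working from a persisted token rather than from a stored password. The following is an added example, not code from the original question or answer, showing how the answer's adal4j user/password sign-in can be combined with adal4j's `acquireTokenByRefreshToken` so that only the refresh token is retained by the service and access tokens are renewed from it. The class name `GraphTokenStore`, the method names, the tenant and client id values, and the `storedRefreshToken` field are hypothetical; the Azure AD Graph `users?api-version=1.6` endpoint and the adal4j method signatures are as they exist in adal4j 1.x. Note that adal4j and the Azure AD Graph endpoint have since been deprecated in favour of MSAL4J and Microsoft Graph; the example stays with the library the answer uses.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;

/**
 * Added example (hypothetical names): the admin signs in once with user name/password,
 * only the resulting refresh token is kept, and the back-end renews access tokens from it.
 */
public class GraphTokenStore {
    private static final String GRAPH_RESOURCE = "https://graph.windows.net";

    private final AuthenticationContext context;
    private final String clientId;
    // In a real service this must be persisted encrypted (key vault / DPAPI / KMS), never in plain config.
    private volatile String storedRefreshToken;

    public GraphTokenStore(String tenant, String clientId) throws Exception {
        ExecutorService service = Executors.newFixedThreadPool(1);
        // validateAuthority=true: adal4j checks the authority against the known Azure AD instances
        this.context = new AuthenticationContext("https://login.microsoftonline.com/" + tenant, true, service);
        this.clientId = clientId;
    }

    /** Registration step: the admin's password is used for this single call and not stored. */
    public void register(String userName, String password) throws Exception {
        Future<AuthenticationResult> future =
            context.acquireToken(GRAPH_RESOURCE, clientId, userName, password, null);
        AuthenticationResult result = future.get();
        // Only the refresh token survives the registration step.
        storedRefreshToken = result.getRefreshToken();
    }

    /** Back-end step: trade the stored refresh token for a fresh access token. */
    public String accessToken() throws Exception {
        if (storedRefreshToken == null) {
            throw new IllegalStateException("tenant not registered: no refresh token stored");
        }
        AuthenticationResult result =
            context.acquireTokenByRefreshToken(storedRefreshToken, clientId, GRAPH_RESOURCE, null).get();
        // Azure AD may rotate the refresh token; keep the newest one so the chain does not break.
        if (result.getRefreshToken() != null) {
            storedRefreshToken = result.getRefreshToken();
        }
        return result.getAccessToken();
    }

    /** Example Graph call: list users of the tenant the admin signed in to. */
    public int listUsersStatus() throws Exception {
        URL url = new URL(GRAPH_RESOURCE + "/myorganization/users?api-version=1.6");
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Authorization", "Bearer " + accessToken());
        conn.setRequestProperty("Accept", "application/json");
        // 200 on success; 401 means the token was rejected, 403 means the signed-in user
        // or the app lacks the directory permission that was consented to.
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical values; in practice tenant, client id and the admin credential come from
        // the registration link flow, and the password is never written to disk.
        GraphTokenStore store = new GraphTokenStore("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000");
        store.register(args[0], args[1]);
        System.out.println("GET /users -> HTTP " + store.listUsersStatus());
    }
}
```

Two practical caveats follow from this design. First, the user/password grant the answer relies on cannot complete when the account has multi-factor authentication or conditional access enforced, so the registration step should be done with an account the tenant's policy actually allows to use that grant, and the service should treat a failed `register` as a policy problem rather than retrying. Second, a persisted refresh token is as sensitive as the admin's credential for the lifetime of that token: the service should store it encrypted, scope the registered app to the smallest directory permissions the back-end needs, and refresh tokens can be invalidated from the directory side by changing the user's password or revoking sessions, which is the detection-and-response lever if the stored token is ever suspected of being exposed.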


