
How to get access token from client secret and open id token

I have a JavaScript app as my client-side app which communicates with a backend server for information. They are decoupled, so when the user logs in there isn't any authentication communication between the server and the client.

I am trying to set up the server so that I can pass the open id token to the server, then have the server redeem the open id token against https://login.microsoftonline.com/common for an access token.

I have gotten this to work using a certificate (code below), however I cannot seem to get it to work by using a client secret.

using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL.NET

var authority = "https://login.microsoftonline.com/common";

// Construct client assertion certificate (certificate is an X509Certificate2 with a private key)
var clientAssertionCertificate = new ClientAssertionCertificate("<client_id>", certificate);

var context = new AuthenticationContext(authority);

// User Assertion: the token presented by the client, redeemed on the user's behalf
var userAssertion = new UserAssertion(id_token);

authenticationResult = await context.AcquireTokenAsync("https://graph.microsoft.com", clientAssertionCertificate, userAssertion);

When I change this out for a client secret it no longer works.

var authority = "https://login.microsoftonline.com/common";

// Construct client assertion
var clientAssertion = new ClientAssertion("<client_id>", "<client_secret>");

var context = new AuthenticationContext(authority);

// User Assertion
var userAssertion = new UserAssertion(id_token);

authenticationResult = await context.AcquireTokenAsync("https://graph.microsoft.com", clientAssertion, userAssertion);

Looking at the documentation on the constructor of ClientAssertion, it says: "Constructor to create credential with a jwt token encoded as a base64 url encoded string." And the assertion is: "The jwt used as credential." This makes me think that the client assertion needs to be an actual JSON web token. Am I missing something here? Do I need to actually create/get a JWT from my client secret in order to get an access token from the id token?

Thanks for the help.

The JWT Bearer grant type is used when the client wants to receive access tokens without transmitting sensitive information such as the client secret; we usually use that as an alternative for a client secret in an Authorization Code grant. This can also be used with trusted clients to gain access to user resources without user authorization. Please read more about jwt bearer from here.

And usually this assertion type is used to obtain an access token for a downstream service, from an access token presented by a native client. (See here for an example: https://github.com/AzureADSamples/WebAPI-OnBehalfOf-DotNet ). You could also click here for Authentication Scenarios for Azure AD.
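The following is an added example, not code from the question or the answer above, showing the two ADAL.NET credential types the question runs together. A client secret belongs in `ClientCredential`, which ADAL sends as the `client_secret` form field; `ClientAssertion` expects an already-signed JWT of the RFC 7523 shape (iss = sub = client_id, aud = the token endpoint, a one-time jti, short exp), which is what `ClientAssertionCertificate` builds for you internally. The second method constructs that JWT explicitly from an X509Certificate2 using System.IdentityModel.Tokens.Jwt so you can see what a valid assertion contains; a raw secret string is never a valid assertion. The `OnBehalfOfExample` class, the `Authority`/`Resource` constants and the parameter names are assumptions made for this example. One caveat carried over from the Azure AD on-behalf-of documentation: the user assertion is meant to be the access token the client presented to this API (audience = this app), not an id_token; the example keeps the question's approach and just names the input `incomingToken`.

```csharp
// Added example (not from the original question/answer). Assumes ADAL.NET
// (Microsoft.IdentityModel.Clients.ActiveDirectory) plus
// System.IdentityModel.Tokens.Jwt / Microsoft.IdentityModel.Tokens for the JWT case.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.IdentityModel.Tokens;

public static class OnBehalfOfExample
{
    // Same authority/resource as in the question; a tenant-specific authority
    // is preferable when the tenant is known, so that token issuer validation is strict.
    const string Authority = "https://login.microsoftonline.com/common";
    const string Resource = "https://graph.microsoft.com";

    // Case 1: client secret. ADAL wraps it in ClientCredential (NOT ClientAssertion)
    // and sends client_id / client_secret as form fields in the token request.
    public static Task<AuthenticationResult> WithSecretAsync(
        string clientId, string clientSecret, string incomingToken)
    {
        var context = new AuthenticationContext(Authority);
        var clientCredential = new ClientCredential(clientId, clientSecret);
        var userAssertion = new UserAssertion(incomingToken);
        return context.AcquireTokenAsync(Resource, clientCredential, userAssertion);
    }

    // Case 2: certificate, but building the RFC 7523 client_assertion JWT ourselves.
    // This is the "jwt used as credential" the ClientAssertion docs refer to.
    public static string BuildClientAssertionJwt(string clientId, X509Certificate2 certificate)
    {
        var now = DateTime.UtcNow;
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = clientId,                        // iss: the application itself
            Audience = Authority + "/oauth2/token",   // aud: the v1 token endpoint being called
            NotBefore = now,
            Expires = now.AddMinutes(10),             // short lifetime limits replay window
            Subject = new ClaimsIdentity(new[]
            {
                new Claim(JwtRegisteredClaimNames.Sub, clientId),
                new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()) // one-time id
            }),
            // RS256 with the certificate's private key. X509SigningCredentials also
            // emits the x5t thumbprint header that Azure AD uses to select the
            // public key registered on the app.
            SigningCredentials = new X509SigningCredentials(certificate, SecurityAlgorithms.RsaSha256)
        };
        return new JwtSecurityTokenHandler().CreateEncodedJwt(descriptor);
    }

    public static Task<AuthenticationResult> WithClientAssertionAsync(
        string clientId, X509Certificate2 certificate, string incomingToken)
    {
        var context = new AuthenticationContext(Authority);
        var clientAssertion = new ClientAssertion(clientId, BuildClientAssertionJwt(clientId, certificate));
        var userAssertion = new UserAssertion(incomingToken);
        return context.AcquireTokenAsync(Resource, clientAssertion, userAssertion);
    }
}
```

Usage: call `WithSecretAsync("<client_id>", "<client_secret>", token)` from the API when the app is registered with a secret, or `WithClientAssertionAsync("<client_id>", cert, token)` when it is registered with a certificate. If you decode the string returned by `BuildClientAssertionJwt` you will see exactly the iss/sub/aud/jti/nbf/exp claims that `ClientAssertionCertificate` generates behind the scenes, which is why passing a bare secret to `ClientAssertion` is rejected by the token endpoint.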
