代表客户端应用程序对Azure AD进行身份验证

Question

In a scenario like this: https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof

I want to authenticate to Azure AD in the back end on behalf of a client instead of a user. I couldn't find an appropriate example in the documentation that fits this case.

So what am I doing?

In the client:

var authContext = new AuthenticationContext(authorityUrl);
var result = authContext.AcquireTokenAsync(webServiceUri, new ClientCredential(nativeClientId, nativeClientSecret)).GetAwaiter().GetResult();

In the back end service:

var authContext = new AuthenticationContext(authorityUrl);
var result = authContext.AcquireTokenAsync(office365ResourceUri, new ClientAssertion(webClientId, result.AccessToken))

This throws the following exception:

AADSTS70002: Client assertion application identifier doesn't match 'client_id' parameter.

It only succeeds when I'm pointing the same service (refering to itself!) in the back end as from the client:

authContext.AcquireTokenAsync(webServiceUri, new ClientAssertion(nativeClientId, result.AccessToken))

But this doesn't make sense as the service has to go to an Office 365 API.

Anyone an idea?

Answer 1

The OAuth 2.0 On-Behalf-Of flow is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from Azure Active Directory (Azure AD), on behalf of the user.

In your scenario , you could use client credential flow to acquire token for the office 365 api in your service app , without any human interaction such as an interactive sign-on dialog .

Please click here for more details about Authentication Scenarios for Azure AD .