Authenticate to Azure AD on-behalf-of a client application
In a scenario like this: https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof
I want to authenticate to Azure AD in the back end on behalf of a client application instead of a user. I couldn't find an appropriate example in the documentation that fits this case.
So what am I doing?
In the client:
var authContext = new AuthenticationContext(authorityUrl);
var result = authContext.AcquireTokenAsync(webServiceUri, new ClientCredential(nativeClientId, nativeClientSecret)).GetAwaiter().GetResult();
In the back end service:
var authContext = new AuthenticationContext(authorityUrl);
// clientAccessToken is the access token the client sent with its request to this service
var result = authContext.AcquireTokenAsync(office365ResourceUri, new ClientAssertion(webClientId, clientAccessToken)).GetAwaiter().GetResult();
This throws the following exception:
AADSTS70002: Client assertion application identifier doesn't match 'client_id' parameter.
It only succeeds when I'm pointing at the same service (referring to itself!) in the back end as from the client:
authContext.AcquireTokenAsync(webServiceUri, new ClientAssertion(nativeClientId, result.AccessToken))
But this doesn't make sense, as the service has to go to an Office 365 API.
Anyone an idea?
The OAuth 2.0 On-Behalf-Of flow is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from Azure Active Directory (Azure AD) on behalf of the user.
In your scenario, you could use the client credential flow to acquire a token for the Office 365 API in your service app, without any human interaction such as an interactive sign-on dialog.
Please click here for more details about Authentication Scenarios for Azure AD.
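Added example (not from the question or from the Azure sample linked above) showing what the answer's suggestion looks like in the back end service with ADAL: the service acquires its own token for the downstream resource with the client credential flow, and, because the downstream API then only sees the service's identity rather than the calling client's, the service itself has to check which client application is calling it. The authority, client ids, secret and downstream resource URL are placeholders, and the `appid` claim check assumes the incoming bearer token has already been validated (issuer, audience, signature) by the web API's JWT middleware before this code runs.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// All values below are assumed placeholders for the middle-tier (web API)
// app registration; none of them come from the question.
static class Office365Client
{
    const string Authority         = "https://login.microsoftonline.com/<tenant-id-placeholder>";
    const string WebClientId       = "<web-api-client-id-placeholder>";
    const string WebClientSecret   = "<web-api-client-secret-placeholder>";
    const string Office365Resource = "https://graph.microsoft.com"; // assumed downstream resource
    const string NativeClientId    = "<native-client-id-placeholder>"; // the one caller this service accepts

    // Client credential flow: the service authenticates as itself, so the
    // resulting token carries the service's application permissions and
    // nothing about the client that called the service.
    public static async Task<string> AcquireDownstreamTokenAsync()
    {
        var authContext = new AuthenticationContext(Authority);
        var credential = new ClientCredential(WebClientId, WebClientSecret);
        AuthenticationResult result = await authContext.AcquireTokenAsync(Office365Resource, credential);
        return result.AccessToken;
    }

    // Since the downstream API can no longer tell who the original caller was,
    // authorization of the caller has to happen here. For a token obtained with
    // ClientCredential, Azure AD puts the calling app's client id in 'appid'.
    public static bool CallerIsAllowed(ClaimsPrincipal caller)
    {
        string appId = caller.FindFirst("appid")?.Value;
        return string.Equals(appId, NativeClientId, StringComparison.OrdinalIgnoreCase);
    }

    // Gate on the caller, then call the downstream API with the service's own token.
    public static async Task<string> GetFromOffice365Async(ClaimsPrincipal caller, string relativeUrl)
    {
        if (!CallerIsAllowed(caller))
            throw new UnauthorizedAccessException("Calling application is not permitted to use this service.");

        string token = await AcquireDownstreamTokenAsync();
        using (var http = new HttpClient { BaseAddress = new Uri(Office365Resource) })
        {
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
            HttpResponseMessage response = await http.GetAsync(relativeUrl);
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```

Two things follow from this design. The application permissions the service needs on the downstream resource must be granted (and admin-consented) to the service's own app registration, since the token no longer inherits anything from the caller. And the allow-list in CallerIsAllowed is what replaces the per-caller scoping that the On-Behalf-Of flow would otherwise have given you, so keep it as narrow as the set of client applications that should be able to reach Office 365 through this service.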