如何跨活动目录添加权限? (有关在天蓝色中设置多租户应用程序的问题)
[英]how to add permissions across active directory? (problems with setting up multi-tenant app in azure)
问题描述
Now I have one App in Azure active directory1, and a web api in Azure active directory2. 
现在,我在Azure活动目录1中有一个应用程序,在Azure活动目录2中有一个Web API。 My aim is to allow users in AAD1 and AAD2 can both login the App. 我的目的是允许AAD1和AAD2中的用户都可以登录该应用程序。
So far I've enabled App and Api as multi-tenant, added each other in the manifest as known client application. 到目前为止,我已将App和Api启用为多租户,并在清单中将它们彼此添加为已知的客户端应用程序。
The things I've not finished yet: add one as a custom domain into the other, add permissions btw api and app, and I met some problems on these two. 我尚未完成的工作:将一个作为自定义域添加到另一个中,向btw api和app添加权限,而我在这两个上遇到了一些问题。
Right now my error msg is: 现在我的错误信息是:
An error has occurred while authorizing access via Authorization Server: unauthorized_client AADSTS65005: Invalid > resource.
When I tried to give the access in the api, in the required permission list, I didn't see the web app (which is in the other directory). 当我尝试在api中的所需权限列表中提供访问权限时,我没有看到该Web应用程序(位于另一个目录中)。 How should I do with it? 我该怎么办?
If I move both App and Api under the same directory, is there anyway that allows users from the other directory to login? 如果我将App和Api都移到同一目录下,是否有其他用户允许登录的目录?
2 个解决方案
解决方案1
1 2017-10-02 23:39:11
In order for you to see the Web API in Tenant 1 as an option for "Required Permission List", you need to provision the service principal for the Web API into Tenant 1. 为了使租户1中的Web API作为“必需的权限列表”的选项可见,您需要将Web API的服务主体设置到租户1中。
You can do this a number of ways, but the easiest way may be to simply sign into the Web API by generating a Login URL. 您可以通过多种方法执行此操作,但是最简单的方法可能是通过生成登录URL来简单地登录Web API。 Once you login, using a user from Tenant 1, the service principal will be provisioned in the tenant, and then be an option available to select. 使用租户1中的用户登录后,将在租户中预配服务主体,然后可以选择该选项。
https://login.microsoftonline.com/common/oauth2/authorize?client_id=<appid>&response_type=code&redirect_uri=<replyurl>&resource=<resource>&prompt=consent
The other option might be to use AAD PowerShell to create a service principal based off your Web API App Id: 另一个选择可能是使用AAD PowerShell根据您的Web API应用ID创建服务主体:
New-AzureADServicePrincipal 新建-天青AD服务主体
New-AzureADServicePrincipal -AccountEnabled $true -AppId $MyApp.AppId -DisplayName $App -Tags {WindowsAzureActiveDirectoryIntegratedApp}
Once you have successfully put the service principal on your required permissions, the error message you described above should go away. 一旦成功将服务主体置于所需的权限上,上述错误消息就会消失。
解决方案2
1 2017-10-03 06:04:47
In addition to Shawn Tabrizi's answer, you can also specify your API as a known client application of the App. 除了Shawn Tabrizi的答案外,您还可以将API指定为该应用程序的已知客户端应用程序。
So in your App's manifest: 因此,在您的应用清单中:
"knownClientApplications": [
"your-api-client-id"
]
Then if you try to authenticate to the App, it can do consent for the API as well at the same time. 然后,如果您尝试对应用进行身份验证,它也可以同时同意该API。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.