堆栈内存溢出
  简体   繁体   English

使用Azure AD B2C进行身份验证

[英]Authenticating as a Service with Azure AD B2C

 原文  2017-10-31 12:36:16       azure/ oauth-2.0/ azure-ad-b2c

问题描述

We have setup our application using Azure AD B2C and OAuth, this works fine, however I am trying to authenticate as a service in order to make service to service calls. 我们已经使用Azure AD B2C和OAuth设置了我们的应用程序,这很好用,但我正在尝试作为服务进行身份验证,以便为服务调用提供服务。 I am slightly new to this, but I have followed some courses on Pluralsight on how to do this on "normal" Azure Active Directory and I can get it to work, but following the same principles with B2C does not work. 我对此稍微有些新意见,但我已经关注了Pluralsight上有关如何在“普通”Azure Active Directory上执行此操作的一些课程,我可以使其工作,但遵循B2C的相同原则不起作用。

I have this quick console app: 我有这个快速控制台应用程序: 

class Program
{
    private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"]; //APIClient ApplicationId
    private static string appKey = ConfigurationManager.AppSettings["ida:appKey"]; //APIClient Secret
    private static string aadInstance = ConfigurationManager.AppSettings["ida:aadInstance"]; //https://login.microsoftonline.com/{0}
    private static string tenant = ConfigurationManager.AppSettings["ida:tenant"]; //B2C Tenant 
    private static string serviceResourceId = ConfigurationManager.AppSettings["ida:serviceResourceID"]; //APP Id URI For API
    private static string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);

    private static AuthenticationContext authContext = new AuthenticationContext(authority);
    private static ClientCredential clientCredential = new ClientCredential(clientId, appKey);

    static void Main(string[] args)
    {
        AuthenticationResult result = authContext.AcquireToken(serviceResourceId, clientCredential);
        Console.WriteLine("Authenticated succesfully.. making HTTPS call..");

        string serviceBaseAddress = "https://localhost:44300/";
        HttpClient httpClient = new HttpClient();
        httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        HttpResponseMessage response = httpClient.GetAsync(serviceBaseAddress + "api/location?cityName=dc").Result;

        if (response.IsSuccessStatusCode)
        {
            string r = response.Content.ReadAsStringAsync().Result;
            Console.WriteLine(r);
        }
    }
}

And the service is secured like this: 并且服务是这样保护的: 

    private void ConfigureAuth(IAppBuilder app)
    {
        var azureADBearerAuthOptions = new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
            TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters()
            {
                ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
            }
        };

        app.UseWindowsAzureActiveDirectoryBearerAuthentication(azureADBearerAuthOptions);
    }

In my B2C tenant I have two different applications that are pretty much setup as this: 在我的B2C租户中,我有两个不同的应用程序,几乎设置如下:

Azure B2C应用程序设置 Both applications have been setup with secrets coming from the "keys" option. 两个应用程序都设置了来自“密钥”选项的秘密。 The keys generated are slightly differently structured than when using Azure Active Directory. 生成的密钥与使用Azure Active Directory时的结构略有不同。

I can successfully get a token, but I get 401 when trying to connect to the other service. 我可以成功获得令牌,但在尝试连接到其他服务时我得到401。 Do I have to do something different on the authorization side when using B2C compared to Azure Active Directory? 与Azure Active Directory相比,使用B2C时,是否必须在授权方面做一些不同的事情?

2 个解决方案

解决方案1
 5 已采纳  2017-10-31 20:48:49

Azure Active Directory B2C can issue access tokens for access by a web or native app to an API app if: 如果出现以下情况,Azure Active Directory B2C可以发出访问令牌,以便Web或本机应用程序访问API应用程序:

  1. Both of these apps are registered with B2C; 这两个应用程序都在B2C注册; and
  2. The access token is issued as result of an interactive user flow (ie the authorization code or implicit flows). 访问令牌作为交互式用户流(即授权代码或隐式流)的结果发布。

Currently, your specific scenario -- where you are needing an access token to be issued for access by a daemon or server app to the API app (ie the client credentials flow) -- isn't supported, however you can register both of these apps through the “App Registrations” blade for the B2C tenant. 目前,您的特定方案 - 您需要发出访问令牌以供守护程序或服务器应用程序访问API应用程序(即客户端凭据流) - 不受支持,但您可以注册这两个应用程序通过B2C租户的“App Registrations”刀片。

You can upvote support for the client credentials flow by B2C at: 您可以通过以下方式在B2C上支持客户端凭据流:

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/18529918-aadb2c-support-oauth-2-0-client-credential-flow https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/18529918-aadb2c-support-oauth-2-0-client-credential-flow

If the API app is to receive tokens from both the web/native app as well as the daemon/server app, then you will have to configure the API app to validate tokens from two token issuers: one being B2C and other being the Azure AD directory in your B2C tenant. 如果API应用程序要从Web /本机应用程序以及守护程序/服务器应用程序接收令牌,那么您必须配置API应用程序以验证来自两个令牌发行者的令牌:一个是B2C而另一个是Azure AD B2C租户中的目录。

解决方案2
 1  2018-03-13 07:02:03

I found the following very clear article from Microsoft which explains how to set up a "service account" / application which has management access to a B2C tenant . 我从Microsoft找到了以下非常明确的文章,其中解释了如何设置一个“服务帐户”/应用程序,该应用程序具有对B2C租户的管理访问权限 For me, that was the use case for which I wanted to "Authenticating as a Service with Azure AD B2C". 对我来说,这就是我想要“使用Azure AD B2C进行身份验证服务”的用例。

It is possible that having management access to a B2C tenant doesn't allow you access a protected resource for which your B2C tenant is the Authorization server (I haven't tried that), so the OP's use case may be slightly different but it feels very close. 对B2C租户进行管理访问可能无法访问您的B2C租户是授权服务器的受保护资源 (我没有尝试过),因此OP的用例可能略有不同但感觉不一样很接近。

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet

For automated, continuous tasks, you should use some type of service account that you provide with the necessary privileges to perform management tasks. 对于自动连续任务,您应使用您提供的某种类型的服务帐户以及执行管理任务所需的权限。 In Azure AD, you can do this by registering an application and authenticating to Azure AD. 在Azure AD中,您可以通过注册应用程序并对Azure AD进行身份验证来执行此操作。 This is done by using an Application ID that uses the OAuth 2.0 client credentials grant. 这是通过使用使用OAuth 2.0客户端凭据授权的应用程序ID来完成的。 In this case, the application acts as itself, not as a user, to call the Graph API. 在这种情况下,应用程序作为自身而不是用户来调用Graph API。 In this article, we'll discuss how to perform the automated-use case. 在本文中,我们将讨论如何执行自动用例。 To demonstrate, we'll build a .NET 4.5 B2CGraphClient that performs user create, read, update, and delete (CRUD) operations. 为了演示,我们将构建一个.NET 4.5 B2CGraphClient,它执行用户创建,读取,更新和删除(CRUD)操作。 The client will have a Windows command-line interface (CLI) that allows you to invoke various methods. 客户端将具有Windows命令行界面(CLI),允许您调用各种方法。 However, the code is written to behave in a noninteractive, automated fashion. 但是,代码编写为以非交互式自动方式运行。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Azure AD B2C Android 服务条款和政策 - Terms Of service And Policy on Azure AD B2C Android Azure AD B2C App Service验证密码重置 - Azure AD B2C App Service Auth password reset 面向用户的 Azure AD 和 Azure B2C - Azure AD and Azure B2C for users Azure AD B2C编辑属性 - Azure AD B2C edit attributes 删除 Azure B2C AD 租户 - Delete Azure B2C AD Tenant Azure AD B2C中的自定义策略 - Custom policies in Azure AD B2C Azure AD B2C 创建租户 - Azure AD B2C Create Tenant Azure AD B2C 策略使用 - Azure AD B2C policy usage 将 Azure AD B2C 与机器人结合使用 - Using Azure AD B2C with Bot 带有 spa 和 webapi 的 azure ad b2c - azure ad b2c with spa and webapi
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM