堆栈内存溢出
  简体   繁体   English

在ASP.NET Core 2.0中授权一项应用程序服务与另一项应用程序服务(无用户交互)

[英]Authorize one app service from another (no user interaction) in ASP.NET Core 2.0

 原文  2017-11-09 17:17:18       c#/ azure/ azure-web-sites/ azure-active-directory/ asp.net-core-2.0

问题描述

I have a Web API app in Azure facing internet (PubWeb), so it's used from anywhere. 我在面向Internet的Azure(PubWeb)中有一个Web API应用程序,因此可以在任何地方使用它。 And I created a Web API (again, in Azure, let's call it InWeb). 我创建了一个Web API(再次在Azure中,我们称其为InWeb)。 And I want strong security rules: 我想要强大的安全性规则:

  1. InWeb must be used only by the PubWeb. InWeb必须仅由PubWeb使用。 This might involve some network security - that's an easy part (in Azure). 这可能涉及一些网络安全性-在Azure中这很容易。
  2. PubWeb must be authorized by Azure AD somehow in order to use InWeb services. 必须使用Azure AD授权PubWeb,才能使用InWeb服务。 Service Principals, certificates, etc comes to mind. 想到服务主体,证书等。 But I'm not sure. 但是我不确定。

So what's the best possible solution for 2? 那么2的最佳解决方案是什么?

UPDATE - here's InWeb Core 2.0 Auth setup: 更新 -这是InWeb Core 2.0身份验证设置: 

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddAzureAdBearer(options => Configuration.Bind("AzureAd", options));

    services.AddMvc(options => { options.InputFormatters.Add(new TextPlainInputFormatter()); });
}

1 个解决方案

解决方案1
 5 已采纳  2017-11-09 19:45:10

You will have to register both APIs as applications in Azure AD. 您必须将两个API都注册为Azure AD中的应用程序。 This can be done from the Azure Active Directory blade's App registrations . 这可以通过Azure Active Directory刀片服务器的应用程序注册来完成

Now I assume the calls to PubWeb are not authenticated with Azure AD bearer tokens. 现在,我假设未使用Azure AD承载令牌对对PubWeb的调用进行身份验证。 That means your only option is to use application permissions and the client credentials grant when calling InWeb. 这意味着您唯一的选择是在调用InWeb时使用应用程序权限和客户端凭据授予。

To define an application permission, you must add an "app role" to InWeb's manifest. 要定义应用程序权限,必须在InWeb的清单中添加“应用程序角色”。 You can open the manifest by clicking the Manifest button in the InWeb application's blade in Azure AD. 您可以通过单击Azure AD中InWeb应用程序刀片中的“清单”按钮来打开清单。

Here is an example app role: 这是一个示例应用角色: 

"appRoles": [
{
  "allowedMemberTypes": [
    "Application"
  ],
  "displayName": "Read all things",
  "id": "32028ccd-3212-4f39-3212-beabd6787d81",
  "isEnabled": true,
  "description": "Allow the application to read all things as itself.",
  "value": "Things.Read.All"
}
],

You should generate a new id for it, and set the display name and description to whatever you want. 您应该为其生成一个新的ID,并将显示名称和描述设置为所需的任何名称。 The value is what will be present in the token when PubWeb calls InWeb. 是当PubWeb调用InWeb时令牌中将出现的

Now you have to go PubWeb's blade, and go to Required permissions. 现在,您必须转到PubWeb的刀片服务器,然后转到“必需”权限。

There you must go to Add -> Select InWeb -> Tick the application permission you just defined. 在那里,您必须转到添加->选择InWeb->选中刚定义的应用程序权限。

And then click Grant permissions . 然后单击“ 授予权限” Now PubWeb has rights to call InWeb. 现在PubWeb有权调用InWeb。

You will also need to generate a key/client secret for PubWeb. 您还需要为PubWeb生成密钥/客户端密钥。 That is essentially its password. 那实际上是它的密码。 You will also need the client id/application id of PubWeb. 您还将需要PubWeb的客户端ID /应用ID。

You will also need the App ID URI of InWeb. 您还将需要InWeb的应用程序ID URI You can find it from its Properties in its blade in Azure AD. 您可以在Azure AD的刀片中的“属性”中找到它。 This will be the resource we will acquire a token for from PubWeb. 这将是我们将从PubWeb获得令牌的资源

You will also need your Azure AD's id. 您还将需要您的Azure AD的ID。 You can find it from Properties in the main Azure AD blade. 您可以从主Azure AD刀片服务器的“属性”中找到它。

Now to get the token, you need to use the OAuth2 client credentials grant flow. 现在,要获取令牌,您需要使用OAuth2客户端凭据授予流程。 Easiest way is to use a library like ADAL: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries . 最简单的方法是使用类似ADAL的库: https ://docs.microsoft.com/zh-cn/azure/active-directory/develop/active-directory-authentication-libraries。

If you want to do it manually, you can find detailed info on the HTTP call here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service#service-to-service-access-token-request 如果要手动执行此操作,可以在以下HTTP调用中找到详细信息: https : //docs.microsoft.com/zh-cn/azure/active-directory/develop/active-directory-protocols-oauth-service -to-服务#服务到服务的访问令牌请求

It looks something like this: 看起来像这样: 

POST /contoso.com/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=625bc9f6-3bf6-4b6d-94ba-e97cf07a22de&client_secret=qkDwDJlDfig2IpeuUZYKH1Wb8q1V0ju6sILxQQqhJ+s=&resource=https%3A%2F%2Fservice.contoso.com%2F

Set the client id to PubWeb's client id, and the client secret to PubWeb's client secret. 将客户端ID设置为PubWeb的客户端ID,并将客户端密钥设置为PubWeb的客户端密钥。 The resource should be the App ID URI of InWeb. 资源应为InWeb的App ID URI。

You should receive an access token in response, which you will need to attach to request's you make to InWeb as a header: 您应该收到一个访问令牌作为响应,您需要将其附加到您在InWeb上发出的请求作为标头: 

Authorization: Bearer access-token-here

Now of course InWeb will also have to authenticate the token. 现在,当然,InWeb还必须对令牌进行身份验证。 Here is a .NET example app (there are examples for others too): https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-oauth2-appidentity/blob/master/TodoListService/App_Start/Startup.Auth.cs 这是一个.NET示例应用程序(也有其他示例): https : //github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-oauth2-appidentity/blob/master/TodoListService/App_Start/ Startup.Auth.cs

That project actually also has a client calling the API with the client credentials flow: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-oauth2-appidentity/blob/master/TodoListWebApp/Controllers/TodoListController.cs#L95 . 该项目实际上还具有一个使用客户端凭证流调用该API的客户端: https : //github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-oauth2-appidentity/blob/master/TodoListWebApp/Controllers/ TodoListController.cs#L95

Sorry for the lengthy answer, I wanted to put in a bit of detail :) 抱歉,冗长的答案,我想再详细一点:)

But feel free to ask if you have questions about some specific parts. 但是,请随时询问您是否对某些特定部分有疑问。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 ASP.NET Core 2.0-Razor-授权 - ASP.NET Core 2.0 - Razor - Authorize Asp.net Core授权用户使用策略 - Asp.net Core Authorize user with Policy 如何将UserManager注入到ASP.NET Core 2.0中的另一个服务 - How to inject UserManager to another service in ASP.NET Core 2.0 ASP.NET CORE 2.0-[授权]不会阻止其余api访问未经授权的用户 - ASP.NET CORE 2.0 - [Authorize] doen't block the rest api access to unauthorized user ASP.NET Core 2.0无法在Razor视图或控制器[authorize]注释中检查用户是否正确处于角色中 - ASP.NET Core 2.0 unable to check if user is in role properly in Razor view or controller [authorize] annotation 从 ASP.NET Core 2.0 控制台应用程序监控 Azure 服务总线队列深度 - Monitoring Azure Service Bus Queue Depth from ASP.NET Core 2.0 Console App ASP.NET核心使用来自appsettings的AD组授权角色 - ASP.NET core authorize role with AD group from appsettings ASP.NET Core 2.0服务寿命 - ASP.NET Core 2.0 service life time asp.net core 2.0 中的 WCF 服务凭据 - WCF service credentials in asp.net core 2.0 ASP.NET Core 2.0 HttpSys Windows 身份验证因 Authorize 属性而失败(InvalidOperationException:未指定身份验证方案) - ASP.NET Core 2.0 HttpSys Windows Authentication fails with Authorize attribute (InvalidOperationException: No authenticationScheme was specified)
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM