
Web API chains (On-Behalf-Of) in Azure AD B2C

According to this documentation, the on-behalf-of flow is not supported in B2C:

Web API chains (On-Behalf-Of) is not supported by Azure AD B2C.

Many architectures include a web API that needs to call another downstream web API, both secured by Azure AD B2C. This scenario is common in native clients that have a web API back end, which in turn calls a Microsoft online service such as the Azure AD Graph API.

This chained web API scenario can be supported by using the OAuth 2.0 JWT Bearer Credential grant, otherwise known as the On-Behalf-Of flow. However, the On-Behalf-Of flow is not currently implemented in Azure AD B2C.


Can't I just pull out the JWT from the first Web API request and pass it along to the next Web API? I know technically, I can, but is there a reason I wouldn't want to?

This approach would only work if both Web APIs are configured for the same B2C App. Maybe that is the difference. Is the documentation referring to 2 separate B2C apps maybe?


Reference: Access the JWT bearer token when using the JWT middleware in ASP.NET Core

The OAuth 2.0 On-Behalf-Of flow is related to a first resource, "https://resourceserver1", receiving an access token from a client; then exchanging this access token for another access token for access by the delegated identity to a second resource, "https://resourceserver2", without any user interaction; and then sending that access token to the second resource.

This Azure AD documentation explains the On-Behalf-Of flow.

Given this, two different applications are necessary for two different resources, which in turn can require two different scopes.

You can vote for this feature at B2C Support for on-behalf-of flow.
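To make the two points in this thread concrete (why simply forwarding the first API's token to the second API fails its audience check unless both APIs share one app registration, and what the On-Behalf-Of exchange that Azure AD, not B2C, offers instead looks like on the wire), here is an added example that is not part of the original question or answer. The token values, client credentials and scope are constructed placeholders; the form field names are those Azure AD documents for the OBO grant.

```python
import base64
import json
from urllib.parse import urlencode

# Audiences named in the answer; everything else below is constructed for the demo.
API1_AUD = "https://resourceserver1"   # first Web API
API2_AUD = "https://resourceserver2"   # downstream Web API


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(claims: dict) -> str:
    """Constructed, unsigned JWT so the audience check has input. Real tokens
    are signed and the API's JWT middleware verifies that signature first."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def token_claims(token: str) -> dict:
    """Decode the payload segment (signature verification is out of scope here)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_accepted(token: str, expected_aud: str) -> bool:
    """Resource-server check: the token's `aud` must name this API.
    `aud` may be a string or a list, so both forms are handled."""
    aud = token_claims(token).get("aud", [])
    return expected_aud in (aud if isinstance(aud, list) else [aud])


def build_obo_request(incoming_token: str, downstream_scope: str,
                      client_id: str, client_secret: str) -> str:
    """Form body API 1 would POST to the Azure AD token endpoint to trade the
    token it received for one scoped to API 2 (the OBO / JWT bearer grant)."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_token,      # token the client sent to API 1
        "scope": downstream_scope,        # scope API 2 expects
        "requested_token_use": "on_behalf_of",
    })


if __name__ == "__main__":
    tok = make_demo_token({"aud": API1_AUD, "sub": "user-123", "scp": "read"})
    print(audience_accepted(tok, API1_AUD))   # True: API 1 accepts it
    print(audience_accepted(tok, API2_AUD))   # False: forwarding it fails
    print(build_obo_request(tok, API2_AUD + "/.default", "<client-id>", "<secret>"))
```

The second print shows the case the question asks about: a token minted for API 1 carries API 1's audience, so API 2 rejects it unless both APIs are registered as the same application.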
