Azure AD Authentication in dotnet core 2 API and daemon application

I'm struggling to determine the best route to authenticate using Azure Active Directory for my dotnet core web API.

Here is the situation:

  • An application created in Azure Active Directory that the Web API uses to authenticate users. It has multiple application roles associated with it.
  • A daemon application that needs to authenticate to the Web API.

What is the best solution to solve the authentication situation? It's difficult to find clear documentation on how to actually solve this.

Thank you for your advice and help!

Your daemon app will need to use application permissions (app roles with member type = Application) to call the API. You can see how to define those here: https://joonasw.net/view/defining-permissions-and-roles-in-aad

For example, this is how one looks in the manifest:

{
  "appRoles": [
    {
      "allowedMemberTypes": [
        "Application"
      ],
      "displayName": "Read all todo items",
      "id": "f8d39977-e31e-460b-b92c-9bef51d14f98",
      "isEnabled": true,
      "description": "Allow the application to read all todo items as itself.",
      "value": "Todo.Read.All"
    }
  ]
}

Then you assign the app permission to your daemon app.

After that it's a simple matter of authenticating with client credentials from the daemon app. With ADAL.NET, for example, you would acquire a token with ClientCredential + the resource URI of the API. You can find the URI in your API's app registration (Properties blade, App ID URI).

You can then attach the resulting access token to HTTP requests, and the API can find from the appid claim who the calling app is, and from the roles claim what app permissions it has.
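The two halves of the flow described in the answer above, as an added example rather than code from the answerer: the daemon acquires an app-only token with ADAL.NET (Microsoft.IdentityModel.Clients.ActiveDirectory) using client credentials and the API's App ID URI as the resource, and the ASP.NET Core 2.x API validates the bearer token and gates the endpoint on the Todo.Read.All app role from the manifest. The tenant id, client id, App ID URI (https://contoso.onmicrosoft.com/todo-api), API address and route are placeholder assumptions; the secret is assumed to come from a secret store.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// ===== Daemon side: client credentials grant with ADAL.NET =====
public static class DaemonClient
{
    // Placeholder values (assumptions): your tenant, the daemon's own app registration,
    // and the App ID URI of the API (Properties blade of the API's app registration).
    const string Authority    = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000";
    const string ClientId     = "11111111-1111-1111-1111-111111111111";
    const string ClientSecret = "<load from Key Vault or environment, never from source>";
    const string ApiResource  = "https://contoso.onmicrosoft.com/todo-api";

    public static async Task<string> CallApiAsync()
    {
        var authContext = new AuthenticationContext(Authority);
        var credential  = new ClientCredential(ClientId, ClientSecret);

        // No user is involved; the resulting token's "roles" claim lists the app permissions
        // assigned to the daemon, and its "appid" claim is the daemon's client id.
        AuthenticationResult result = await authContext.AcquireTokenAsync(ApiResource, credential);

        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", result.AccessToken);

            // Assumed API address. 401 means the token failed validation (wrong audience/issuer,
            // expired); 403 means it validated but lacks the required app role.
            var response = await http.GetAsync("https://localhost:5001/api/todo");
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }
}

// ===== API side: ASP.NET Core 2.x with Microsoft.AspNetCore.Authentication.JwtBearer =====
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Issuer and signing keys are discovered from the tenant's OpenID Connect metadata,
                // so a token minted by another tenant is rejected.
                options.Authority = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000";
                // Must equal the App ID URI the daemon requested as the resource; a token issued
                // for some other API (different "aud") is rejected even if it is otherwise valid.
                options.Audience = "https://contoso.onmicrosoft.com/todo-api";
            });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must come before MVC so that User is populated from the token
        app.UseMvc();
    }
}

[Route("api/[controller]")]
public class TodoController : Controller
{
    // The JWT handler maps the token's "roles" claim onto the identity's role claim type, so
    // Roles = "Todo.Read.All" enforces the app permission. A daemon that was never assigned
    // the permission receives a token with no "roles" claim at all and is answered 403.
    [HttpGet]
    [Authorize(Roles = "Todo.Read.All")]
    public IActionResult Get()
    {
        // "appid" is the client id of the calling application: log it, and compare it against an
        // allow-list if only specific daemons (not every app granted the role) may call this API.
        string callerAppId = User.FindFirst("appid")?.Value;
        return Ok(new { caller = callerAppId, items = new[] { "buy milk" } });
    }
}
```

Two checks worth keeping in mind when wiring this up: the Audience on the API must match the resource string the daemon passes to AcquireTokenAsync exactly, and the daemon must have been granted the application permission (and admin consent recorded) before the roles claim appears in its tokens; if either is off, the daemon sees a 401 or 403 with no further detail from the API.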
