Azure AD Authentication in dotnet core 2 API and daemon application
I'm struggling to determine the best route to authenticate using Azure Active Directory for my dotnet core web API.
Here is the situation:
What is the best solution to solve the authentication situation? It's difficult to find clear documentation on how to actually solve this.
Thank you for your advice and help!
Your daemon app will need to use application permissions (app roles with member type = Application) to call the API. You can see how to define those here: https://joonasw.net/view/defining-permissions-and-roles-in-aad .
For example, this is how one looks like in the manifest:
{
  "appRoles": [
    {
      "allowedMemberTypes": [
        "Application"
      ],
      "displayName": "Read all todo items",
      "id": "f8d39977-e31e-460b-b92c-9bef51d14f98",
      "isEnabled": true,
      "description": "Allow the application to read all todo items as itself.",
      "value": "Todo.Read.All"
    }
  ]
}
Then you assign the app permission to your daemon app.
After that it's a simple matter of authenticating with client credentials from the daemon app. With ADAL.NET for example, you would acquire a token with ClientCredential + the resource URI of the API. You can find the URI from your API's app registration (Properties blade, App ID URI).
You can then attach the resulting access token to HTTP requests and the API can find from the appid claim who the calling app is, and from the roles claim what app permissions they have.
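The flow described in this answer, written out as an added example (not code from the answer or from the linked article): the daemon acquires an app-only token with ADAL.NET and the ASP.NET Core 2.x API validates it and checks the roles and appid claims. The tenant id, client id/secret, App ID URI and host names are placeholders.

```csharp
// Daemon (ADAL.NET client credentials) and the ASP.NET Core 2.x API it calls, in one listing.
// Tenant id, client id/secret, App ID URI and host names are placeholders.
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
public static class AadSettings
{
    public const string Authority = "https://login.microsoftonline.com/<tenant-id>";
    // App ID URI from the API's app registration (Properties blade); it becomes the token's audience.
    public const string ApiResource = "https://<tenant>.onmicrosoft.com/<api-name>";
}

// Daemon side: no user is involved, so the app authenticates as itself with its own credential.
public static class DaemonClient
{
    public static async Task<string> CallApiAsync(string clientId, string clientSecret)
    {
        var ctx = new AuthenticationContext(AadSettings.Authority);
        var credential = new ClientCredential(clientId, clientSecret);
        AuthenticationResult result = await ctx.AcquireTokenAsync(AadSettings.ApiResource, credential);
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", result.AccessToken);
            return await http.GetStringAsync("https://<api-host>/api/todo");
        }
    }
}

// API side, called from Startup.ConfigureServices: validate issuer, signature and audience.
public static class ApiAuthSetup
{
    public static void AddAadBearer(IServiceCollection services) =>
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(o => { o.Authority = AadSettings.Authority; o.Audience = AadSettings.ApiResource; });
}

// The JWT handler maps "roles" to ClaimTypes.Role, so [Authorize(Roles)] checks the app permission; "appid" keeps its raw name.
[Authorize(Roles = "Todo.Read.All")]
public class TodoController : Controller
{
    [HttpGet("api/todo")]
    public IActionResult Get() => Ok(new { caller = User.FindFirst("appid")?.Value });
}
```

The API's Startup.Configure still needs app.UseAuthentication() before app.UseMvc(), otherwise the bearer token is never validated and every request reaches the controller anonymous.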