简体繁体 English

使用两个azure AD应用程序注册移动和Web

[英]Using two azure AD app registrations for mobile and web

原文 2019-03-14 04:39:40 4 3 spring/ azure/ azure-active-directory/ adal4j

I have a mobile app which gets token directly from azure login. 我有一个移动应用程序，直接从azure登录获取令牌。 And I have a service which is using adal4j in spring boot. 我有一个在春季启动时使用adal4j的服务。 I cannot use the mobile generated token to authenticate spring service. 我无法使用移动生成的令牌来验证spring服务。 Becase I use two different azure app registrations for mobile and web service. 因为我使用两种不同的azure应用程序注册移动和Web服务。 Is there a way to accomplish this ? 有没有办法实现这个目标？

3 个解决方案

Yes, the OAuth 2.0 on-behalf-of flow should applies to your scenario. 是的， OAuth 2.0代表流应该适用于您的方案。 These steps constitute the On-Behalf-Of flow. 这些步骤构成了On-Behalf-Of流程。

My understanding is that you have created 2 Enterprise Applications in Azure. 我的理解是您在Azure中创建了2个企业应用程序。 1) An Enterprise Application for your mobile app (Type: Native) 2) An Enterprise Application for your Web API app (Type: WebAPI) 1）移动应用程序的企业应用程序（类型：本机）2）Web API应用程序的企业应用程序（类型：WebAPI）

For native app, you will not need a client secret but you will need a client secret for the Web API app. 对于本机应用程序，您不需要客户端密钥，但您需要Web API应用程序的客户端密钥。

Now coming to the key configurations: In both of these, please update the manifest file to have oauth2AllowImplicitFlow set to true Also, in your Web API Enterprise Application, please have the app id of your native app in the known client apps "knownClientApplications": [" 现在进入关键配置：在这两个配置中，请更新清单文件以将oauth2AllowImplicitFlow设置为true此外，在您的Web API企业应用程序中，请在已知客户端应用程序“knownClientApplications”中拥有您的本机应用程序的应用程序ID： [”

Now, when calling your Web API through an end-point from the Native application, pass your token in your request header as "Authorization": "Bearer " 现在，当通过Native应用程序的端点调用Web API时，将请求标头中的令牌作为“授权”传递：“Bearer”

Also note: if you need to retrieve group claims, please update the manifest in both your enterprise apps to have the following setting for this property "groupMembershipClaims": "SecurityGroup" 另请注意：如果您需要检索组声明，请更新两个企业应用中的清单，以便为此属性“groupMembershipClaims”设置以下设置：“SecurityGroup”

Update: Under permissions in the native app, please add the Web API app registration to allow access 更新：在本机应用程序的权限下，请添加Web API应用程序注册以允许访问

Azure AD issues a token for certain resource (which is mapped to an Azure AD app). Azure AD为特定资源（映射到Azure AD应用程序）发出令牌。 When we call AcquireToken(), we need to provide a resourceID, only ONE resourceID. 当我们调用AcquireToken（）时，我们需要提供一个resourceID，只需要一个resourceID。 The result would have a token that can only be used for the supplied resource (id). 结果将具有只能用于提供的资源（id）的令牌。 There are ways where you could use the same token , but it is not recommended as it complicates operations logging, authentication process tracing, etc. Therefore it is better to look at the other options provided by Azure and the ADAL library. 有些方法可以使用相同的令牌，但不建议这样做，因为它会使操作日志记录，身份验证过程跟踪等变得复杂。因此，最好查看Azure和ADAL库提供的其他选项。 The ADAL library supports acquiring multiple access-Tokens for multiple resources using a refresh token. ADAL库支持使用刷新令牌为多个资源获取多个访问令牌。 This means once a user is authenticated, the ADAL's authentication context, would be able to generate an access-token to multiple resources without authenticating the user again. 这意味着一旦用户通过身份验证，ADAL的身份验证上下文就能够为多个资源生成访问令牌，而无需再次对用户进行身份验证。