
Accessing user data from Azure B2C AD with OAuth 2.0

We want to authenticate users for our web application using OAuth 2.0 via Azure B2C AD. Users managed in the B2C AD will come from different sources: some we create ourselves, but most will sign up themselves, and we want to enable other identity providers such as GitHub or Google, hence Azure B2C AD instead of Azure Active Directory. We also want to put these users (including some of the self-signed-up ones) into groups.

The basic authentication workflow (including the signup process) works: we created an app in a B2C tenant, enabled Web API access, generated a client secret and a user flow for signing in and signing up, and set up our 3rd-party identity providers.

We initiate the user authentication on https://<tenant>.b2clogin.com/tfp/<tenant>.onmicrosoft.com/<user-flow>/oauth2/v2.0/authorize?client_id=<client-id>&redirect_uri=<redirect-uri>&scope=<client-id>&response_type=code

The user returns with a valid authorization code and we use that to request an access token from https://<tenant>.b2clogin.com/tfp/<tenant>.onmicrosoft.com/<user-flow>/oauth2/v2.0/token using the following POST data:

{
    "code":"<authorization-code>",
    "client_id":"<client-id>",
    "client_secret":"<client-secret>",
    "redirect_uri":"<redirect-uri>",
    "grant_type":"authorization_code"
}

We then want to use this access token to fetch the user's profile data (including username, email and group memberships) from the Azure AD Graph API ( https://graph.windows.net/ /me?api-version=1.6). The docs explicitly say that B2C directories must not use the new Microsoft Graph API: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet

The API responds that the token is expired:

<?xml version="1.0" encoding="utf-8"?><error
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"><code>Authentication_ExpiredToken</code><message
xml:lang="en">Your access token has expired. Please renew it before
submitting the request.</message></error>

But the timestamp in the token decoded by https://jwt.ms/ says otherwise:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "X5eXk4xyojNFum1kl2Ytv8dlNP4-c57dO6QGTVBwaNk"
}.{
  "iss": "https://<tenant>.b2clogin.com/<id>/v2.0/",
  "exp": 1553689573,
  "nbf": 1553685973,
  "aud": "<client-id>",
  "idp": "github.com",
  "name": "<username>",
  "oid": "<oid>",
  "sub": "<sub>",
  "emails": [
    "<email>"
  ],
  "tfp": "B2C_1_SignupAndSignin",
  "azp": "<client-id>",
  "ver": "1.0",
  "iat": 1553685973
}.[Signature]

However, the aud in the token is our app only, not the Azure AD Graph API. That suggests that the token issued by Azure B2C AD is simply not valid for the Graph API.

So our question is, what is the proper way to:

  • obtain an access token for a B2C AD user which will allow us to fetch user info
  • read profile and group memberships for an authenticated B2C AD user

Some answers to "Secure API with Azure AD/B2C users" suggest creating a second app to query the Graph API. Is that the only way to achieve our goals?

I don't think you will be able to use a B2C token to access the Azure AD Graph API.

You could use a B2C token to access some resource secured with B2C, e.g. an Azure Function or your app.

In this case I think you will need to use a service account to connect to the Azure AD Graph API on behalf of your user. Your app, on the server side, will need to implement the necessary role-based access control, e.g. only fetching the current user's info. You could use the B2C token (after it has been validated) in your app to discover who the current user is.

Azure AD B2C: Use the Azure AD Graph API

For B2C tenants, there are two primary modes of communicating with the Graph API.

  • For interactive, run-once tasks, you should act as an administrator account in the B2C tenant when you perform the tasks. This mode requires an administrator to sign in with credentials before that admin can perform any calls to the Graph API.
  • For automated, continuous tasks, you should use some type of service account that you provide with the necessary privileges to perform management tasks. In Azure AD, you can do this by registering an application and authenticating to Azure AD. This is done by using an Application ID that uses the OAuth 2.0 client credentials grant. In this case, the application acts as itself, not as a user, to call the Graph API.
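The following is an added example, not code from the question or the answer above, showing the server-side flow the answer describes in stdlib-only Python: parse the B2C token the browser hands back, check its claims (issuer, audience, time window, user flow) before trusting it, observe that its `aud` is the app's own client-id rather than `https://graph.windows.net/` (the mismatch the question points out), and then build the client-credentials request a service-account app uses to get a Graph token plus the Graph calls that look up only the validated user's profile and group memberships. The tenant name `contoso`, the client-ids, the secret and every claim value are constructed; RS256 signature verification against the tenant's JWKS is assumed to be done by a JWT library in production and is deliberately left out here.

```python
"""Added example (not from the original question or answer): B2C token claim
checks and the service-account path to Azure AD Graph, stdlib only.

Assumptions: the tenant is called "contoso", all ids/secrets/claims are
constructed placeholders, and signature verification is handled elsewhere.
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Dict, List, Tuple

# Azure AD Graph's resource identifier; a token must carry this as `aud`
# before Graph will accept it.
GRAPH_RESOURCE = "https://graph.windows.net/"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_jwt(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWT into (header, claims). No signature check here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def validate_b2c_claims(claims: Dict, tenant: str, client_id: str,
                        user_flow: str, now: int, leeway: int = 60) -> List[str]:
    """Return a list of claim problems; empty means the claims are acceptable.

    A b2clogin.com issuer looks like https://<tenant>.b2clogin.com/<dir-guid>/v2.0/;
    only the host prefix and the version suffix are checked here.
    """
    problems = []
    iss = claims.get("iss", "")
    if not iss.startswith(f"https://{tenant}.b2clogin.com/") or not iss.endswith("/v2.0/"):
        problems.append(f"unexpected issuer {iss!r}")
    aud = claims.get("aud")
    if aud != client_id:
        problems.append(f"audience {aud!r} is not this app")
    if claims.get("tfp") != user_flow:
        problems.append(f"token was issued by user flow {claims.get('tfp')!r}")
    if now >= claims.get("exp", 0) + leeway:
        problems.append("token expired")
    if now + leeway < claims.get("nbf", 0):
        problems.append("token not yet valid")
    return problems


def token_usable_for_graph(claims: Dict) -> bool:
    """Graph only honours tokens whose audience is Graph itself, never the app's own id."""
    return claims.get("aud") == GRAPH_RESOURCE


def graph_client_credentials_request(tenant: str, app_id: str, secret: str) -> urllib.request.Request:
    """Client-credentials grant (the answer's service-account mode) on the tenant's v1
    token endpoint, asking for a token whose resource is Azure AD Graph."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": secret,
        "resource": GRAPH_RESOURCE,
    }).encode()
    return urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant}.onmicrosoft.com/oauth2/token",
        data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def graph_user_requests(tenant: str, graph_token: str, oid: str) -> Tuple[urllib.request.Request, urllib.request.Request]:
    """Profile and group-membership requests for one user. The oid is taken from the
    *validated* B2C token, so the app can only ever look up the current user."""
    base = f"https://graph.windows.net/{tenant}.onmicrosoft.com/users/{oid}"
    auth = {"Authorization": f"Bearer {graph_token}"}
    profile = urllib.request.Request(f"{base}?api-version=1.6", headers=auth)
    groups = urllib.request.Request(
        f"{base}/getMemberGroups?api-version=1.6",
        data=json.dumps({"securityEnabledOnly": False}).encode(), method="POST",
        headers={**auth, "Content-Type": "application/json"})
    return profile, groups


def make_sample_token(claims: Dict) -> str:
    """Constructed token with the claim shape from the question; the signature is a dummy."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"not-a-real-signature")])


# Constructed claims mirroring the decoded token in the question (placeholders only).
SAMPLE_CLAIMS = {
    "iss": "https://contoso.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
    "exp": 1553689573, "nbf": 1553685973, "iat": 1553685973,
    "aud": "app-client-id", "azp": "app-client-id", "idp": "github.com",
    "name": "jane", "oid": "user-oid", "sub": "user-sub",
    "emails": ["jane@example.com"], "tfp": "B2C_1_SignupAndSignin", "ver": "1.0",
}

if __name__ == "__main__":
    _, claims = parse_jwt(make_sample_token(SAMPLE_CLAIMS))
    print("problems within lifetime:", validate_b2c_claims(claims, "contoso", "app-client-id", "B2C_1_SignupAndSignin", now=1553686000))
    print("usable against Graph:", token_usable_for_graph(claims))
    print("Graph token request:", graph_client_credentials_request("contoso", "svc-app-id", "svc-secret").full_url)
```

The two request builders return `urllib.request.Request` objects rather than sending them, so the flow can be inspected offline; in a deployment, `urllib.request.urlopen` on the first request yields the Graph access token, and that token goes into `graph_user_requests` for the oid taken from the validated B2C claims.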
