Windows Service connect to Azure AD as User (MFA)
I have a service which needs to run under a user context, because some endpoints of Microsoft need a user context to execute. My problem now is that from 01.09.2019 MFA is mandatory. So, at least at the beginning, the service needs a person who logs in, but this is not possible because it is a non-interactive Windows Service. So my question is, is it possible to log in as a user by code or not? If it is, how? And will the refresh token be stored in the AAD cache?
```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL, .NET desktop platform
// Hint at which cached account to use (displayable id, e.g. the UPN) so ADAL can resolve it silently
UserIdentifier user = new UserIdentifier(Cred.UserName, UserIdentifierType.OptionalDisplayableId);
// PromptBehavior.Auto: silent when a usable token is cached, otherwise shows the sign-in dialog
return Task.Run(() => authContext.AcquireTokenAsync(
    "https://api.partnercenter.microsoft.com",    // resource
    Cred.ApplicationId,                           // client id
    new Uri("http://localhost"),                  // redirect URI
    new PlatformParameters(PromptBehavior.Auto),
    user)).Result;
```
You'll need to have some kind of app that authenticates the user and stores their refresh token in a secure place like an Azure Key Vault. Your background service can then use the refresh token to get a new access token and new refresh token. You can use the access token to call the API and store the new refresh token over the old one.
Then if the refresh token does not work, you'll need to repeat the authentication process. Refresh tokens can become invalid for various reasons, so your app needs to be ready for that.
"is it possible to log in as a user by code or not?"
Yes, it is possible.
At authentication time the app receives both sign-in info (the id_token) and artifacts (e.g. an authorization code) that the app can use for obtaining an access token. That token can be used to access other resources.
This sample shows how to use MSAL to redeem the authorization code into an access token, which is saved in a cache along with any other useful artifact (such as associated refresh_tokens) so that it can be used later on in the application.
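The flow both answers describe (redeem the authorization code once, persist the MSAL cache with its refresh token in Key Vault, let the service acquire silently and write any rotated refresh token back, and fall back to a fresh sign-in when the refresh token is dead), written out as an added example. This is not code from the question or from either answer; it assumes MSAL.NET (Microsoft.Identity.Client) rather than the ADAL library used in the question, plus the Azure.Security.KeyVault.Secrets and Azure.Identity packages. The class name TokenBroker, the secret name "msal-user-cache", the vault URI and the Partner Center scope string are assumptions.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Identity.Client;

// Hypothetical helper shared by the interactive bootstrap tool and the Windows Service.
public sealed class TokenBroker
{
    // Assumed scope, derived from the resource URL in the question's ADAL call.
    private static readonly string[] Scopes =
        { "https://api.partnercenter.microsoft.com/user_impersonation" };
    private const string CacheSecretName = "msal-user-cache"; // hypothetical secret name

    private readonly IConfidentialClientApplication _app;
    private readonly SecretClient _vault;

    public TokenBroker(string tenantId, string clientId, string clientSecret, Uri vaultUri)
    {
        // The service's own identity (managed identity in production via DefaultAzureCredential)
        // is what gets Key Vault access; the user's refresh token never lands on local disk.
        _vault = new SecretClient(vaultUri, new DefaultAzureCredential());

        _app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .WithRedirectUri("http://localhost") // must match the app registration
            .Build();

        // Persist the MSAL user cache in Key Vault: load it before every cache access and
        // write it back after any access that changed it (e.g. a rotated refresh token).
        _app.UserTokenCache.SetBeforeAccess(args =>
        {
            try
            {
                KeyVaultSecret secret = _vault.GetSecret(CacheSecretName).Value;
                args.TokenCache.DeserializeMsalV3(Convert.FromBase64String(secret.Value));
            }
            catch (RequestFailedException ex) when (ex.Status == 404)
            {
                // First run: no cache yet because nobody has completed the interactive sign-in.
            }
        });
        _app.UserTokenCache.SetAfterAccess(args =>
        {
            if (args.HasStateChanged)
            {
                byte[] bytes = args.TokenCache.SerializeMsalV3();
                _vault.SetSecret(CacheSecretName, Convert.ToBase64String(bytes));
            }
        });
    }

    // One-time bootstrap, run by an interactive helper (not by the service): the user signs in
    // in a browser (MFA happens there), the helper receives the authorization code, and MSAL
    // stores the resulting refresh token in the cache, i.e. in Key Vault.
    public Task<AuthenticationResult> RedeemAuthorizationCodeAsync(string authorizationCode) =>
        _app.AcquireTokenByAuthorizationCode(Scopes, authorizationCode).ExecuteAsync();

    // Called by the Windows Service on every run. Silent acquisition uses the cached refresh
    // token; if Azure AD rotates it, SetAfterAccess writes the new one over the old one.
    // Returns null when the refresh token is missing or no longer accepted, so the caller can
    // raise the "bootstrap needed" alarm instead of retrying against a dead token.
    public async Task<string> GetAccessTokenAsync()
    {
        IAccount account = (await _app.GetAccountsAsync()).FirstOrDefault();
        if (account == null)
            return null; // no cached user: the bootstrap has not run yet

        try
        {
            AuthenticationResult result = await _app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
            return result.AccessToken;
        }
        catch (MsalUiRequiredException)
        {
            // Refresh token expired or revoked, or Conditional Access now demands a new
            // interactive sign-in: the "repeat the authentication process" case from answer 1.
            return null;
        }
    }
}
```

Two points a practitioner should check before running this in production: the account whose refresh token lives in the vault should be a dedicated, least-privileged user rather than an administrator's account, because anyone with read access to that secret can act as that user until the token is revoked; and a null from GetAccessTokenAsync should be surfaced as an alert, since the service cannot recover on its own once the refresh token stops working.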