堆栈内存溢出
  简体   繁体   English

Windows服务以用户(MFA)身份连接到Azure AD

[英]Windows Service connect to Azure AD as User (MFA)

 原文  2019-09-16 14:56:44       c#/ azure/ adal

问题描述

I have a service which needs to run under user context, because some endpoints of Microsoft need an user context to execute. 我有一个需要在用户上下文中运行的服务,因为Microsoft的某些端点需要用户上下文才能执行。 My problem now is 01.09.2019 MFA is mandatory. 我的问题现在是01.09.2019强制性MFA。 So, at least at the beginning, the service needs a person who logs in, but this is not possible because it is an non interactive Windows Service. 因此,至少在开始时,该服务需要一个登录人员,但这是不可能的,因为它是非交互式Windows服务。 So my question is, it is possible to login as a user by code or not? 所以我的问题是,是否可以通过代码以用户身份登录? If it is, how? 如果是,怎么办? And will the refresh token be stored in the aad cache? 刷新令牌是否将存储在aad缓存中? 

UserIdentifier user = new UserIdentifier(Cred.UserName,UserIdentifierType.OptionalDisplayableId);



        return Task.Run(() => authContext.AcquireTokenAsync(
            "https://api.partnercenter.microsoft.com",
            Cred.ApplicationId,
            new Uri("http://localhost"),
            new PlatformParameters(PromptBehavior.Auto),
            user)).Result;

2 个解决方案

解决方案1
 2 已采纳  2019-09-16 15:14:28

You'll need to have some kind of app that authenticates the user and stores their refresh token in a secure place like an Azure Key Vault. 您需要具有某种可对用户进行身份验证并将其刷新令牌存储在安全位置(如Azure Key Vault)的应用。 Your background service can then use the refresh token to get a new access token and new refresh token. 然后,您的后台服务可以使用刷新令牌来获取新的访问令牌和新的刷新令牌。 You can use the access token to call the API and store the new refresh token over the old one. 您可以使用访问令牌来调用API,并将新的刷新令牌存储在旧的令牌上。

Then if the refresh token does not work, you'll need to repeat the authentication process. 然后,如果刷新令牌不起作用,则需要重复身份验证过程。 Refresh tokens can go invalid for some reasons, so your app needs to be ready for that. 由于某些原因,刷新令牌可能会失效,因此您的应用需要为此做好准备。

解决方案2
 0  2019-09-16 16:21:34

it is possible to login as a user by code or not? 是否可以通过代码以用户身份登录? yes it is possible 对的,这是可能的

In Authentication time the app receives both sign in info (the id_token) and artifacts (ex: an authorization code) that the app can use for obtaining an access token. 在身份验证期间,应用程序会接收登录信息(id_token)和构件(例如授权码),应用程序可使用该构件来获取访问令牌。 That token can be used to access other resources - 该令牌可用于访问其他资源-

This sample shows how to use MSAL to redeem the authorization code into an access token, which is saved in a cache along with any other useful artifact (such as associated refresh_tokens) so that it can be used later on in the application. 样本说明如何使用MSAL将授权代码赎回为访问令牌,该访问令牌与其他任何有用的工件(例如关联的refresh_tokens)一起保存在缓存中,以便以后可以在应用程序中使用。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 有没有办法通过控制台应用程序C#连接启用了Azure AD MFA的Outlook邮箱? - Is there a way to connect Azure AD MFA enabled outlook mailbox through a console application C#? Windows窗体或WPF桌面应用程序通过MFA登录到Azure AD以访问Web API - Windows Forms or WPF Desktop App logging in to azure AD with MFA to access web api 不幸的是,我有一个连接到交换 Web 服务的 azure 函数,使用的服务帐户启用了 MFA - I have an azure functions that connect to exchange web service unfortunately the service account used has MFA enabled 使用Azure App Service中的Powershell命令连接到Azure AD - Connect to Azure AD using Powershell commands from Azure App Service 使用 AAD/MFA 凭证连接到多个 Azure DB - Connect to Multiple Azure DBs with AAD/MFA Credentials OpenIDConnect连接到Azure AD - OpenIDConnect to Connect to Azure AD 使用OpenId Connect与Azure AD然后模拟现有的身份用户 - Using OpenId Connect with Azure AD then impersonate an existing Identity User Azure AD-HTTP / 1.1 401未经授权-Windows Service - Azure AD - HTTP/1.1 401 Unauthorized - Windows Service 获取分配给 Windows 计算机上登录用户的 Azure AD 组 - Get Azure AD groups assigned to login user on windows machine Azure AD 用户管理器 - User manager with Azure AD
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM