OAuth 2.0 授权码授权流程与客户端凭证授权流程
[英]OAuth 2.0 auth code grant flow vs client credential grant flow
问题描述
We have a 3rd party mobile app.
我们有一个 3rd 方移动应用程序。 Which during the login process creates an access token to access one of our API(.netcore) using the Authorization code grant flow.在登录过程中创建访问令牌以使用授权代码授予流程访问我们的 API(.netcore)之一。
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
The mobile app displays many tiles.移动应用程序显示许多图块。 After login, when the user clicks on one of the tiles, I want to call another .netcore API(using the access_token).登录后,当用户单击其中一个图块时,我想调用另一个 .netcore API(使用 access_token)。
I was planning to use client credential flow for the second API call as it does not require user interaction.我计划将客户端凭据流用于第二个 API 调用,因为它不需要用户交互。
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow
But the API endpoint(in the code) checks the Claims to get the userID and client credential flow creates a jwt token without the user information(as there is no user interaction).但是 API 端点(在代码中)检查声明以获取用户 ID,并且客户端凭据流创建一个没有用户信息的 jwt 令牌(因为没有用户交互)。
Am I using the correct flow?我使用正确的流程吗? Is there a way to use authorization code grant flow when clicking the tile(without needing a user interaction)?单击磁贴时是否可以使用授权代码授予流程(无需用户交互)?
1 个解决方案
解决方案1
1 2019-11-05 09:35:12
You can only get the user information when use auth code flow which need a user interaction.您只能在使用需要用户交互的身份验证代码流时获取用户信息。
I noticed that you are using v1.0 endpoint, you can put the api uri in the resource parameter.我注意到您使用的是 v1.0 端点,您可以将 api uri 放在资源参数中。 Scope parameter isn't needed for v1.0 endpoint. v1.0 端点不需要 Scope 参数。 You can get the access token silently after logging in.您可以在登录后静默获取访问令牌。
Here is the code snippet for your reference.这是供您参考的代码片段。
// Because we signed-in already in the WebApp, the userObjectId is know
string userObjectID = (User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
// Using ADAL.Net, get a bearer token to access the TodoListService
AuthenticationContext authContext = new AuthenticationContext(AzureAdOptions.Settings.Authority, new NaiveSessionCache(userObjectID, HttpContext.Session));
ClientCredential credential = new ClientCredential(AzureAdOptions.Settings.ClientId, AzureAdOptions.Settings.ClientSecret);
result = await authContext.AcquireTokenSilentAsync(AzureAdOptions.Settings.TodoListResourceId, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
// Retrieve the user's To Do List.
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, AzureAdOptions.Settings.TodoListBaseAddress + "/api/todolist");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = await client.SendAsync(request);
Reference:参考:
active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore 活动目录-dotnet-webapp-webapi-openidconnect-aspnetcore
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.