
Securing API with client credentials via Azure AD

I have an ASP.NET Core API hosted in Azure which is to be accessed by several trusted clients. I wish to offer an /auth endpoint which accepts a client_id and client_secret. Response will be an OAuth access token with expiry.

The many examples/tutorials I have found mostly relate to username/password login and full OAuth flow (B2C), which isn't what I'm looking for as the trusted clients have the secret.

I've been looking at Azure API Management, which links through to Azure AD for OAuth, but I'm thinking this is just complicating things right now.

In the past I have generated and validated JWT bearer tokens using the ASP.NET middleware, but I am sure I should be generating and validating tokens via Azure AD - or am I wrong here?

[expecting to get some down votes for not being explicitly code related, but really need a little bit of advice to get me past this]

I wish to offer an /auth endpoint which accepts a client_id and client_secret. Response will be an OAuth access token with expiry.

You can use the client credentials flow. Then you can use this endpoint to get an access token.

POST /{tenant}/oauth2/v2.0/token HTTP/1.1           //Line breaks for clarity
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=qWgdYAmab0YSkuL1qKv5bPX
&grant_type=client_credentials

Before doing this, you need to expose application permissions for your API application. The contents of appRoles are as below.

"appRoles": [
    {
    "allowedMemberTypes": [ "Application" ],
    "description": "Accesses the TodoListService-Cert as an application.",
    "displayName": "access_as_application",
    "id": "ccf784a6-fd0c-45f2-9c08-2f9d162a0628",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "access_as_application"
    }
],
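The two steps of the answer above (the client's token request, and the app role the API must expose) only protect the API if the API then checks the role it receives. The following is an added example, not code from the original answer: a Python model of both sides of that exchange. Every identifier in it (TENANT_ID, API_APP_ID, the client ID and secret, the sample token payloads) is hypothetical and constructed for illustration. It assumes the token's signature has already been verified against the tenant's signing keys, which is what the ASP.NET JWT bearer middleware does; what it shows is the claim checks that are still needed after that, above all that the `roles` claim contains the app role, because a client in the tenant that was never granted the role can still obtain a token for the API, just one with no roles.

```python
import time
from urllib.parse import urlencode

# Hypothetical identifiers for illustration only (not from the original post).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
API_APP_ID = "11111111-1111-1111-1111-111111111111"   # client ID of the API's app registration
REQUIRED_ROLE = "access_as_application"                # the appRoles "value" from the manifest

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_token_request(tenant, client_id, client_secret, api_app_id):
    """Build the client credentials request a trusted client would POST.

    Returns (url, headers, body). The scope is the API's own .default scope
    rather than Graph's, so the issued token's audience is the API and the
    appRoles granted to the client appear in its 'roles' claim.
    """
    url = TOKEN_ENDPOINT.format(tenant=tenant)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "client_id": client_id,
        "scope": f"api://{api_app_id}/.default",
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    return url, headers, body


def check_app_token_claims(claims, tenant, api_app_id, required_role, now=None):
    """Authorize an app-only token on the API side.

    `claims` is the payload of a JWT whose signature has ALREADY been
    verified against the tenant's signing keys (the JWT bearer middleware
    does that). This function performs the checks that gate access:
    issuer/tenant, audience, lifetime, and the app role. Returns (ok, reason).
    """
    now = time.time() if now is None else now
    expected_iss = f"https://login.microsoftonline.com/{tenant}/v2.0"

    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch"
    if claims.get("tid") != tenant:
        return False, "tenant mismatch"
    aud = claims.get("aud")
    # v2.0 tokens carry the bare application ID; v1.0 tokens carry the Application ID URI.
    if aud not in (api_app_id, f"api://{api_app_id}"):
        return False, "audience mismatch"
    if now >= claims.get("exp", 0):
        return False, "token expired"
    if now < claims.get("nbf", 0):
        return False, "token not yet valid"
    # Client credentials tokens have no user and no 'scp'; the permission the
    # client was granted is in 'roles'. A client that was never granted the
    # role still gets a token for this API, just with no roles, so this check
    # is what actually decides access.
    if "scp" in claims:
        return False, "delegated token presented to an app-only endpoint"
    if required_role not in claims.get("roles", []):
        return False, f"missing app role {required_role}"
    return True, "ok"


# Constructed sample payloads (not real tokens): one granted the role, one not.
NOW = 1_700_000_000
GRANTED = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "tid": TENANT_ID,
    "aud": API_APP_ID,
    "nbf": NOW - 60,
    "exp": NOW + 3600,
    "roles": ["access_as_application"],
}
NOT_GRANTED = {k: v for k, v in GRANTED.items() if k != "roles"}

if __name__ == "__main__":
    url, headers, body = build_token_request(TENANT_ID, "hypothetical-client-id",
                                             "hypothetical-client-secret", API_APP_ID)
    print(url)
    print(body)
    print(check_app_token_claims(GRANTED, TENANT_ID, API_APP_ID, REQUIRED_ROLE, now=NOW))
    print(check_app_token_claims(NOT_GRANTED, TENANT_ID, API_APP_ID, REQUIRED_ROLE, now=NOW))
```

In an ASP.NET Core API the equivalent of `check_app_token_claims` is an authorization policy that requires the `roles` claim to contain `access_as_application`; the audience, issuer and lifetime checks belong in the JWT bearer options, and the client secret itself should never reach the API, only Azure AD's token endpoint.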

Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you reproduce them, please credit this site or the original source. For any questions contact: yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM