[英]Make OAuth 2 Authorization Code Grant/Flow without user intervention
Trying to access an API resource that requires the Grant Type Authorization code.尝试访问需要授予类型授权代码的 API 资源。 I can get back a valid Access Code using Postman and it's Authorization tool.我可以使用 Postman 及其授权工具取回有效的访问代码。
This involves Postman popping up a login window where I enter the username and password.这涉及 Postman 弹出一个登录窗口,我在其中输入用户名和密码。
How can I accomplish this purely problematically without user intervention?如何在没有用户干预的情况下完全有问题地完成这项工作? This Grant Type seems to be the only one that works with this API as when I just try and use the client_id and client_secret with the Client Credentials flow the Access Token I get back does not allow me into the API (401).这种授予类型似乎是唯一一种与此 API 配合使用的类型,因为当我尝试将 client_id 和 client_secret 与客户端凭据流一起使用时,我取回的访问令牌不允许我进入 API (401)。
I am looking to do this as code agnostic as possible.我希望尽可能做到与代码无关。 That is I would like to be able to do it without relying a library that does things behind the scenes.那就是我希望能够在不依赖在幕后做事的库的情况下做到这一点。 Ideally everything would be done via HTTP like with cURL.理想情况下,一切都将通过 HTTP 完成,就像使用 cURL。
I have some C# code that does what I am looking for but it makes use of the Microsoft.IdentityModel.Clients.ActiveDirectory
library ( older version 2.29.0.1078
).我有一些 C# 代码older version 2.29.0.1078
我的要求,但它使用了Microsoft.IdentityModel.Clients.ActiveDirectory
库( older version 2.29.0.1078
)。 It seems to be able to get a token by passing in the username and password好像可以通过传入用户名和密码来获取token
string userName = "johndoe";
string password = "mydoghasfleas";
string clientId = "7934579357js487dhj444";
clientBaseUrl = "https://mycompanyname.dynamics.com";
apiEndpointUrl = clientBaseUrl + "/data/resource=XYZ";
UserCredential credential = new UserCredential(userName, password);
AuthenticationContext authContext = new AuthenticationContext(apiEndpointUrl, false);
AuthenticationResult authResult = await authContext.AcquireTokenAsync(clientBaseUrl, clientID, credential);
What I am trying to figure out is how to do it without depending on the Microsoft.IdentityModel.Clients.ActiveDirectory
library.我想弄清楚的是如何在不依赖Microsoft.IdentityModel.Clients.ActiveDirectory
库的情况下做到这一点。
If it was one of your APIs, the correct approach would be to add support for client credentials auth and app permissions in the API.如果它是您的 API 之一,则正确的方法是在 API 中添加对客户端凭据身份验证和应用程序权限的支持。 Seeing that it's probably Dynamics, that's probably not possible for you.看到它可能是 Dynamics,这对您来说可能是不可能的。 In that case, you can use authorization code flow to get initial tokens for a user, and then you can use the refresh token to get a new token when needed.在这种情况下,您可以使用授权代码流为用户获取初始令牌,然后您可以在需要时使用刷新令牌获取新令牌。 In the final case, you can use Resource Owner Password Credentials flow to get tokens.在最后一种情况下,您可以使用 Resource Owner Password Credentials 流来获取令牌。 But beware, this flow does not support MFA etc.但请注意,此流程不支持 MFA 等。
Hackish: you can do UI parsing and then just mimic standard user login procedure Hackish:你可以做 UI 解析,然后模仿标准的用户登录过程
Proper approach will be to use better flow, which is allowed by used IdP, eg Direct Grant Flow (Resource Owner Password Credentials Grant flow)`.正确的方法是使用更好的流程,这是使用的 IdP 允许的,例如直接授予流程(资源所有者密码凭据授予流程)`。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.