[英]Azure Active directory API permissions
I have got a scenario where I would like to retrieve calendar bookings/meetings from Exchange using Graph APIs.我有一个场景,我想使用 Graph API 从 Exchange 检索日历预订/会议。 These meetings should only be available in the application running on control/touch panel located in that room.这些会议只能在位于该房间的控制/触摸面板上运行的应用程序中可用。 In order to do that, I have registered an App in Azure AD and using MSAL's .NET PublicClientApplication with necessary API permission ie Calendars.Read which requires Admin consent and I am using Device code flow in the application which generates a code whenever I try to run the app.为了做到这一点,我在 Azure AD 中注册了一个应用程序,并使用 MSAL 的 .NET PublicClientApplication 和必要的 API 权限,即 Calendars.Read 需要管理员同意,我在应用程序中使用设备代码流,每当我尝试时都会生成代码运行应用程序。
I see that it's also possible to configure a ConfidentialClient which acts on behalf of application and not the user.我看到还可以配置代表应用程序而不是用户的 ConfidentialClient。 Also, this requires a pre-consent from Admin.此外,这需要管理员的预先同意。
Question :题 :
Not sure which type of authentication mechanism is best suitable in this Scenario ?不确定哪种类型的身份验证机制最适合此场景?
I think both of them could meet your requirement, for the security, I recommend you to use the option one.我认为它们都可以满足您的要求,为了安全起见,我建议您使用选项一。 Something you should note, if you are using the delegated permission Calendars.Read
with auth code flow, the user need to log in the App, then the app do operations on behalf of the user, essentially the permission comes from the user.需要注意的是,如果你使用委托权限Calendars.Read
with auth code flow,用户需要登录App,然后App代表用户进行操作,本质上权限来自用户。
If you use the application permission Calendars.Read
, it uses the client credential flow, the permission comes from the application, it means everyone in the room can use the application to retrieve calendar bookings/meetings.如果您使用应用程序权限Calendars.Read
,它使用客户端凭据流,权限来自应用程序,这意味着房间中的每个人都可以使用该应用程序检索日历预订/会议。
Is it possible to make API permissions for eg "Calendars.Read" to work for a specific account?是否可以为特定帐户设置 API 权限,例如“Calendars.Read”? Like in this case just for that room就像在这种情况下只针对那个房间
No, you could not make the API permission to work just for a specific account.不,您不能使 API 权限仅适用于特定帐户。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.