
Azure AD B2C request token for service

Context

I understand Azure AD B2C has a limitation on the OAuth2 client_credentials flow, but I've seen that it is possible to request the token against the AD instead of AD B2C.

From what I understand this is a change of the authority domain, so instead of using:

https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token

We should use:

https://login.microsoftonline.com/032bba1a-4a23-41d0-8713-69ad1a38cf69/oauth2/v2.0/token

Problem

My problem is that if I add a scope to it, like https://graph.microsoft.com/openid/.default or another from a different application (which is the one I intend to use), https://{tenant}.onmicrosoft.com/backendtestapi/api/.default, I get this error:

AADSTS500011: The resource principal named https://graph.microsoft.com/openid was not found in the tenant named xxxxx-xxxxx-xxxxx-xxxxx. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant

I'm not understanding why there's an error if I request these scopes. Can anyone enlighten me please?

Thanks a lot!

Please note that Microsoft Graph is the official API whose scope has a fixed writing format, https://graph.microsoft.com/.default, for V2.0.

Changing https://graph.microsoft.com/openid/.default to https://graph.microsoft.com/.default can resolve this issue and you will get an access token for calling the Microsoft Graph API.

If you have your own custom Web API which requires the client credentials flow, you should expose the API in your API app registration by following "Exposing application permissions (app roles)". Then configure the application permission in your client app registration by following "Add permissions to access your web API".

After that you can get the scope format. Typically it's api://{app id of the API app registration}/.default. If you customize the Application ID URI of the API app registration as https://{tenant}.onmicrosoft.com/backendtestapi/api/, then the scope should be https://{tenant}.onmicrosoft.com/backendtestapi/api/.default.

But there is an important thing you need to understand. Since the client credentials flow issues an application token without a user, it has nothing to do with B2C authentication in this case. In other words, you just 'borrow' the B2C tenant to create the app registration. B2C is not used for identity authentication.

BTW, application permissions usually require admin consent. Don't forget to click on "Grant admin consent for {your tenant}" on the client app registration, or use the adminconsent endpoint to do it.
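The request shape the answer describes, with its two scope rules (the v2.0 client credentials scope must end in `/.default`, and the Graph scope is exactly `https://graph.microsoft.com/.default`), as an added example that is not part of the question or the answer. It builds the token request against login.microsoftonline.com, rejects the malformed scope from the question before it ever reaches the token endpoint, and then shows the check a resource API should perform on the returned application token: since no user is involved, authorization rests on the `aud` and `roles` claims. The tenant name `contoso`, the app role name `Api.ReadWrite.All` and the sample token are constructed for the example; the token is unsigned and the decoder does not verify signatures.

```python
import base64
import json
from urllib.parse import urlencode

# Authority for client credentials: the Azure AD endpoint, not {tenant}.b2clogin.com
AUTHORITY = "https://login.microsoftonline.com"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def token_endpoint(tenant_id: str) -> str:
    """v2.0 token endpoint of the tenant that hosts the app registrations."""
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"


def validate_scope(scope: str) -> str:
    """Apply the scope rules from the answer before sending anything.

    - The v2.0 client credentials grant only accepts '<resource>/.default'.
    - For Microsoft Graph the resource is exactly https://graph.microsoft.com;
      a path segment such as '/openid' names a resource principal that does
      not exist in the tenant (AADSTS500011).
    """
    if not scope.endswith("/.default"):
        raise ValueError(f"client credentials scope must end with '/.default': {scope}")
    if scope.startswith("https://graph.microsoft.com/") and scope != GRAPH_SCOPE:
        raise ValueError(f"Microsoft Graph scope must be exactly {GRAPH_SCOPE}: {scope}")
    return scope


def client_credentials_body(client_id: str, client_secret: str, scope: str) -> str:
    """Form-encoded body for POST {token_endpoint}; the secret travels in the body, not the URL."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": validate_scope(scope),
    })


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying the signature.

    Good enough to inspect what the token endpoint returned. A resource API must
    verify the signature against the tenant's published signing keys before it
    trusts any claim below.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_app_token(claims: dict, expected_aud: str, required_role: str) -> bool:
    """An application token carries no user, so authorize on audience + app roles."""
    return claims.get("aud") == expected_aud and required_role in claims.get("roles", [])


# Constructed sample (not a real token): an unsigned JWT shaped like the one issued
# for an app role on a custom API whose Application ID URI was customised.
def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


SAMPLE_CLAIMS = {
    "aud": "https://contoso.onmicrosoft.com/backendtestapi/api",  # hypothetical tenant name
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "roles": ["Api.ReadWrite.All"],  # hypothetical app role defined on the API registration
    "sub": "placeholder-service-principal-id",
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "none", "typ": "JWT"}),
    _b64url_encode(SAMPLE_CLAIMS),
    "",  # no signature: constructed for inspection only
])


if __name__ == "__main__":
    print("POST", token_endpoint("032bba1a-4a23-41d0-8713-69ad1a38cf69"))
    print(client_credentials_body("<client-id>", "<client-secret>", GRAPH_SCOPE))
    for bad in ("https://graph.microsoft.com/openid/.default", "https://graph.microsoft.com/User.Read"):
        try:
            validate_scope(bad)
        except ValueError as err:
            print("rejected:", err)
    claims = jwt_claims(SAMPLE_TOKEN)
    print(check_app_token(claims, SAMPLE_CLAIMS["aud"], "Api.ReadWrite.All"))
```

The `roles` check is the part that silently fails when admin consent has not been granted: the token endpoint still returns a token, but the `roles` claim is absent, so the API should reject it rather than fall back to treating any token from the tenant as authorized.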
