[英]AAD client-credentials flow request scope for web api
I got a console app that needs to support two flows, authenticating against AAD to talk to a web api:我有一个需要支持两个流程的控制台应用程序,针对 AAD 进行身份验证以与 web api 对话:
The interactive flow works perfectly, but the client-credentials flow is giving me problems with the requested scope.交互式流程完美运行,但客户端凭证流程给我请求的 scope 带来了问题。
I'm using the latest Microsoft.Identity*
nuget packages.我使用的是最新的Microsoft.Identity*
nuget 包。
When I construct the scope for the webapi like I do for the interactive flow, I get an error message telling me that for client-credentials flows I need to append ./default
.当我像为交互式流程一样为 webapi 构建 scope 时,我收到一条错误消息,告诉我对于客户端凭据流程,我需要 append ./default
。 Okay, fair enough, I also found documentation for this, so I append ./default
.好吧,很公平,我也找到了这方面的文档,所以我 append ./default
。 But when I do that, I get another error message telling me但是当我这样做时,我收到另一条错误消息告诉我
The resource principal named api:///access_as_user was not found in the tenant named.在名为的租户中找不到名为 api:///access_as_user 的资源主体。
There are two problems with this error message:此错误消息有两个问题:
api://<webApiAppId>/access_as_user
, not api://<webApiAppId>/access_as_user/.default
, despite my appending that它说api://<webApiAppId>/access_as_user
,而不是api://<webApiAppId>/access_as_user/.default
,尽管我附加了My next though was: well, maybe the problem is that the app registration used for the client-credentials flow doesn't have permissions on the web-api.我的下一个问题是:好吧,也许问题是用于客户端凭据流的应用程序注册在 web-api 上没有权限。 But it does.但确实如此。
So now I've run out of ideas.所以现在我已经没有想法了。 Hopefully, someone here can help.希望这里有人可以提供帮助。
To make everything a bit clearer, let me list the app regs involved:为了让一切更清楚一点,让我列出涉及的应用程序规则:
A. Web Api一、Web Api
api://<itsownAppId>/access_as_user
公开单个 API api://<itsownAppId>/access_as_user
B. Interactive Login B. 交互式登录
WebApi | access_as_user
API 权限:添加WebApi | access_as_user
WebApi | access_as_user
as delegated WebApi | access_as_user
作为委托C. Non-interactive login/Service Principal C. 非交互式登录/服务主体
WebApi | access_as_user
API 权限:添加WebApi | access_as_user
WebApi | access_as_user
with 2 of the app roles defined for A WebApi | access_as_user
具有为 A 定义的 2 个应用程序角色The code I use to authenticate is (for the confidential flow):我用来验证的代码是(用于机密流程):
ConfidentialClientApplicationBuilder.Create(_configuration.ApplicationId)
.WithTenantId(_configuration.Directory)
.WithLogging(Log, LogLevel.Error)
.WithClientSecret(_configuration.ClientSecret)
.Build()
.AcquireTokenForClient(_configuration.Scopes)
.ExecuteAsync();
where the values of _configuration
are:其中_configuration
的值为:
ApplicationId
: the appId from app registration C ApplicationId
: 应用注册的appId CDirectory
: the name of my AAD tenant Directory
:我的 AAD 租户的名称ClientSecret
: the secret from app registration C ClientSecret
: 应用注册的秘密 CScopes
: array of openid
, profile
and api://<appIdOfWebApiFromC>/access_as_user/.default
Scopes
: openid
数组、 profile
和api://<appIdOfWebApiFromC>/access_as_user/.default
So, it turns out that the documentation for appending ./default
is not quite clear enough:.You are not meant to append it to the scope, just to the "resource id".因此,事实证明附加./default
的文档还不够清楚:您并不是要将 append 附加到 scope,而只是附加到“资源 ID”。 And with resource id they mean the "api://" parts without the name of the permission.对于资源 ID,它们表示没有权限名称的“api://”部分。
So where you normally request api://<webApiAppId>/access_as_user
, for the client-credentials flow you have to request api://<webApiAppId>/.default
因此,在您通常请求api://<webApiAppId>/access_as_user
的地方,对于客户端凭据流,您必须请求api://<webApiAppId>/.default
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.