Is there an OAuth flow that doesn't require a client_id?
I have created a Microsoft Teams bot built using a Golang port of the Bot Framework. It is a multi-tenant bot which lives in my infrastructure.
It is easy to add the bot as a "Teams Application" by selecting it from the marketplace (for free); however, to function correctly it needs additional Microsoft Graph permissions. Specifically, read the title of a MS Teams Channel / Group Chat.
This seems to be a challenge for users, as almost no one - even those 'in IT' - seems able to correctly add the permissions required, even with documentation.
I've been helping them personally, but it's not a commercial product, so that is not viable in the long term.
I would like to find an OAuth2 flow which would allow a privileged user to authenticate with their Azure tenant and grant the necessary privileges for my application to do its thing. Or, alternatively, create the client registration in advance of installing the bot.
Every OAuth2 flow requires me to have (or know) my client_id before making the request. Given it's in the user's tenant, I don't have access to it; the users can authenticate against their Azure AD tenant though, so they must receive a bearer token which would allow them access to create or update permissions on an Azure Application.
There is a chance to use the OAuth 2.0 client credentials. This grant is specified in RFC 6749. This grant is to access web hosted resources. This resource will directly identify the application based on the identity of the application. In server-to-server communication we can use OAuth 2.0. This can be referred to as "Service accounts" or "Daemons".
Microsoft identity platform and the OAuth 2.0 client credentials flow
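The client credentials grant the answer points to, as an added Go example (the bot in the question is Go) that is not part of the original post or of the Bot Framework port: it builds the RFC 6749 client credentials form for the Microsoft identity platform v2.0 token endpoint, posts it, and refuses to treat an error body as a token. The `client_id`, secret, tenant name and token values are constructed placeholders, and the token endpoint is replaced by an in-process `httptest` server so the code runs offline; against a real tenant the app registration and its granted Graph application permissions must already exist in that tenant, which is exactly the prerequisite the question is struggling with.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// TokenEndpoint returns the v2.0 token endpoint for one tenant. A multi-tenant
// daemon requests a separate token per customer tenant (tenant ID or domain).
func TokenEndpoint(tenant string) string {
	return "https://login.microsoftonline.com/" + url.PathEscape(tenant) + "/oauth2/v2.0/token"
}

// ClientCredentialsForm builds the form body of a client credentials grant
// (RFC 6749 section 4.4). The ".default" scope asks for every application
// permission already consented to for this app in the tenant.
func ClientCredentialsForm(clientID, clientSecret string) url.Values {
	return url.Values{
		"grant_type":    {"client_credentials"},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
		"scope":         {"https://graph.microsoft.com/.default"},
	}
}

// TokenResponse is the subset of the token endpoint's JSON reply a daemon needs.
type TokenResponse struct {
	TokenType        string `json:"token_type"`
	ExpiresIn        int    `json:"expires_in"`
	AccessToken      string `json:"access_token"`
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description"`
}

// RequestToken posts the grant and decodes the reply. A non-200 status or an
// "error" field becomes a Go error, so callers never use an error body as a token.
func RequestToken(client *http.Client, endpoint, clientID, clientSecret string) (*TokenResponse, error) {
	form := ClientCredentialsForm(clientID, clientSecret)
	resp, err := client.Post(endpoint, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	var tr TokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return nil, fmt.Errorf("decoding token response: %w", err)
	}
	if resp.StatusCode != http.StatusOK || tr.Error != "" {
		return nil, fmt.Errorf("token endpoint returned %d: %s: %s", resp.StatusCode, tr.Error, tr.ErrorDescription)
	}
	if tr.AccessToken == "" {
		return nil, fmt.Errorf("token endpoint returned no access_token")
	}
	return &tr, nil
}

// FakeTokenServer is a constructed stand-in for login.microsoftonline.com so the
// example runs offline. It accepts one placeholder client_id/secret pair and
// answers anything else with the invalid_client error shape of OAuth 2.0.
func FakeTokenServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := r.ParseForm(); err != nil {
			http.Error(w, "bad form", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		if r.PostForm.Get("grant_type") == "client_credentials" &&
			r.PostForm.Get("client_id") == "00000000-0000-0000-0000-000000000000" && // placeholder app ID
			r.PostForm.Get("client_secret") == "example-secret" { // placeholder secret
			fmt.Fprint(w, `{"token_type":"Bearer","expires_in":3599,"access_token":"constructed.jwt.value"}`)
			return
		}
		w.WriteHeader(http.StatusUnauthorized)
		fmt.Fprint(w, `{"error":"invalid_client","error_description":"constructed: client authentication failed"}`)
	}))
}

func main() {
	srv := FakeTokenServer()
	defer srv.Close()
	fmt.Println("real endpoint would be:", TokenEndpoint("contoso.onmicrosoft.com"))
	tok, err := RequestToken(srv.Client(), srv.URL, "00000000-0000-0000-0000-000000000000", "example-secret")
	if err != nil {
		panic(err)
	}
	fmt.Println("got", tok.TokenType, "token expiring in", tok.ExpiresIn, "s")
	_, err = RequestToken(srv.Client(), srv.URL, "00000000-0000-0000-0000-000000000000", "wrong")
	fmt.Println("bad secret:", err)
}
```

Note that this flow still needs a `client_id` and a secret per tenant, which is the answer's point: the credential identifies the application itself, so the app registration (and admin consent to its Graph permissions) has to exist in the customer's tenant before the bot can call the token endpoint.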