Azure AD B2C Authorization support based on Scope/Role
We want to achieve authorization at our APIs.
Ex. We have API-A and API-B and both are exposed to our different consumers.
We have a setup of scope-based authorization in place with IdentityServer4, where we decorate endpoints with different policies. With IdentityServer4 we are able to achieve this, as the IdentityServer4 token has the scope claim present in all grant types, but with Azure AD we found we can't have a scope claim in a token generated with the Client Credential flow.
In our case, Web API B is also exposed to consumers and again they have scope-based authorization. To call Web API B from Web API A we use the client credential flow, and it will not have the scope claim in the token, so we are not able to authorize our call to Web API B.
How can we achieve scope-based authorization with Azure AD in a microservices architecture where we call other context APIs from one context?
You get roles and not scope, i.e. you get roles and not the scp claim in the token. See azure-ad-scope-based-authorization.
So, if you want delegated permissions then you will have to use the implicit grant flow instead of client credentials.
As scopes in the Expose an API page are for Authorization Code Grant flows where the user is involved, in this case (client credential) it's not possible; we have to add our own scopes that are available for applications to use, which are indirectly called roles, that we need to add in the manifest itself under appRoles in the app registration, or through the App roles blade.
Example:

```json
{
  "appRoles": [
    {
      "allowedMemberTypes": [
        "Application"
      ],
      "displayName": "Read all todo items",
      "id": "f8dxxxxxxxxxxxxf98",
      "isEnabled": true,
      "description": "Allow the application to read all todo items as itself.",
      "value": "Todo.Read.All"
    }
  ]
}
```
After that, those have to be granted admin consent.
So now when requesting a token with a default scope of api://<app id>/.default, the "scopes" are returned in the roles claim.
So we can use the role claim for authorization purposes.
Also, as a workaround, try to make sure to add additional scopes like profile, offline_access, openid. And give response_type=token instead of id_token.
Example request:
......&redirect_uri=https://jwt.io&scope=openid profile offline_access&response_type=token&prompt=login
References:
EDIT:
https://tenant.b2clogin.com/tenant.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_TenantSignUpIn&client_id=<appid>&nonce=defaultNonce&redirect_uri=https://jwt.ms&scope=openid offline profile https://tenant.onmicrosoft.com/b2capi/write https://tenant.onmicrosoft.com/b2capi/read https://tenant.onmicrosoft.com/b2capi/user_impersonation&response_type=id_token&prompt=login
Please note that scopes are present as roles depending on the flow type.
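The answer's point is that the same permission arrives in different claims depending on the flow (scp for delegated user tokens, roles for client-credential app tokens), so an API policy has to accept both. The following is an added example, not code from the original post; it assumes the JWT middleware has already validated signature, issuer and expiry, and that the decoded payload is available as a dict. Claim names, audience value and sample payloads are constructed for illustration.

```python
"""Map Azure AD access-token claims to one permission set so a single
policy check works for both delegated (scp) and application (roles) tokens.
Assumption: signature/issuer/expiry were already validated upstream."""

# Constructed sample payloads, shaped like Azure AD v2.0 access tokens.
DELEGATED_TOKEN = {
    "aud": "api://api-b",
    "scp": "Todo.Read.All Todo.Write",   # delegated: space-delimited string
}
APP_TOKEN = {
    "aud": "api://api-b",
    "roles": ["Todo.Read.All"],          # client credentials: appRoles values
}
NO_PERMISSION_TOKEN = {"aud": "api://api-b"}  # neither claim present


def effective_permissions(claims: dict) -> set:
    """Union of delegated scopes (scp) and application roles (roles).

    Type checks guard against a malformed or attacker-shaped payload:
    scp must be a string, roles must be a list of strings."""
    perms = set()
    scp = claims.get("scp")
    if isinstance(scp, str):
        perms.update(scp.split())
    roles = claims.get("roles")
    if isinstance(roles, list):
        perms.update(r for r in roles if isinstance(r, str))
    return perms


def is_authorized(claims: dict, required: str, expected_aud: str) -> bool:
    """Policy check: token is for this API and carries the required
    permission, regardless of which flow minted it."""
    if claims.get("aud") != expected_aud:
        return False  # token issued for another resource; never honour it
    return required in effective_permissions(claims)


if __name__ == "__main__":
    for name, tok in [("delegated", DELEGATED_TOKEN), ("app", APP_TOKEN),
                      ("none", NO_PERMISSION_TOKEN)]:
        print(name, is_authorized(tok, "Todo.Read.All", "api://api-b"))
```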