![](/img/trans.png)
[英]Consuming Id_token from Azure using UseWindowsAzureActiveDirectoryBearerAuthentication
[英]Login to my API using an Azure AD JWT (id_token)
My client side application is using Azure ad for authentication, but to authorize the user (check if the user is allowed to use my application) I need to go through my REST API. Is it ok, security wise to create an endpoint in my REST API where I can post a JWT and validate it, and then give back an access_token that is used for further calls to the API? 我是客户端应用程序和 rest api 的开发人员,但只有客户端应用程序在 Azure AD 中注册
这看起来好吗? 或者有更好的方法吗?
据我了解REST API
就是一个identity provider
(IDP) 和authorization provider
(AuthZ 提供者):它验证用户、颁发令牌和托管 api 受这些令牌保护。
I would say that you want to consume REST API
using access_tokens
issued by REST API AuthZ provider
and by AzureAD AuthZ provider
. 你可以像这样实现它:
AzureAD
中同时注册REST API
和MyApplication
REST API
在AzureAD
中注册的应用程序中(范围应与REST API
本身相同)MyApplication
中配置AzureAD
中间件以询问id_token
和authorization code
(阅读https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent ,尤其是有关offline_access
的部分,这个示例https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-2-TokenCache和我的简化示例https: //github.com/MaximTkachenko/microservices-communication/blob/master/src/Portal/Startup.cs )authorization code
,您可以在用户登录MyApplication
时从AzureAD
获取access_token
和refresh_token
(更多关于authorization code
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2 -oauth2-auth-代码流)REST API
for both types of tokens ( REST API AuthZ provider
and AzureAD AuthZ provider
, like this Use multiple JWT Bearer Authentication )access_tokens
来使用REST API
。In your case, you could use the On-Behalf-Of flow, register the client app, middle-tier web API and downstream web API in Azure AD.
假设用户已使用OAuth 2.0 授权代码授予流程或其他登录流程在应用程序上进行了身份验证。 此时,应用程序具有 API A(令牌 A)的访问令牌,用户声明并同意访问中间层 web API (API A)。 现在,API A 需要向下游 web API (API B) 发出经过身份验证的请求。
有关更多详细信息,请参阅 - Microsoft 标识平台和 OAuth 2.0 代表流程。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.