使用 Azure AD B2C 作为服务进行身份验证
Authenticating as a Service with Azure AD B2C
我们已经使用 Azure AD B2C 和 OAuth 设置了我们的应用程序,这工作正常,但是我正在尝试作为服务进行身份验证,以便进行服务到服务调用。我对此有点陌生,但我已经学习了一些关于如何在 "normal" Azure Active Directory 上执行此操作的 Pluralsight 课程,我可以让它工作,但遵循与 B2C 相同的原则是行不通的。
我有这个快速控制台应用程序:
class Program
{
private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"]; //APIClient ApplicationId
private static string appKey = ConfigurationManager.AppSettings["ida:appKey"]; //APIClient Secret
private static string aadInstance = ConfigurationManager.AppSettings["ida:aadInstance"]; //https://login.microsoftonline.com/{0}
private static string tenant = ConfigurationManager.AppSettings["ida:tenant"]; //B2C Tenant
private static string serviceResourceId = ConfigurationManager.AppSettings["ida:serviceResourceID"]; //APP Id URI For API
private static string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
private static AuthenticationContext authContext = new AuthenticationContext(authority);
private static ClientCredential clientCredential = new ClientCredential(clientId, appKey);
static void Main(string[] args)
{
AuthenticationResult result = authContext.AcquireToken(serviceResourceId, clientCredential);
Console.WriteLine("Authenticated succesfully.. making HTTPS call..");
string serviceBaseAddress = "https://localhost:44300/";
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = httpClient.GetAsync(serviceBaseAddress + "api/location?cityName=dc").Result;
if (response.IsSuccessStatusCode)
{
string r = response.Content.ReadAsStringAsync().Result;
Console.WriteLine(r);
}
}
}
服务是这样保护的:
private void ConfigureAuth(IAppBuilder app)
{
var azureADBearerAuthOptions = new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters()
{
ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
}
};
app.UseWindowsAzureActiveDirectoryBearerAuthentication(azureADBearerAuthOptions);
}
在我的 B2C 租户中,我有两个不同的应用程序,它们的设置大致如下:
这两个应用程序都设置了来自 "keys" 选项的秘密。生成的密钥的结构与使用 Azure Active Directory 时略有不同。
我可以成功获取令牌,但在尝试连接到其他服务时收到 401。与 Azure Active Directory 相比,使用 B2C 时我是否必须在授权方面做一些不同的事情?
Azure Active Directory B2C 可以颁发访问令牌以供 Web 或本机应用程序访问 API 应用程序,如果:
- 这两个应用程序都注册了 B2C;和
- 访问令牌是交互式用户流(即授权代码或隐式流)的结果。
目前,您的特定场景——您需要颁发访问令牌以供守护程序或服务器应用程序访问 API 应用程序(即客户端凭据流)——不是支持,但是您可以通过 B2C 租户的“应用程序注册”边栏选项卡注册这两个应用程序。
您可以通过 B2C 投票支持客户端凭据流:
如果 API 应用程序要从 web/native 应用程序和 daemon/server 应用程序接收令牌,那么您将必须配置 API 应用程序验证来自两个令牌颁发者的令牌:一个是 B2C,另一个是 B2C 租户中的 Azure AD 目录。
我从 Microsoft 找到了以下非常清晰的文章,其中解释了如何设置 "service account"/应用程序 对 B2C 租户 具有管理访问权限。对我来说,这就是我想要 "Authenticating as a Service with Azure AD B2C".
的用例
可能拥有对 B2C 租户的管理权限 不允许您访问您的 B2C 租户是授权服务器的受保护资源(我没试过),所以OP的用例可能略有不同,但感觉非常接近。
For automated, continuous tasks, you should use some type of service account that you provide with the necessary privileges to perform management tasks. In Azure AD, you can do this by registering an application and authenticating to Azure AD. This is done by using an Application ID that uses the OAuth 2.0 client credentials grant. In this case, the application acts as itself, not as a user, to call the Graph API.
In this article, we'll discuss how to perform the automated-use case. To demonstrate, we'll build a .NET 4.5 B2CGraphClient that performs user create, read, update, and delete (CRUD) operations. The client will have a Windows command-line interface (CLI) that allows you to invoke various methods. However, the code is written to behave in a noninteractive, automated fashion.
我们已经使用 Azure AD B2C 和 OAuth 设置了我们的应用程序,这工作正常,但是我正在尝试作为服务进行身份验证,以便进行服务到服务调用。我对此有点陌生,但我已经学习了一些关于如何在 "normal" Azure Active Directory 上执行此操作的 Pluralsight 课程,我可以让它工作,但遵循与 B2C 相同的原则是行不通的。
我有这个快速控制台应用程序:
class Program
{
private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"]; //APIClient ApplicationId
private static string appKey = ConfigurationManager.AppSettings["ida:appKey"]; //APIClient Secret
private static string aadInstance = ConfigurationManager.AppSettings["ida:aadInstance"]; //https://login.microsoftonline.com/{0}
private static string tenant = ConfigurationManager.AppSettings["ida:tenant"]; //B2C Tenant
private static string serviceResourceId = ConfigurationManager.AppSettings["ida:serviceResourceID"]; //APP Id URI For API
private static string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
private static AuthenticationContext authContext = new AuthenticationContext(authority);
private static ClientCredential clientCredential = new ClientCredential(clientId, appKey);
static void Main(string[] args)
{
AuthenticationResult result = authContext.AcquireToken(serviceResourceId, clientCredential);
Console.WriteLine("Authenticated succesfully.. making HTTPS call..");
string serviceBaseAddress = "https://localhost:44300/";
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = httpClient.GetAsync(serviceBaseAddress + "api/location?cityName=dc").Result;
if (response.IsSuccessStatusCode)
{
string r = response.Content.ReadAsStringAsync().Result;
Console.WriteLine(r);
}
}
}
服务是这样保护的:
private void ConfigureAuth(IAppBuilder app)
{
var azureADBearerAuthOptions = new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters()
{
ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
}
};
app.UseWindowsAzureActiveDirectoryBearerAuthentication(azureADBearerAuthOptions);
}
在我的 B2C 租户中,我有两个不同的应用程序,它们的设置大致如下:
我可以成功获取令牌,但在尝试连接到其他服务时收到 401。与 Azure Active Directory 相比,使用 B2C 时我是否必须在授权方面做一些不同的事情?
Azure Active Directory B2C 可以颁发访问令牌以供 Web 或本机应用程序访问 API 应用程序,如果:
- 这两个应用程序都注册了 B2C;和
- 访问令牌是交互式用户流(即授权代码或隐式流)的结果。
目前,您的特定场景——您需要颁发访问令牌以供守护程序或服务器应用程序访问 API 应用程序(即客户端凭据流)——不是支持,但是您可以通过 B2C 租户的“应用程序注册”边栏选项卡注册这两个应用程序。
您可以通过 B2C 投票支持客户端凭据流:
如果 API 应用程序要从 web/native 应用程序和 daemon/server 应用程序接收令牌,那么您将必须配置 API 应用程序验证来自两个令牌颁发者的令牌:一个是 B2C,另一个是 B2C 租户中的 Azure AD 目录。
我从 Microsoft 找到了以下非常清晰的文章,其中解释了如何设置 "service account"/应用程序 对 B2C 租户 具有管理访问权限。对我来说,这就是我想要 "Authenticating as a Service with Azure AD B2C".
的用例可能拥有对 B2C 租户的管理权限 不允许您访问您的 B2C 租户是授权服务器的受保护资源(我没试过),所以OP的用例可能略有不同,但感觉非常接近。
For automated, continuous tasks, you should use some type of service account that you provide with the necessary privileges to perform management tasks. In Azure AD, you can do this by registering an application and authenticating to Azure AD. This is done by using an Application ID that uses the OAuth 2.0 client credentials grant. In this case, the application acts as itself, not as a user, to call the Graph API. In this article, we'll discuss how to perform the automated-use case. To demonstrate, we'll build a .NET 4.5 B2CGraphClient that performs user create, read, update, and delete (CRUD) operations. The client will have a Windows command-line interface (CLI) that allows you to invoke various methods. However, the code is written to behave in a noninteractive, automated fashion.