Azure B2C client credentials grant

I have implemented Azure B2C for user login/logout; I can obtain an id_token and pass it to my website's API for authorization, and everything works. Now I have some Web API methods that should only be reachable by the client web application (ASP.NET 4.6), which means the OAuth 2.0 "client credentials grant". I did a lot of research, and the closest thing I could find is this quick-start, which uses ADAL in a B2C application to call the Graph API.

I followed the code below and got as far as trying to acquire the client access token. However, no matter what I pass as the resource to the AcquireToken method, I get an error saying the application name I passed does not exist in the tenant. I am actually not sure what I should be passing, because in the B2C world you do not register a Web API as an application; instead, all of your applications share a single application ID.

Is the above scenario supported, and how do I implement it?

    public async Task<string> SendGraphGetRequest(string api, string query)
    {
        // First, use ADAL to acquire a token by using the app's identity (the credential)
        // The first parameter is the resource we want an access_token for; in this case, the Graph API.
        //*** In my case I want to replace the graph API URL with my own WebAPI
        AuthenticationResult result = authContext.AcquireToken("https://graph.windows.net", credential);
        // Return the access token so the caller can send it as a bearer token
        return result.AccessToken;
    }

See this link describing the limitations of Azure Active Directory B2C. The quick-start you refer to is using the client credentials grant, which Azure AD B2C does not support yet.

Under the Daemons / server-side applications section, it says:

"Applications that contain long-running processes or that operate without the presence of a user also need a way to access secured resources, such as Web APIs. These applications can authenticate and get tokens by using the application's identity (rather than a consumer's delegated identity) in the OAuth 2.0 client credentials flow. This flow is not yet available in Azure AD B2C, so for now, applications can get tokens only after an interactive consumer sign-in flow has occurred."

I believe this feature (OAuth client credentials grant type support) is on the B2C roadmap, and once it ships, the steps in that quick-start should work.

A well-documented limitation. I have created a user voice request on the feedback portal.

Everyone can vote on it and wait for the development team to implement it.

The OAuth2 client credentials grant type can now be used with Azure AD B2C.

Although the OAuth 2.0 client credentials grant flow is not currently directly supported by the Azure AD B2C authentication service, you can set up client credential flow using Azure AD and the Microsoft identity platform /token endpoint for an application in your Azure AD B2C tenant. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants.

Here is a curl request example:

    curl --location --request POST 'https://login.microsoftonline.com/{client-id-of-app-registered-in-b2c}/oauth2/v2.0/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --header 'Cookie: x-ms-gateway-slice=prod; stsservicecookie=ests; fpc=AmqL7OwikMNGgdpvjdkb0OLnguDtAQAAABl14NYOAAAAd_wwNgEAAABCeeDWDgAAAA' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode 'client_secret={secret-of-app}' \
    --data-urlencode 'client_id={client-id-of-app-registered-in-b2c}' \
    --data-urlencode 'scope=https://graph.microsoft.com/.default'

Note that the parameters are form-encoded in the request body.
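The exchange in the answer above, written out as an added example (not code from the question, the answers, or Microsoft): it builds the same form-encoded POST to the v2.0 token endpoint, parses the JSON the endpoint returns (including the `error` / `error_description` shape of a rejected request), and computes the token's expiry. The HTTP transport is injected as a callable so the module runs offline against a constructed response; the tenant, client id, secret and token value are placeholders, and the `/.default` scope check and `B2C_CLIENT_SECRET` environment variable are this example's own conventions.

```python
"""Client credentials grant against the Microsoft identity platform v2.0 token endpoint.

Added example. Mirrors the curl request in the answer: a form-encoded POST to
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token. Network access is
injected as a callable so the module runs offline against a constructed response.
"""
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Optional
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


@dataclass(frozen=True)
class TokenRequest:
    url: str
    headers: Mapping[str, str]
    body: str  # application/x-www-form-urlencoded, as in the curl example


@dataclass(frozen=True)
class AccessToken:
    value: str
    token_type: str
    expires_at: float  # Unix time


def build_client_credentials_request(tenant: str, client_id: str,
                                     client_secret: str, scope: str) -> TokenRequest:
    """Build the POST the answer's curl command sends.

    `tenant` is the identifier in the endpoint path (the answer puts the app's client id
    there). App-only tokens use a `/.default` scope, e.g. https://graph.microsoft.com/.default;
    requiring that suffix here is this example's own check, not an endpoint rule it enforces.
    """
    if not scope.endswith("/.default"):
        raise ValueError("client credentials requests use a /.default scope")
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return TokenRequest(url=TOKEN_ENDPOINT.format(tenant=tenant),
                        headers={"Content-Type": "application/x-www-form-urlencoded"},
                        body=body)


def request_fields(req: TokenRequest) -> Dict[str, str]:
    """Decode the form body back into a dict (handy for tests and logging without the secret)."""
    return {k: v[0] for k, v in parse_qs(req.body).items()}


def parse_token_response(raw: str, now: Optional[float] = None) -> AccessToken:
    """Turn the endpoint's JSON into an AccessToken, surfacing OAuth error responses."""
    now = time.time() if now is None else now
    data = json.loads(raw)
    if "error" in data:  # e.g. invalid_client when the secret is wrong
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type") != "Bearer" or "access_token" not in data:
        raise ValueError("unexpected token response shape")
    return AccessToken(value=data["access_token"], token_type=data["token_type"],
                       expires_at=now + int(data["expires_in"]))


Transport = Callable[[TokenRequest], str]  # takes the request, returns the response body


def fetch_token(req: TokenRequest, transport: Transport, now: Optional[float] = None) -> AccessToken:
    return parse_token_response(transport(req), now)


def urllib_transport(req: TokenRequest) -> str:
    """Real transport (not used by the offline demo). A 4xx still carries the JSON error body."""
    import urllib.error
    import urllib.request
    http_req = urllib.request.Request(req.url, data=req.body.encode(),
                                      headers=dict(req.headers), method="POST")
    try:
        with urllib.request.urlopen(http_req) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()


# Constructed sample response for offline use; field names match the endpoint's JSON.
SAMPLE_RESPONSE = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                              "ext_expires_in": 3599, "access_token": "eyJ0eXAi.constructed"})


def fake_transport(req: TokenRequest) -> str:
    """Offline stand-in for the endpoint: rejects any grant other than client_credentials."""
    if request_fields(req).get("grant_type") != "client_credentials":
        return json.dumps({"error": "unsupported_grant_type",
                           "error_description": "constructed error"})
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    import os
    req = build_client_credentials_request(
        tenant="contoso.onmicrosoft.com",                    # placeholder tenant
        client_id="00000000-0000-0000-0000-000000000000",    # placeholder client id
        client_secret=os.environ.get("B2C_CLIENT_SECRET", "constructed-secret"),
        scope="https://graph.microsoft.com/.default",
    )
    tok = fetch_token(req, fake_transport)
    print(req.url, "->", tok.token_type, "expires at", int(tok.expires_at))
```

Swap `fake_transport` for `urllib_transport` to talk to the real endpoint; keeping the secret out of the source (here via an environment variable) and reading it only when the request is built is the habit to keep when this leaves a demo.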