ADAL Token used on server for Graph API

I am developing an Angular2+ application that uses Azure AD for authentication. I need to pass the token to my Web API layer (working successfully with an HttpInterceptor), and then use that token on the server side to call Microsoft Graph.

What is the best way to exchange one token for another on the server?

This is exactly the scenario for the On-Behalf-Of flow.

Here is a blog post I wrote on it: https://joonasw.net/view/azure-ad-on-behalf-of-aspnet-core

That is a fairly long sentence, so let's look at an example scenario where this is used:

  • A JavaScript Single Page Application authenticates the user with Azure AD
  • The SPA gets an access token for its back-end API and calls the API
  • The API then needs to get information about the user's manager from Microsoft Graph API

In this scenario, there are basically two options:

  1. Use the on-behalf-of grant to acquire an access token that allows the API to call MS Graph as the user
  2. Use client credentials grant to make the call as the API, with no user context

The first option uses delegated permissions, which means the data that can be returned is based on what the API and the user are allowed to access. It does require that the call made to this API was made with a user context.

The second option would instead use application permissions, in which case the app itself would need to have access to this information for any user in the organisation.

You can probably understand why using delegated permissions is usually preferred. It follows the principle of least privilege.

You can find the sample app used in this article at https://github.com/juunas11/azure-ad-on-behalf-of-sample-aspnetcore.

So you can basically exchange the token you received from the SPA, together with the API's own credentials, for a new access token for another API. This new token will also be in the user's context and will use delegated permissions.

Here is an example HTTP request that performs the token exchange:

POST https://login.microsoftonline.com/joonasapps.onmicrosoft.com/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: login.microsoftonline.com
Content-Length: 1650
Expect: 100-continue
Connection: Keep-Alive

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&client_id=f3c39179-62f7-45fc-a469-a64fdfce4f91&client_secret=REDACTED&resource=https%3A%2F%2Fgraph.microsoft.com&assertion=eyJ0eLongAccessTokenForThisApi&requested_token_use=on_behalf_of

You can find more information here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-on-behalf-of
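The exchange in the answer above, written out as the server-side half of the flow, as an added example that is not code from the question, the answer, or the linked sample app. It is in Python rather than ASP.NET Core because the request body is the same whatever the API is written in. The tenant name, client id, client secret, user name and the `fake_token_endpoint` stand-in for `login.microsoftonline.com` are all constructed for the example; `build_obo_request` produces exactly the form fields shown in the answer, and `peek_claims` does an unsigned read of the incoming token only to fail fast on an assertion the token endpoint would refuse anyway (wrong audience or expired), never to authorize anything.

```python
# Added example (not from the question, the answer, or the linked sample app):
# the server-side on-behalf-of exchange, with a constructed stand-in for the
# Azure AD token endpoint so it runs offline.
import base64
import json
import time
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Assumed identifiers for this example (not the answer's real tenant or app).
TENANT = "contoso.onmicrosoft.com"
API_CLIENT_ID = "example-api-app-id"
API_CLIENT_SECRET = "example-api-secret"
GRAPH_RESOURCE = "https://graph.microsoft.com"
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_fake_jwt(claims):
    """Constructed, UNSIGNED JWT-shaped token. Real Azure AD tokens are
    RS256-signed; this only gives peek_claims() something to parse."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def peek_claims(token):
    """Read JWT claims WITHOUT verifying the signature. Only for pre-flight
    checks on a token the API's auth middleware already validated; never
    use this to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_unb64url(parts[1]))


def build_obo_request(tenant, client_id, client_secret, incoming_token, resource, now=None):
    """Build the request shown in the answer: the API's own client_id/secret
    plus the caller's access token as the assertion."""
    claims = peek_claims(incoming_token)
    now = time.time() if now is None else now
    if claims.get("aud") != client_id:
        raise ValueError(f"assertion audience {claims.get('aud')!r} is not this API")
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion is expired; the SPA must acquire a fresh token")
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    form = {
        "grant_type": JWT_BEARER,
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
        "assertion": incoming_token,
        "requested_token_use": "on_behalf_of",
    }
    return url, form


def fake_token_endpoint(form_body):
    """Constructed stand-in for <tenant>/oauth2/token. It mirrors the checks
    that matter for OBO (right grant, secret matches client_id, assertion was
    issued TO that client) and mints a token that keeps the user's identity,
    i.e. delegated rather than app-only access to the requested resource."""
    f = {k: v[0] for k, v in parse_qs(form_body).items()}
    if f.get("grant_type") != JWT_BEARER or f.get("requested_token_use") != "on_behalf_of":
        return 400, json.dumps({"error": "unsupported_grant_type"})
    if f.get("client_id") != API_CLIENT_ID or f.get("client_secret") != API_CLIENT_SECRET:
        return 401, json.dumps({"error": "invalid_client"})
    inbound = peek_claims(f["assertion"])
    if inbound.get("aud") != f["client_id"]:
        return 400, json.dumps({"error": "invalid_grant",
                                "error_description": "assertion was not issued to this client"})
    minted = make_fake_jwt({"aud": f["resource"], "upn": inbound["upn"],
                            "scp": "User.Read User.Read.All", "exp": NOW + 3600})
    return 200, json.dumps({"token_type": "Bearer", "access_token": minted})


def http_post_form(url, form):
    """Real transport (urllib) for production use; not exercised offline."""
    req = Request(url, data=urlencode(form).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:
        return e.code, e.read().decode()


def exchange_token(incoming_token, resource=GRAPH_RESOURCE, post=http_post_form, now=None):
    """Swap the caller's token for a token for `resource`; raise on failure."""
    url, form = build_obo_request(TENANT, API_CLIENT_ID, API_CLIENT_SECRET,
                                  incoming_token, resource, now)
    status, body = post(url, form)
    data = json.loads(body)
    if status != 200 or "access_token" not in data:
        raise RuntimeError(f"OBO exchange failed: {data.get('error')} "
                           f"{data.get('error_description', '')}".strip())
    return data["access_token"]


# Constructed sample input: the token the SPA sent to the API (audience = this API).
INCOMING_TOKEN = make_fake_jwt({"aud": API_CLIENT_ID,
                                "upn": "alice@contoso.onmicrosoft.com", "exp": NOW + 600})


def demo_exchange():
    """Run the exchange against the offline endpoint; returns the new token's claims."""
    token = exchange_token(INCOMING_TOKEN,
                           post=lambda url, form: fake_token_endpoint(urlencode(form)), now=NOW)
    return peek_claims(token)


if __name__ == "__main__":
    print(demo_exchange())
```

To run this against real Azure AD, call `exchange_token` with the default `post` and a token your API's bearer middleware has already validated; the pre-flight `aud` check is what stops a token obtained for some other application from being replayed into your API and laundered into a Graph token via your client secret.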