如何使用我在 Azure Active Directory 中创建的应用程序注册本地创建的应用程序?

How do I register my application locally created with one I created in Azure Active Directory?

我按照此处的说明学习 AzureKeyVault 配置设置

Key Vault Configuration Provider sample application (ASP.NET Core 2.x)

This sample illustrates the use of the Azure Key Vault Configuration Provider for ASP.NET Core 2.x. For the ASP.NET Core 1.x sample, see Key Vault Configuration Provider sample application (ASP.NET Core 1.x).

For more information on how the sample works, see the Azure Key Vault configuration provider topic.

Using the sample

  1. Create a key vault and set up Azure Active Directory (Azure AD) for the application following the guidance in Get started with Azure Key Vault.

    • Add secrets to the key vault using the AzureRM Key Vault PowerShell Module available from the PowerShell Gallery, the Azure Key Vault REST API, or the Azure Portal. Secrets are created as either Manual or Certificate secrets. Certificate secrets are certificates for use by apps and services but are not supported by the configuration provider. You should use the Manual option to create name-value pair secrets for use with the configuration provider.
      • Simple secrets are created as name-value pairs. Azure Key Vault secret names are limited to alphanumeric characters and dashes.
      • Hierarchical values (configuration sections) use -- (two dashes) as a separator in the sample. Colons, which are normally used to delimit a section from a subkey in ASP.NET Core configuration, aren't allowed in secret names. Therefore, two dashes are used and swapped for a colon when the secrets are loaded into the app's configuration.
      • Create two Manual secrets with the following name-value pairs. The first secret is a simple name and value, and the second secret creates a secret value with a section and subkey in the secret name:
        • SecretName: secret_value_1
        • Section--SecretName: secret_value_2
    • Register the sample app with Azure Active Directory.
    • Authorize the app to access the key vault. When you use the Set-AzureRmKeyVaultAccessPolicy PowerShell cmdlet to authorize the app to access the key vault, provide List and Get access to secrets with -PermissionsToSecrets list,get.

  2. Update the app's appsettings.json file with the values of Vault, ClientId, and ClientSecret.

  3. Run the sample app, which obtains its configuration values from IConfigurationRoot with the same name as the secret name. * Non-hierarchical values: The value for SecretName is obtained with config["SecretName"]. * Hierarchical values (sections): Use : (colon) notation or the GetSection extension method. Use either of these approaches to obtain the configuration value:
    • config["Section:SecretName"]
    • config.GetSection("Section")["SecretName"]

好的,我已将我的应用程序名称作为 'Enterprise Application' 复制到 Azure Active Directory 中。我在 Azure 中为我刚刚创建的 ADD 对象添加了 'Access policies' for 'get' 和 'list'。然而,当我尝试启动应用程序时,我在程序中遇到了这个错误:

Exception: {"error":"unauthorized_client","error_description":"AADSTS70001: 
Application with identifier '(guid)' was not found in the directory ...(continues)

更新 8-4-18 好的,我发现 Azure 在本地 appsettings.json 中使用 'ClientId' 和 'ClientSecret' 连接到本教程中 Azure 注册的内容:https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal#log-in-as-the-application

  1. 我从 ADD 上的 applicationId 中获取 appsettings.json 中的 clientId 我使用 ADD>App Registrations>New
    2. 创建
  2. 我在我刚创建的应用程序上单击“添加”中的设置,并创建一个过期密钥以作为 ClientSecret 存储在 appsettings.json 中。
  3. 我将应用程序设置中的 'Vault' 更改为我命名的保管库。
  4. 我 运行 上面的 powershell 提供访问权限,或者在 ADD 中执行。

所以现在我得到一个更简单的错误:

'Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: 'Access denied''

我已尝试 运行在 Visual Studio 中以管理员身份登录。我在 Azure > 访问控制 > (IAM) > 将我的新应用程序设置为 Reader 中进行订阅。

所以你的 powershell 失败的原因是因为你试图分配一个 User Principal - 一个用户 - 而实际上你想要一个 Service Principal.

除了说当您使用 SDK 以服务主体身份登录时,您使用 Application/Service 主体的应用程序 ID(其相同的 ID)之外,我看不到您的 C# 支持更多。

服务主体就像本地目录中的用户一样,但您作为应用程序登录。

编辑:

我查看了您发布的示例并 运行 我自己查看了它,并且遇到了非常相似的问题。但是我已经开始工作了。步骤如下:

正在创建应用程序

  1. 创建已注册的应用程序。我通过 Azure 门户这样做 服务主体是自动创建的。记下 ApplicationId.
  2. 在创建的应用程序上生成密钥凭据并记下它。
  3. 在应用程序中单击 link 到 Managed app in local directory。这是服务主体,记下 ObjectId

创建密钥保管库

  1. 创建 KeyVault - 我使用 PowerShell 来完成此操作。 New-AzureRmKeyVault

  2. 将服务主体应用到 Key Vault。

    Set-AzureRmKeyVaultAccessPolicy -VaultName <vault> -ResourceGroupName <ResourceGroupName> -ObjectId <Object Id of the Created Service Principal> -PermissionsToSecrets Get,List

运行 示例应用程序

在您的应用程序设置中遵循以下格式:

{
  "Vault": <the name of your vault>,
  "ClientId": <ApplicationId of the Registered Application>,
  "ClientSecret": <Credential generated from the Registered Application>
}

这对我有用,让我可以 运行 样本并从保险库中检索秘密。

对我来说,最终的问题是 运行 'Set-AzureRmKeyVaultAccessPolicy' 是不需要的,无论出于何种原因,忽略它并遵循本小节更容易:https://azure.microsoft.com/documentation/articles/key-vault-get-started/#authorize

我一直在尝试设置对象 ID 和键,实际上我只是忽略了提到 'ServerPrincipalName'

的部分

他们为键设置了一个 commandlet

Set-AzureRmKeyVaultAccessPolicy -VaultName '<vaultName>' -ServicePrincipalName <ApplicationIdGuid> -PermissionsToKeys decrypt,sign

他们为机密设置了一个命令行开关

Set-AzureRmKeyVaultAccessPolicy -VaultName '<vaultName>' -ServicePrincipalName <ApplicationIdGuid> -PermissionsToSecrets Get, List

但我决定按照直接进行的部分在门户中完成所有操作。对我来说,关键是说明没有错。只是含糊地说:"Register a sample app" 然后 "Authorize the App"。他们真的应该说

Register a sample app (https://docs.microsoft.com/en-us/azure/key-vault/key-vault-get-started#register) Authorize the app with Key Vault (https://azure.microsoft.com/documentation/articles/key-vault-get-started/#authorize)

最终所有信息都在那里,如果您碰巧已经拥有一个保险库和一个应用程序并且不了解先决条件是您确实需要一个 1. 一个保险库,2. 一个 ADD,那只会让人感到困惑Web 应用程序,3。二合一的关联权限。