I have a REST API hosted in Azure App Services that defines custom scopes for restricting access to specific operations in the API to certain groups of users. When accessing Azure's OpenID Connect metadata discovery endpoint, however, I can't seem to find a way to see my custom scopes for the API (or for any API consumer registered in Azure). How do I make it so that my custom scopes show up in the discovery endpoint metadata?
This is the endpoint I'm using:
Obviously, this version of the endpoint concerns the whole tenant, so it makes sense that it would not have visibility about specific API's scopes in there.
However, when using this variation, which specifies the ClientID, I'd expect the data on the payload to concern that specific application:
This turns out not to be the case: all scopes shown in this endpoint are also the standard ones that AAD always returns for everything else:
"scopes_supported": [
"openid",
"profile",
"email",
"offline_access"
],
I'd expect one or both of the following to happen:
- The main endpoint to return the combination of all scopes defined for all applications
- The app-parameterized endpoint to return the scopes for that particular application
Without my custom scopes being present, it is currently impossible to leave it to a client to pick the scopes when using the OpenIDConnect connection type, since the application cannot know which scopes to request from AAD after the initial call, which was one of the main points of the metadata endpoint from what I understood.
I asked this question in the Microsoft.Identity.Web repository and got a reply back from a Microsoft Identity PM that states exposing custom scopes in the metadata endpoint is currently not supported by design. More information here:
I'll stop using the discovery endpoint in my scenario since it becomes useless if the scopes in it don't match my API scopes.
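Given that Azure AD's discovery document only ever advertises the standard OIDC scopes, a client still has to get its API scopes from configuration rather than from `scopes_supported`. The following added example (not from the question, the answer, or Microsoft.Identity.Web) reads a discovery document, confirms the identity scopes it needs are advertised, and builds the `scope` value for an authorization request from an explicitly configured list of API scopes; the discovery document is constructed, and the tenant and application identifiers are placeholders.

```python
import json

# Constructed discovery document, mirroring what the question observed:
# scopes_supported never includes an application's custom scopes.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://login.microsoftonline.com/<TENANT-ID>/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/token",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})

# Placeholder API scopes; real values come from the API's app registration
# ("Expose an API"), which is the only place they are defined.
API_SCOPES = ["api://<API-CLIENT-ID>/Access.Read", "api://<API-CLIENT-ID>/Access.Write"]
OIDC_SCOPES = ["openid", "profile", "offline_access"]


def missing_scopes(discovery_doc: dict, required: list[str]) -> list[str]:
    """Return the scopes in `required` that the discovery document does not advertise."""
    advertised = set(discovery_doc.get("scopes_supported", []))
    return [s for s in required if s not in advertised]


def build_scope_parameter(discovery_json: str, api_scopes: list[str], oidc_scopes: list[str]) -> str:
    """Compose the `scope` value for an authorization request.

    The OIDC scopes must be advertised by the discovery document; the API
    scopes are taken verbatim from configuration because, as the question
    found, discovery never lists them. Duplicates are removed, order preserved.
    """
    doc = json.loads(discovery_json)
    unsupported = missing_scopes(doc, oidc_scopes)
    if unsupported:
        raise ValueError(f"identity scopes not advertised by issuer: {unsupported}")
    combined: list[str] = []
    for scope in oidc_scopes + api_scopes:
        if scope not in combined:
            combined.append(scope)
    return " ".join(combined)


if __name__ == "__main__":
    doc = json.loads(SAMPLE_DISCOVERY_JSON)
    # Every custom scope is reported missing: discovery cannot be used to pick them.
    print("custom scopes absent from discovery:", missing_scopes(doc, API_SCOPES))
    print("scope=" + build_scope_parameter(SAMPLE_DISCOVERY_JSON, API_SCOPES, OIDC_SCOPES))
```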