我有一个Azure AD B2C受保护的ASP.NET 6 WebAPI,ASP.NET网站和一个本机移动应用程序正在使用授权代码流使用WebAPI(基本上我遵循 https://github.com/ Azure-Samples/Active-directory-Aspnetcore-webapp-openidConnect-V2/tree/master/master/4-webapp-your-api/4-2-b2c )。这一直没有任何问题。
现在,我需要支持从守护程序应用程序调用上面的WebAPI。该守护程序应用程序将定期访问WebAPI以触发维护和测试类型的处理类型。但是,Azure AD B2C不支持守护程序应用程序,根据 https://learn.microsoft.com/en-us/azure/active-directory-b2c/application-types#current-limitations 。
如果有一种共同的方法可以解决,我有兴趣知道。我能想到的唯一解决方法是在Azure AD(而不是Azure AD B2C)中创建应用程序注册,并创建使用新的Azure AD注册的WebAPI的单独实例(发布WebAPI作为其他名称)。守护程序应用程序可以使用客户端ID和秘密使用新的WebAPI实例。我验证了这项工作,但是创建一个单独的WebAPI实例是不受欢迎的,我希望避免使用它。谢谢!
I have an Azure AD B2C protected ASP.NET 6 WebAPI, and a ASP.NET Web site and a native mobile app are using the WebAPI using the authorization code flow (basically I followed https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C). This has been working without any problems.
Now, I need to support calling the WebAPI above from a daemon app. This daemon app will regularly access the WebAPI to trigger maintenance and test type of processing. However, the Azure AD B2C does not support a daemon app according to https://learn.microsoft.com/en-us/azure/active-directory-b2c/application-types#current-limitations.
If there is a common approach to work around it, I'd be interested to know. The only workaround I can think of is to create an app registration in Azure AD (rather than Azure AD B2C) and create a separate instance of the WebAPI (publish WebAPI as a different name) that uses the new Azure AD registration. The daemon app can use the new WebAPI instance using the client ID and secret. I verified this works, but creating a separate WebAPI instance is undesirable and I am hoping to avoid it. Thanks!
发布评论
评论(3)
我最终使用了B2C上的ROPC流,可以用作守护程序应用程序。
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=pabs=pabs=pabs=pabs=pab-ga&pivots = b2c-user-flow < /a>
I ended up using the ROPC flow on B2C, which can be used as a daemon app.
https://learn.microsoft.com/EN-US/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow
您可以使用客户端凭据流: https://learn.microsoft.com/en-us/azure/active-directory-b2c/client-credentials-grant-flant-flow?pivots = b2c-custom-policy 。
You can use the client credentials flow: https://learn.microsoft.com/en-us/azure/active-directory-b2c/client-credentials-grant-flow?pivots=b2c-custom-policy.
是的,不支持客户凭证流。
docs 。建议解决方法。
“尽管Azure AD AD B2C身份验证服务当前未直接支持OAUTH 2.0客户凭证授予流,但是您可以使用Azure AD和Microsoft Identity Platform/token设置客户端凭据流( https://login.microsoftonline.com/your-tenant-name.onmicrosoft.com /oauth2/v2.0/token )AZURE AD B2C租户中的应用程序的端点。
Yes, client credentials flow is not supported.
The docs. do suggest a workaround.
"Although the OAuth 2.0 client credentials grant flow isn't currently directly supported by the Azure AD B2C authentication service, you can set up client credential flow using Azure AD and the Microsoft identity platform /token (https://login.microsoftonline.com/your-tenant-name.onmicrosoft.com/oauth2/v2.0/token) endpoint for an application in your Azure AD B2C tenant. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants."