My B2C tenant has two web APIs (A and B). Each of them publishes its own permissions, (scopeA1, scopeA2) and (scopeB1, scopeB2) respectively.
In my web application (already configured and granted access to both APIs and the 4 scopes), in order to obtain an authorization code for both APIs during authentication, I tried setting the Scope property of my OpenIdConnectAuthenticationOptions to contain all 4 scopes. I get the error AADB2C90146: The scope 'scopeA1 scopeA2 scopeB1 scopeB2 openid offline_access' provided in the request specifies more than one resource for an access token, which is not supported.
If I specify the scopes for only web API A or only web API B, it works as described in this link. Even though access has been granted for both, how can I make my web application use both web APIs at the same time?
Thanks for your help.
Answer 0 (score: 0)
If the two Web APIs are separate applications in Azure AD, you need to request access tokens for them separately.
I'm not familiar with the sample you are using as a starting point, but it looks like these lines are where you need to make the change:
// Retrieve the token using the provided scopes
ConfidentialClientApplication app = new ConfidentialClientApplication(authority, Startup.ClientId,
Startup.RedirectUri, credential,
new NaiveSessionCache(userObjectID, this.HttpContext));
AuthenticationResult result = await app.AcquireTokenSilentAsync(scope);
accessToken = result.Token;
You should create one app instance per API and acquire a token for each API. Then, when you call the API elsewhere, use the correct access token in the Bearer authentication header.
Answer 1 (score: 0)
I had the same issue and asked a similar question, Extend MSAL to support multiple Web APIs,
but I have not had an answer. Basically, to get around it in the short term I have made both my APIs use the same authorization client ID + secret, and therefore I can reuse the same scopes across my APIs.
It's not what I want, but if you want to use Azure AD B2C you need to get used to compromising for a while until the support is there.
-- I would also say you are using an older version of MSAL, which I am also using; I'm waiting until the version 1 release before upgrading again.
The GitHub page talks about using this format:
The github talks about using this format
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
Step 1: Add MSAL to your Solution/Project
Right click on your project > Manage packages.
Select include prerelease > search msal.
Select the Microsoft.Identity.Client package > install.
Step 2: Instantiate MSAL and Acquire a Token
Create a new PublicClientApplication instance. Make sure to fill in your app/client id:
PublicClientApplication myApp = new PublicClientApplication(CLIENT_ID);
Acquire a token:
AuthenticationResult authenticationResult = await myApp.AcquireTokenAsync(SCOPES).ConfigureAwait(false);
Step 3: Use the token!
The access token can now be used in an HTTP Bearer request.
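The following is an added example, not code from the question's sample, from either answer, or from the MSAL README quoted above. It shows the approach Answer 0 recommends (one access token per API, each attached only to calls of the API it was issued for) together with the "acquire a token, use it as a Bearer header" steps from Answer 1. It targets the current MSAL.NET 4.x builder API rather than the pre-1.0 API in the question, so a single ConfidentialClientApplication instance is reused for both scope sets instead of one instance per API; the token cache holds the refresh token, which lets the second resource's token be acquired silently. The authority, client id, secret, redirect URI, scope URIs, API URLs and API application ids are placeholders.

```csharp
// Added example (not from the question or the MSAL README).
// Assumes MSAL.NET 4.x (Microsoft.Identity.Client). All tenant-specific values are placeholders.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class B2CTokenBroker
{
    // Placeholder B2C configuration (hypothetical values).
    private const string Authority    = "https://contoso.b2clogin.com/tfp/contoso.onmicrosoft.com/B2C_1_signupsignin";
    private const string ClientId     = "<web-app-client-id>";
    private const string ClientSecret = "<web-app-client-secret>";
    private const string RedirectUri  = "https://localhost:44300/signin-oidc";

    // Application (client) ids of the two APIs: the expected "aud" of their tokens (placeholders).
    public const string ApiAAppId = "<api-a-application-id>";
    public const string ApiBAppId = "<api-b-application-id>";

    // Scopes are grouped per resource. B2C rejects one request that mixes scopes of
    // two resources (AADB2C90146), so each set is requested in its own call.
    public static readonly string[] ScopesApiA =
        { "https://contoso.onmicrosoft.com/apiA/scopeA1", "https://contoso.onmicrosoft.com/apiA/scopeA2" };
    public static readonly string[] ScopesApiB =
        { "https://contoso.onmicrosoft.com/apiB/scopeB1", "https://contoso.onmicrosoft.com/apiB/scopeB2" };

    private static readonly IConfidentialClientApplication App =
        ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithB2CAuthority(Authority)
            .WithClientSecret(ClientSecret)
            .WithRedirectUri(RedirectUri)
            .Build();

    // Called once from the OpenID Connect authorization-code callback. Redeeming the
    // code for API A's scopes also puts a refresh token for the account into the cache.
    public static Task<AuthenticationResult> RedeemCodeAsync(string authorizationCode) =>
        App.AcquireTokenByAuthorizationCode(ScopesApiA, authorizationCode).ExecuteAsync();

    // Silent acquisition for one resource. MsalUiRequiredException propagates to the
    // caller, which must send the user back through sign-in (e.g. consent missing).
    public static async Task<string> GetAccessTokenAsync(string[] scopes, string accountIdentifier)
    {
        IAccount account = await App.GetAccountAsync(accountIdentifier);
        AuthenticationResult result = await App.AcquireTokenSilent(scopes, account).ExecuteAsync();
        return result.AccessToken;
    }

    // Reads "aud" from the JWT payload without verifying it. Used only as a local sanity
    // check that the token about to be attached was minted for the API being called;
    // the API itself still validates signature, issuer and audience.
    public static string AudienceOf(string jwt)
    {
        string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
        JsonElement aud = doc.RootElement.GetProperty("aud");
        return aud.ValueKind == JsonValueKind.Array ? aud[0].GetString() : aud.GetString();
    }

    // Builds the request with the Bearer header, refusing to send a token for the wrong API.
    public static HttpRequestMessage BearerRequest(HttpMethod method, string url, string accessToken, string expectedAudience)
    {
        if (AudienceOf(accessToken) != expectedAudience)
            throw new InvalidOperationException("access token was issued for a different API; acquire one for this resource");
        var request = new HttpRequestMessage(method, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        return request;
    }

    // Calls both APIs from one handler: two silent acquisitions, two distinct tokens.
    public static async Task CallBothApisAsync(HttpClient http, string accountIdentifier)
    {
        string tokenA = await GetAccessTokenAsync(ScopesApiA, accountIdentifier);
        string tokenB = await GetAccessTokenAsync(ScopesApiB, accountIdentifier);
        using var respA = await http.SendAsync(BearerRequest(HttpMethod.Get, "https://api-a.contoso.example/items", tokenA, ApiAAppId));
        using var respB = await http.SendAsync(BearerRequest(HttpMethod.Get, "https://api-b.contoso.example/orders", tokenB, ApiBAppId));
        respA.EnsureSuccessStatusCode();
        respB.EnsureSuccessStatusCode();
    }
}
```

The account identifier passed to GetAccessTokenAsync is result.Account.HomeAccountId.Identifier from the AuthenticationResult returned by RedeemCodeAsync; store it in the user's session after sign-in. The sign-in request itself keeps openid and offline_access (plus at most one resource's scopes); the second resource's scopes are requested only through AcquireTokenSilent, which is what avoids AADB2C90146.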