Service-to-service authentication using Azure AD

Time: 2017-11-29 14:14:18

Tags: azure azure-active-directory

I am trying to set up service-to-service authentication using Azure AD. I read https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service, and I want to restrict access to my Resource Web API, but I have the following problems:

  • As the resource I can put any application that is in my Azure AD directory, so this does not work (or I do not know how to restrict it)
  • The JWT token only contains the GUID of the client application, so I have to ask AD again to find out which application is calling me and whether it is allowed to call me (e.g. whether it is in the appropriate AD group)

Am I doing something wrong?

1 answer:

Answer 0 (score: 0)

Your resource should be under the key "aud" in the token you get. Please look at the token example in the article https://docs.microsoft.com/ru-ru/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow:

{
"access_token":"eyJhbGciOiJSUzI1NiIsIng1dCI6IjdkRC1nZWNOZ1gxWmY3R0xrT3ZwT0IyZGNWQSIsInR5cCI6IkpXVCJ9....aqtfJ7G37CpKV901Vm9sGiQhde0WMg6luYJR4wuNR2ffaQsVPPpKirM5rbc6o5CmW1OtmaAIdwDcL6i9ZT9ooIIicSRrjCYMYWHX08ip-tj-uWUihGztI02xKdWiycItpWiHxapQm0a8Ti1CWRjJghORC1B1-fah_yWx6Cjuf4QE8xJcu-ZHX0pVZNPX22PHYV5Km-vPTq2HtIqdboKyZy3Y4y3geOrRIFElZYoqjqSv5q9Jgtj5ERsNQIjefpyxW3EwPtFqMcDm4ebiAEpoEWRN4QYOMxnC9OUBeG9oLA0lTfmhgHLAtvJogJcYFzwngTsVo6HznsvPWy7UP3MINA",
"token_type":"Bearer",
"expires_in":"3599",
"expires_on":"1388452167",
"resource":"https://service.contoso.com/"
}

If you inspect it with jwt.io, you will see the details:

{
  "aud": "https://service.contoso.com/",
  "iss": "https://sts.windows.net/7fe81447-da57-4385-becb-6de57f21477e/",
  "iat": 1388448267,
  "nbf": 1388448267,
  "exp": 1388452167,
  "ver": "1.0",
  "tid": "7fe81447-da57-4385-becb-6de57f21477e",
  "oid": "a9919162-9217-49da-ae22-f1137c25cdea",
  "sub": "a9919162-9217-49da-ae22-f1137c25cdea",
  "idp": "https://sts.windows.net/7fe81447-da57-4385-becb-6de57f21477e/",
  "appid": "d17d15bc-c576-41e5-927f-db5f30dd58f1",
  "appidacr": "1"
}

To obtain an Azure AD token you can use a token generator.
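The answer above shows which claims the resource API has to look at; what it does not show is the check itself, which also addresses the second point in the question (the token carries only the caller's application GUID). The following is an added example written for this page, not code from the answer or from Microsoft's libraries. It assumes the token's RS256 signature has already been verified against the tenant's published signing keys by a JWT library (that step is deliberately not shown), and then validates the claims the way a resource API should: `aud` must equal this API's own App ID URI, `iss`/`tid` must name the expected tenant, the `nbf`/`exp` window must cover the current time, and `appid` must be in an allow-list the API maintains itself, so no second round-trip to Azure AD is needed to decide whether the calling application is authorized. The claim values are copied from the token example in the answer; the token builder, placeholder signature and allow-list are constructed for this example.

```python
import base64
import json
import time

# Claims copied from the decoded token example in the answer above.
SAMPLE_CLAIMS = {
    "aud": "https://service.contoso.com/",
    "iss": "https://sts.windows.net/7fe81447-da57-4385-becb-6de57f21477e/",
    "iat": 1388448267,
    "nbf": 1388448267,
    "exp": 1388452167,
    "ver": "1.0",
    "tid": "7fe81447-da57-4385-becb-6de57f21477e",
    "oid": "a9919162-9217-49da-ae22-f1137c25cdea",
    "sub": "a9919162-9217-49da-ae22-f1137c25cdea",
    "idp": "https://sts.windows.net/7fe81447-da57-4385-becb-6de57f21477e/",
    "appid": "d17d15bc-c576-41e5-927f-db5f30dd58f1",
    "appidacr": "1",
}

# Constructed allow-list: the application IDs this resource API accepts.
# In a real deployment this comes from the API's own configuration.
ALLOWED_APP_IDS = {"d17d15bc-c576-41e5-927f-db5f30dd58f1"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(claims: dict = SAMPLE_CLAIMS) -> str:
    """Constructed header.payload.signature string for the demo.
    The signature is a placeholder, so this token is only usable for
    exercising the claim checks, never for real authentication."""
    header = {"alg": "RS256", "typ": "JWT", "x5t": "placeholder-key-id"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Split a compact JWT and parse its payload segment.
    Assumption: the caller has already verified the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims: dict, expected_audience: str, tenant_id: str,
                    allowed_app_ids: set, now: float = None,
                    leeway: int = 60) -> tuple:
    """Return (ok, reason). Every check must pass before the API serves
    the request; the reason string is meant for the API's own logs."""
    now = time.time() if now is None else now

    # 1. The token was issued for *this* API, not for some other resource
    #    in the same directory (this is the "resource" concern in the question).
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False, "audience mismatch"

    # 2. The token comes from the expected tenant's security token service.
    if claims.get("iss") != f"https://sts.windows.net/{tenant_id}/":
        return False, "issuer mismatch"
    if claims.get("tid") != tenant_id:
        return False, "tenant mismatch"

    # 3. The validity window covers the current time (small clock leeway).
    if now < claims.get("nbf", 0) - leeway:
        return False, "token not yet valid"
    if now >= claims.get("exp", 0) + leeway:
        return False, "token expired"

    # 4. The calling application is one this API has chosen to admit.
    #    The allow-list is local, so no extra query to Azure AD is needed.
    if claims.get("appid") not in allowed_app_ids:
        return False, "appid not allowed"

    return True, "ok"


def authorize_request(token: str, expected_audience: str, tenant_id: str,
                      allowed_app_ids: set, now: float = None) -> tuple:
    """Decode then validate; signature verification is assumed done upstream."""
    return validate_claims(decode_claims(token), expected_audience,
                           tenant_id, allowed_app_ids, now=now)


if __name__ == "__main__":
    token = build_sample_token()
    # Use a timestamp inside the sample token's nbf/exp window.
    print(authorize_request(token, "https://service.contoso.com/",
                            "7fe81447-da57-4385-becb-6de57f21477e",
                            ALLOWED_APP_IDS, now=1388450000))
```

The ordering matters: audience and issuer are checked before anything else so that a valid token issued for a different API in the same directory is rejected on the first check, and the `appid` allow-list is consulted last, after the token is known to be genuine for this resource. If the API instead wants group- or role-based decisions, the same structure applies with a `roles` claim check in place of the allow-list.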