With the client credentials flow, an access token is generated without delegated access from any application in the same tenant

Time: 2019-04-16 14:35:35

Tags: azure azure-active-directory azure-authentication

I am setting up a background process that will communicate with an API protected by Azure AD. Without the delegate being granted access to the API, the client application is able to generate an access token.

Using the client credentials flow, is it possible to generate an access token for the web API without granting delegated permissions? I am able to generate it, but according to the documentation this should not happen. Any app created in my tenant can generate a token for the web API without delegated permissions.

I am following this sample on GitHub: https://github.com/Azure-Samples/active-directory-dotnet-daemon

If delegated access is not granted, it should not be able to generate an access token.

1 answer:

Answer 0 (score: 1)

This is normal. If you are using the client credential flow, even if your client app does not have the application permission or the delegated permission, it will still be able to generate the access token. But you cannot use this token to call the API, because the token does not have the permissions in its claims. You can decode the token at https://jwt.io/ , then you can see the permissions as below.


Update:

If you want to check the delegated permissions, you need to use the ROPC flow. Check the scope in the response; those are the delegated permissions.

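The answer's point is that the token server will issue a client-credentials token regardless, so enforcement has to happen in the web API by inspecting the permission claims. The following is an added example, not code from the answer or from the Azure sample linked in the question. It builds two constructed tokens (one issued to an app with no permissions granted, one to an app that holds an application permission), decodes the payload segment the way jwt.io does, and shows how an API would reject the first while accepting the second. Azure AD places application permissions in the `roles` claim and delegated permissions in the `scp` claim; the audience `api://example-web-api`, the role name `Api.Read`, and the dummy signature are assumptions made for the example. Signature verification against the tenant's signing keys is deliberately left to a real JWT library and is not performed here.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Constructed sample claims (not real Azure AD tokens). Azure AD tokens are
# RS256-signed; the signature segment below is a dummy and a production API
# must verify the real signature before trusting any claim shown here.
EXPECTED_AUDIENCE = "api://example-web-api"   # assumed App ID URI of the web API
REQUIRED_ROLE = "Api.Read"                     # assumed app role defined on the API
SAMPLE_EXP = 1555425600                        # constructed expiry (2019-04-16)


def _b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that the JWT encoding strips
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_sample_token(claims: dict) -> str:
    """Assemble header.payload.signature for a constructed token."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Parse the payload segment only (what jwt.io shows); no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def authorize_app_token(token: str, expected_aud: str, required_role: str,
                        now: Optional[int] = None) -> Tuple[bool, str]:
    """Decision an API should make for a client-credentials token.

    A token with a valid audience and expiry but no 'roles' claim is exactly
    what an app without granted permissions receives: issued, but useless.
    """
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    if claims.get("aud") != expected_aud:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # Application permissions live in 'roles'; delegated ones would be in 'scp'
    roles = claims.get("roles", [])
    if required_role not in roles:
        return False, "missing app role"
    return True, "ok"


# Token for an app that was never granted any permission on the API:
# it still carries aud/appid/exp, but no 'roles' claim at all.
TOKEN_NO_ROLES = make_sample_token({
    "aud": EXPECTED_AUDIENCE,
    "appid": "11111111-2222-3333-4444-555555555555",  # constructed client id
    "exp": SAMPLE_EXP,
})

# Token for an app that was granted the Api.Read application permission.
TOKEN_WITH_ROLE = make_sample_token({
    "aud": EXPECTED_AUDIENCE,
    "appid": "66666666-7777-8888-9999-000000000000",  # constructed client id
    "exp": SAMPLE_EXP,
    "roles": [REQUIRED_ROLE],
})

if __name__ == "__main__":
    fixed_now = SAMPLE_EXP - 600
    for name, tok in (("no roles", TOKEN_NO_ROLES), ("with role", TOKEN_WITH_ROLE)):
        print(name, authorize_app_token(tok, EXPECTED_AUDIENCE, REQUIRED_ROLE, now=fixed_now))
```

The check reproduces what the answer describes: the token for the unprivileged app decodes fine and has the right audience, but `roles` is absent, so the API refuses it. For delegated permissions the same structure applies with the `scp` claim instead of `roles`.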