How to get an Azure access_token from an Azure Function app with an id_token?
I am trying to obtain authorization and access and refresh tokens when a user accesses an anonymous Function App.
I have followed this tutorial to use B2C tenant authorization for the Function App.
I can get the id_token in the Function App with this. To get the token, I pasted the address of the Function App into the browser:
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Http;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Azure.WebJobs;
    using Microsoft.Azure.WebJobs.Extensions.Http;
    using Microsoft.Extensions.Logging;

    public static async Task<IActionResult> Run([HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req, ILogger log)
    {
        string code = null;
        foreach (var h in req.Headers)
        {
            // App Service Authentication injects the signed-in user's id_token in this header
            if (h.Key.Equals("X-MS-TOKEN-AAD-ID-TOKEN"))
                code += h.Value; // authorisation id_token to get access_token
        }
        return new OkObjectResult(code);
    }
I have tried several tutorials for getting the access/refresh tokens, and this is the one I could follow/understand: I see in Fiddler that I get the id_token at https://tenantName.azurewebsites.net/.auth/login/aad/callback; but on the next line, the GET request to https://functionAppName.azurewebsites.net/api/functionName responds with a server error, "404 - File or directory not found.":
    using System.Net.Http;
    using System.Text;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Http;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Azure.WebJobs;
    using Microsoft.Azure.WebJobs.Extensions.Http;
    using Microsoft.Extensions.Logging;
    using Newtonsoft.Json;

    private static readonly HttpClient httpClient = new HttpClient();

    public static async Task<IActionResult> Run([HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req, ILogger log)
    {
        string code = null;
        foreach (var h in req.Headers)
        {
            if (h.Key.Equals("X-MS-TOKEN-AAD-ID-TOKEN"))
                code += h.Value; // id_token injected by App Service Authentication
        }

        string clientId = "B2CApplication-ApiID"; // placeholder: application ID of B2CApplication-Api
        var content = new StringContent(
            "grant_type=refresh_token" +
            "&client_id=" + clientId +
            "&redirect_uri=" + "https://functionapp.azurewebsites.net/.auth/login/aad/callback" +
            "&client_secret=" + "XXX" +
            "&code=" + code +
            "&scope=user.read" +
            "&resource=" + "https://graph.microsoft.com", // also tried https://graph.microsoft.com/.default
            Encoding.UTF8,
            "application/x-www-form-urlencoded");

        string baseUrl = "https://tenantName.b2clogin.com/tenantName.onmicrosoft.com/oauth2/v2.0/token";
        var response = await httpClient.PostAsync(baseUrl, content);
        var result = await response.Content.ReadAsStringAsync();

        dynamic json = JsonConvert.DeserializeObject(result);
        string token_value = (string)json.access_token;
        string refresh_value = (string)json.refresh_token;
        return (ActionResult)new OkObjectResult($"Complete {token_value}");
    }
These are the settings:
Azure AD B2C Tenant
Domain Name: tenantName.onmicrosoft.com
Applications: B2CApplication-Api
WebApp/API : Yes
Allow Implicit Flow : Yes
Reply Url : https://functionapp.azurewebsites.net/.auth/login/aad/callback
App ID : https://tenantName.onmicrosoft.com/B2CApplication-Api
Add URI (optional): identityauth
Include Native client: No
Secret key: XXX
Reply URL: https://tenantName.azurewebsites.net/.auth/login/aad/callback
API Access to Microsoft Graph: Read User Profile with granted admin consent
Published Scope read: https://tenantName.onmicrosoft.com/identityauth/read
Published Scope user_impersonation: https://tenantName.onmicrosoft.com/identityauth/user_impersonation
User Flows
SignupSignIn, Password reset, profile editing
Application : B2CApplication-Api
Reply Url : https://tenantName.azurewebsites.net/.auth/login/aad/callback
Azure Function: Anonymous
App Service Authentication : On
Action to take when not authenticated : Login with Azure AD
Authentication provider : Azure AAD
Management Mode : Advanced
client id : B2C-Application-ApplicationID
issuer url : https://tenantName.b2clogin.com/tenantName.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signinsignoutpolicy
Allowed Token Audiences: B2C-Application-Application_ID
Azure AD B2C access tokens can only be used to access your own protected resources.
We cannot use an access token issued by Azure AD B2C to call the Microsoft Graph API. You must have the user call your API, and your API needs to use client_credentials to obtain a token for the Graph API.
Also, https://graph.microsoft.com is used for resource (v1.0), and https://graph.microsoft.com/.default is used for scope (v2.0). For details, see this article.
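The pattern the answer describes, as an added example that is not code from the question or the answer: the function lets App Service Authentication sign the user in with the B2C user flow, accepts the request only when the Easy Auth id_token header is present, and then calls Graph with the API's own identity via client_credentials against the v2.0 endpoint (so `scope=https://graph.microsoft.com/.default`, not `resource`). The app setting names, the `X-MS-CLIENT-PRINCIPAL-ID` header lookup and the Graph query are assumptions made for this example; the app registration used for Graph is a separate registration in the directory behind the B2C tenant, holding the Graph application permissions it needs, and its secret is read from configuration rather than embedded in code as in the question.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

public static class GraphViaClientCredentials
{
    // One HttpClient for the host lifetime (avoids socket exhaustion).
    private static readonly HttpClient httpClient = new HttpClient();

    // Assumed app settings (placeholder names, not from the question):
    //   GRAPH_TENANT        -> e.g. tenantName.onmicrosoft.com (the directory behind the B2C tenant)
    //   GRAPH_CLIENT_ID     -> app registered in that directory with Graph *application* permissions
    //   GRAPH_CLIENT_SECRET -> its secret, supplied via app settings / Key Vault reference, never in code
    private static readonly string Tenant = Environment.GetEnvironmentVariable("GRAPH_TENANT");
    private static readonly string ClientId = Environment.GetEnvironmentVariable("GRAPH_CLIENT_ID");
    private static readonly string ClientSecret = Environment.GetEnvironmentVariable("GRAPH_CLIENT_SECRET");

    [FunctionName("GraphViaClientCredentials")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = null)] HttpRequest req,
        ILogger log)
    {
        // App Service Authentication has already run the B2C user flow and injects the user's
        // id_token here. The header is trustworthy only because Easy Auth fronts the function;
        // fail closed anyway if it is absent (e.g. auth accidentally switched off).
        if (!req.Headers.TryGetValue("X-MS-TOKEN-AAD-ID-TOKEN", out var idToken) ||
            string.IsNullOrEmpty(idToken))
        {
            return new UnauthorizedResult();
        }

        // Assumption: Easy Auth also exposes the signed-in user's object id in this header.
        if (!req.Headers.TryGetValue("X-MS-CLIENT-PRINCIPAL-ID", out var userObjectId) ||
            string.IsNullOrEmpty(userObjectId))
        {
            return new UnauthorizedResult();
        }

        // The B2C id_token identifies the caller but cannot be exchanged for a Graph token,
        // so Graph is called with the API's own identity instead.
        string graphToken = await GetGraphTokenAsync();

        // Look up the signed-in user's directory object with the application token.
        var graphRequest = new HttpRequestMessage(HttpMethod.Get,
            "https://graph.microsoft.com/v1.0/users/" + Uri.EscapeDataString(userObjectId) +
            "?$select=id,displayName");
        graphRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", graphToken);

        HttpResponseMessage graphResponse = await httpClient.SendAsync(graphRequest);
        string body = await graphResponse.Content.ReadAsStringAsync();
        if (!graphResponse.IsSuccessStatusCode)
        {
            log.LogError("Graph call failed with {Status}", graphResponse.StatusCode);
            return new StatusCodeResult(StatusCodes.Status502BadGateway);
        }
        return new ContentResult { Content = body, ContentType = "application/json", StatusCode = 200 };
    }

    // client_credentials against the v2.0 token endpoint: scope=<resource>/.default, no resource= parameter.
    private static async Task<string> GetGraphTokenAsync()
    {
        var tokenRequest = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["client_id"] = ClientId,
            ["client_secret"] = ClientSecret,
            ["scope"] = "https://graph.microsoft.com/.default",
        });

        string tokenEndpoint = $"https://login.microsoftonline.com/{Tenant}/oauth2/v2.0/token";
        HttpResponseMessage response = await httpClient.PostAsync(tokenEndpoint, tokenRequest);
        string json = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
        {
            // Surface the error code only; the full body can contain details not meant for callers.
            using var errDoc = JsonDocument.Parse(json);
            string error = errDoc.RootElement.TryGetProperty("error", out var e) ? e.GetString() : "unknown";
            throw new InvalidOperationException($"Token request failed: {error}");
        }

        using var doc = JsonDocument.Parse(json);
        return doc.RootElement.GetProperty("access_token").GetString();
    }
}
```

`FormUrlEncodedContent` takes care of percent-encoding the body, which the string concatenation in the question does not; the token returned here is an application token for Graph, so the function itself, not the B2C user, is the principal Graph authorizes, and the permissions granted to the Graph registration define what that function can read.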