Azure B2C client credentials grant

Submitted by 匆匆过客 on 2019-12-04 03:03:50

Question


I’ve implemented Azure B2C for user login/logout and can get the id_token and pass it to my web API for authorization, all works well. Now, I have some Web API methods that should be only accessed by the client web application (ASP.NET 4.6) which means OAuth 2.0 "client credentials grant". I’ve done a lot of research and the closest I could find is this quick-start which uses ADAL in a B2C application to call Graph API.

I followed along and got to the point where I’m trying to get the client access token as in the code below. However, no matter what I pass to the AcquireToken method as the resource, I keep getting an error that the application name I’m passing doesn’t exist in the tenant. I’m actually not sure what I should pass, since in the B2C world you do not register your Web API as an application but rather you have one application ID for all your Apps.

Is the above scenario supported, and how can I do it?

public async Task<string> SendGraphGetRequest(string api, string query)
{
    // First, use ADAL to acquire a token by using the app's identity (the credential)
    // The first parameter is the resource we want an access_token for; in this case, the Graph API.
    //*** In my case I want to replace the graph API URL with my own WebAPI
    AuthenticationResult result = authContext.AcquireToken("https://graph.windows.net", credential);
    // ... (the rest of the method is not shown in the post)
}

Answer 1:


See this link that describes the Azure Active Directory B2C limitations. The quick-start you referenced is using the client credentials grant, which is not yet supported in Azure AD B2C.

Under the section Daemons / server-side applications it reads:

"Applications that contain long-running processes or that operate without the presence of a user also need a way to access secured resources, such as Web APIs. These applications can authenticate and get tokens by using the application's identity (rather than a consumer's delegated identity) in the OAuth 2.0 client credentials flow. This flow is not yet available in Azure AD B2C, so for now, applications can get tokens only after an interactive consumer sign-in flow has occurred."

I believe this feature (OAuth client credentials grant type support) is on the B2C roadmap and when it is released, the steps in that quick start should work.




Answer 2:


It is a well-documented limitation. I have created a user voice request on the feedback portal.

You can vote for it and wait for the Development Team to implement it.



Source: https://stackoverflow.com/questions/40310659/azure-b2c-client-credentials-grant
