问题
I have a Web API written using asp.net core. This API will be used to communicate with several other services registered in AAD, which all could be made using different technologies like an MVC application written in asp.net core or a single page application written in Vue.JS. The latter is causing me issues as the SPA won't be run by an application web server and rather something like nginx or apache and therefor won't be able to use a client secret.
I have added API permissions for my API to my apps.
How would I achieve this? I'm currently sending an access token using the Authorization: Bearer access_token header from the client app to the API, but since the client app and the API aren't the same app in the AAD, it's causing issues.
Here's the flow I'm trying to achieve:
All of the requested apps require you to login to the AAD and when requesting data from the API, they'll send the JWT token, which then should validate the token before returning the requested resource back to the client application.
回答1:
It seems you misunderstand something . You can register your each client as independent application in Azure AD , and assign access permission for your web api .
The latter is causing me issues as the SPA won't be run by an application web server and rather something like nginx or apache and therefor won't be able to use a client secret.
SPA application use Implicit grant flow , so that it doesn't need the client secret when acquiring token .SPA could be independent app , you should provide client id when making authentication with AAD. After getting access token , you could create http request with Authorization: Bearer access_tokenheader for accessing your web api .
Each client(web/spa/native) will acquire access token for accessing web api . On web api side , you just need to validate the token .Validate the claims(issuer,audience) and signature .
来源:https://stackoverflow.com/questions/57691531/azure-ad-connect-multiple-apps-to-single-web-api