Authenticating to and displaying a view of an Azure AD-secured web application from a third-party application

Problem description:

Background: I have an MVC 5 Web App hosted in Azure App Service as a Web App and secured with Azure AD; anybody with valid AD credentials can authenticate themselves and view all HTML content in the Web App.

Objective: I need to give just one of these MVC views to outside individuals to view. For this we have already created a User in Azure AD whose details we will share with the outside world. Hence, the third party will need to write some code to authenticate to our Azure AD and view this HTML content non-interactively (which means without allowing the third-party app to prompt for user credentials from Azure AD).

My thoughts

Assume that I am the third party: I am going to authenticate to Azure AD from a Console/WinForms/HTML page and get myself a token; then I will use the token to open up a browser to view this page.

Challenges I see: session expiration, session validity.

Putting it all into a picture

Please show me some guidance to accomplish the objective.

Hence, the third party will need to write some code to authenticate to our Azure AD and view this HTML content non-interactively (which means without allowing the third-party app to prompt for user credentials from Azure AD).

Per my understanding, you could leverage the OAuth 2.0 Client Credentials Grant Flow by using the client_id and client_secret.

Also, you could use OAuth 2 Resource Owner Password Credentials grant. Note: The resource owner password grant doesn't provide consent and doesn't support MFA either. Detailed tutorial, you could follow here.

Based on the authentication implementation part in your Web App, you could follow the approaches below to implement your scenario:

You do not need to modify any code in your Web App project.

For using the Microsoft.Owin.Security.OpenIdConnect middleware

You could use the Microsoft.Owin.Security.ActiveDirectory package in your Web App to support AAD bearer token authentication, and this middleware needs to be configured before the other authentication middleware as follows:

// Startup.Auth.cs, using the Microsoft.Owin.Security.ActiveDirectory package
using Microsoft.Owin.Security.ActiveDirectory;

// Register the AAD bearer-token middleware first, so that a request carrying an
// "Authorization: Bearer ..." header is validated here before the cookie /
// OpenID Connect middleware redirects unauthenticated callers to sign in.
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Audience = "{the-AAD-clientId}", // the token's "aud" claim must match this value
        Tenant = "{TenantId}"
    });

// The existing middleware stays after the bearer middleware:
// app.UseCookieAuthentication(...);
// app.UseOpenIdConnectAuthentication(...);

For the client (the third party), they could leverage the above two flows (Client Credentials Grant Flow, Resource Owner Password Credentials Grant Flow) to retrieve the access token without user interaction. Then they could access the specific view page by using the token as follows:

GET https://{your-app-name}.azurewebsites.net/home/index
Authorization: Bearer {the-AAD-accessToken-or-IdToken}

For retrieving the token, you could follow this tutorial for using User Password Credential flow. For Client Credential, you could just construct the ClientCredential instance when invoking AcquireTokenAsync for getting the token.

Additionally, you could create a new AAD application for this scenario or just use the AAD application of your current Web App. Moreover, there may be risks in exposing the username & password or clientId & ClientSecret to the third party, so for security reasons I would recommend you expose a new endpoint in your Web App backend that generates the token and returns it to the third party.
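As an added example (not code from the original answer), here is the client-side half of the flow described above: an ADAL.NET console client that constructs a ClientCredential, calls AcquireTokenAsync for the Client Credentials flow, and then requests the protected view with the bearer header. All {placeholder} values are assumptions you must replace, and the Resource value is assumed to equal the Audience configured in the web app's bearer middleware.

```csharp
// Added example: third-party console client using the OAuth 2.0 Client Credentials
// flow with ADAL.NET (Microsoft.IdentityModel.Clients.ActiveDirectory), then calling
// the bearer-protected MVC view. Every {placeholder} below is an assumption.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

class Program
{
    // Tenant-specific authority used to issue the token.
    const string Authority = "https://login.microsoftonline.com/{TenantId}";
    // Credentials of the AAD application registered for the third party.
    const string ClientId = "{third-party-AAD-clientId}";
    const string ClientSecret = "{third-party-AAD-clientSecret}";
    // Must equal the Audience set in WindowsAzureActiveDirectoryBearerAuthenticationOptions,
    // otherwise the token's "aud" claim will not validate and the app answers 401.
    const string Resource = "{the-AAD-clientId}";
    const string ViewUrl = "https://{your-app-name}.azurewebsites.net/home/index";

    static async Task Main()
    {
        var authContext = new AuthenticationContext(Authority);
        var credential = new ClientCredential(ClientId, ClientSecret);

        // Non-interactive: the application authenticates as itself, no user prompt.
        AuthenticationResult result = await authContext.AcquireTokenAsync(Resource, credential);

        // result.ExpiresOn answers the "session expiration" concern: acquire a new
        // token (ADAL serves a cached one until it nears expiry) rather than reusing
        // an expired one, which the bearer middleware rejects.
        Console.WriteLine($"Token valid until {result.ExpiresOn:u}");

        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", result.AccessToken);

            HttpResponseMessage response = await http.GetAsync(ViewUrl);
            if (response.StatusCode == HttpStatusCode.Unauthorized)
            {
                // Typical causes: Resource != Audience, or the bearer middleware was
                // registered after the cookie / OpenID Connect middleware.
                Console.WriteLine("401: the web app rejected the bearer token");
                return;
            }
            response.EnsureSuccessStatusCode();
            Console.WriteLine(await response.Content.ReadAsStringAsync());
        }
    }
}
```

The example deliberately uses only the Client Credentials flow, so the user's password never has to be handed to the third party.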