Pou*_*sen 11 azure azure-active-directory azure-keyvault
以下是在控制台应用程序和ClientID中,RedirectUri来自azure活动目录中创建的本机应用程序.
var authContext = new AuthenticationContext(string.Format("https://login.windows.net/{0}","common"),new FileCache());
var token = authContext.AcquireToken("https://management.core.windows.net/", ClientID, RedirectUri, PromptBehavior.Auto);
我现在有与管理api交谈的令牌.
using (var client = new KeyVaultManagementClient(new TokenCloudCredentials(SubscriptionId, token.AccessToken)))
{
var a = client.Vaults.List(resourceGroup, 10);
foreach(var vault in a.Vaults)
{
var vaultInfo = client.Vaults.Get(resourceGroup, vault.Name);
Console.WriteLine(JsonConvert.SerializeObject(vaultInfo.Vault, Formatting.Indented));
//Verifying that the AccessPolicies contains my object id (pasting idtoken into jwt.io and compare with oid claim) Success.
// Now its time to talk with keyvault
var keyvault = new KeyVaultClient(GetAccessTokenAsync);
var secrets = keyvault.GetSecretsAsync(vaultInfo.Vault.Properties.VaultUri).GetAwaiter().GetResult();
}
}
private static Task<string> GetAccessTokenAsync(string authority, string resource, string scope)
{
var context = new AuthenticationContext(authority, new FileCache());
var result = context.AcquireToken(resource, new ClientCredential(AppClientId,AppKey));
return Task.FromResult(result.AccessToken);
}
以上工作,但要求我在我的AD上创建一个单独的应用程序,可以与keyvault交谈.我想用自己的ID与keyvault交谈,但我无法弄清楚如何获得keyvault客户端所需的访问令牌.
我是否需要更新azure manuel上的清单并添加我的控制台应用程序是否允许代表用户获取keyvault的令牌?需要在GetAccessTokenAsync中更改哪些代码才能使其正常工作.
我尝试从公共端点的初始令牌请求中仅提供访问或id令牌.有没有人建议如何代表我自己的id而不是应用程序与azure密钥保管库交谈?
所以看着我发现我的令牌的标题是缺少vault.azure.net作为资源,因此尝试:
var testtoken = authContext.AcquireToken("https://vault.azure.net", ClientID, RedirectUri);
给出以下错误:
AADSTS65005:客户端应用程序已请求访问资源" https://vault.azure.net ".此请求失败,因为客户端未在其requiredResourceAccess列表中指定此资源.
并查看当前的清单:
"requiredResourceAccess": [
{
"resourceAppId": "797f4846-ba00-4fd7-ba43-dac1f8f63013",
"resourceAccess": [
{
"id": "41094075-9dad-400e-a0bd-54e686782033",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"type": "Scope"
}
]
}
],
我怎么知道keyvault的范围和resourceAppId使用什么guid?
在我知道如何获取resourceAppId和相关信息之前,我正在使用冒充PowerShell工具的旧技巧.
var vaultToken = authContext.AcquireToken("https://vault.azure.net", "1950a258-227b-4e31-a9cf-717495945fc2", new Uri("urn:ietf:wg:oauth:2.0:oob"));
var keyvault = new KeyVaultClient((_, b, c) => Task.FromResult(vaultToken.AccessToken));
var secrets = keyvault.GetSecretsAsync(vaultInfo.Vault.Properties.VaultUri).GetAwaiter().GetResult();
来源:http: //www.s-innovations.net/Blog/2014/02/12/Controlling-the-login-flow-when-using-ADAL-for-WAML请先阅读博客文章中的@bradygaster评论使用powershells clientid.
你走在正确的轨道上!您需要配置 AAD,以便能够专门授权用户访问 KeyVault。尝试将以下内容添加到您的清单中。
{
"resourceAppId": "cfa8b339-82a2-471a-a3c9-0fc0be7a4093",
"resourceAccess": [
{
"id": "f53da476-18e3-4152-8e01-aec403e6edc0",
"type": "Scope"
}
]
}
如果这不起作用,您可以通过访问旧门户,导航到 AAD、您的 AAD 租户、您的应用程序,然后在“其他应用程序的权限”部分下添加“Azure Key Vault”来执行此操作。 “配置”选项卡。
| 归档时间: |
|
| 查看次数: |
3582 次 |
| 最近记录: |