I have been looking at the official "Authenticating to Azure AD in daemon apps with certificates" Azure Active Directory sample on GitHub (the Azure Active Directory daemon client using certificates sample). The Web API service does not seem to have any knowledge of the client:
- You are not told to log in to Azure and use the "Permissions to other applications" section to add permission for the daemon client to access the Web API.
- The Web API controller action does not check the caller's claims to make sure it is the client application. It has code like this, although I do not fully understand it:
```csharp
public IEnumerable Get()
{
    //
    // The Scope claim tells you what permissions the client application has in the service.
    // In this case we look for a scope value of user_impersonation, or full access to the service as the user.
    //
    Claim scopeClaim = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/scope");
    if (scopeClaim != null)
    {
        if (scopeClaim.Value != "user_impersonation")
        {
            throw new HttpResponseException(new HttpResponseMessage
            {
                StatusCode = HttpStatusCode.Unauthorized,
                ReasonPhrase = "The Scope claim does not contain 'user_impersonation' or scope claim not found"
            });
        }
    }

    // A user's To Do list is keyed off of the NameIdentifier claim, which contains an immutable, unique identifier for the user.
    Claim subject = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier);

    return from todo in todoBag
           where todo.Owner == subject.Value
           select todo;
}
```
I am wondering whether, with the way this sample is set up, any client registered in my Azure AD can access the Web API. Is that correct?
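One way the Web API could verify which application is calling it, as an added example that is not code from the Azure AD sample: an ASP.NET Web API authorization filter that checks the caller's `appid` claim against an allow-list of client IDs and requires an application role in the `roles` claim. Azure AD v1 client-credentials tokens carry `appid` and, when application permissions are granted, `roles`, but no `scp` claim, which is why the sample's `user_impersonation` check is skipped for a daemon. The names `RequireDaemonClientAttribute`, `AllowedClientIds`, `RequiredAppRole` and the placeholder client ID are assumptions.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical filter for the sample's TodoListService: it rejects any token that was not
// issued to an explicitly allowed client application carrying the expected application role.
public class RequireDaemonClientAttribute : AuthorizationFilterAttribute
{
    // Constructed placeholder: replace with the client ID(s) of the daemon app registered in your tenant.
    private static readonly string[] AllowedClientIds = { "00000000-0000-0000-0000-000000000000" };

    // Assumed application permission defined on the Web API's app registration and granted to the daemon.
    private const string RequiredAppRole = "Todo.ReadWrite.All";

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            Reject(actionContext, "No authenticated caller");
            return;
        }

        // 'appid' identifies the client application the token was issued to.
        string appId = principal.FindFirst("appid")?.Value;
        if (appId == null || !AllowedClientIds.Contains(appId, StringComparer.OrdinalIgnoreCase))
        {
            Reject(actionContext, "Calling application is not allowed");
            return;
        }

        // Application permissions granted to the client appear in 'roles'; the JWT handler
        // may surface them as ClaimTypes.Role, so both claim types are checked.
        bool hasRole = principal.FindAll(ClaimTypes.Role).Concat(principal.FindAll("roles"))
                                .Any(c => c.Value == RequiredAppRole);
        if (!hasRole)
        {
            Reject(actionContext, "Required application role is missing");
        }
    }

    private static void Reject(HttpActionContext ctx, string reason)
    {
        ctx.Response = ctx.Request.CreateResponse(HttpStatusCode.Forbidden, reason);
    }
}
```

Apply it as `[RequireDaemonClient]` on the controller next to `[Authorize]`, and grant the daemon the application permission in the Web API's registration so the `roles` claim is actually issued.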