I have been looking at the official "Authenticating to Azure AD in daemon apps with certificates" sample from the Azure Active Directory samples on GitHub (the Azure Active Directory daemon client using certificates). The Web API service does not seem to have any knowledge of the client:
- You are not told to log in to Azure and use the "Permissions to other applications" section to grant the daemon client permission to access the Web API.
- The Web API controller action does not check the caller's claims to make sure it is the client application. It has this code, which I don't fully understand:
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http;

public IEnumerable<TodoItem> Get()
{
    // The Scope claim tells you what permissions the client application has in the service.
    // In this case we look for a scope value of user_impersonation, or full access to the service as the user.
    Claim scopeClaim = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/scope");
    if (scopeClaim != null)
    {
        if (scopeClaim.Value != "user_impersonation")
        {
            throw new HttpResponseException(new HttpResponseMessage
            {
                StatusCode = HttpStatusCode.Unauthorized,
                ReasonPhrase = "The Scope claim does not contain 'user_impersonation' or scope claim not found"
            });
        }
    }
    // Note: a token with no scope claim at all is not rejected by the check above.

    // A user's To Do list is keyed off of the NameIdentifier claim, which contains an immutable, unique identifier for the user.
    Claim subject = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier);
    return from todo in todoBag
           where todo.Owner == subject.Value
           select todo;
}
I am thinking that, with the way this sample is set up, any client registered in my Azure AD can access the Web API. Please correct me if I am wrong.
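For comparison, here is an added authorization helper (my own example, not code from the Azure AD sample) showing how a Web API could distinguish delegated tokens from app-only daemon tokens: it requires user_impersonation in the scope claim for user tokens, and for tokens without a scope claim it requires both a known client application ID (the appid claim) and an application role in the roles claim. The allow-listed application ID and the role name Todo.ReadWrite are placeholders I made up.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class CallerAuthorization
{
    const string ScopeClaim = "http://schemas.microsoft.com/identity/claims/scope";
    const string AppIdClaim = "appid"; // Azure AD claim naming the client application
    const string RolesClaim = "roles"; // application roles granted to the calling app

    // Hypothetical allow-list of daemon client application IDs (placeholder value).
    static readonly HashSet<string> AllowedAppIds = new HashSet<string> { "<daemon-client-app-id>" };

    public static bool IsAuthorized(ClaimsPrincipal caller)
    {
        string scopes = caller.FindFirst(ScopeClaim)?.Value;
        if (scopes != null)
        {
            // Delegated (user) token: the scope claim is a space-separated list.
            return scopes.Split(' ').Contains("user_impersonation");
        }

        // No scope claim: treat as an app-only token. The sample's "if (scopeClaim != null)"
        // check falls through here and allows the call; instead require a known app ID
        // and an application role (hypothetical role name Todo.ReadWrite).
        string appId = caller.FindFirst(AppIdClaim)?.Value;
        bool knownApp = appId != null && AllowedAppIds.Contains(appId);
        bool hasAppRole = caller.FindAll(RolesClaim).Any(r => r.Value == "Todo.ReadWrite");
        return knownApp && hasAppRole;
    }

    // Constructed sample principals standing in for decoded bearer tokens.
    public static void Main()
    {
        var delegated = Principal(new Claim(ScopeClaim, "user_impersonation"));
        var daemon = Principal(new Claim(AppIdClaim, "<daemon-client-app-id>"),
                               new Claim(RolesClaim, "Todo.ReadWrite"));
        var stranger = Principal(new Claim(AppIdClaim, "<some-other-app-id>"));

        Console.WriteLine("delegated user token: " + IsAuthorized(delegated));
        Console.WriteLine("registered daemon:    " + IsAuthorized(daemon));
        Console.WriteLine("unknown application:  " + IsAuthorized(stranger));
    }

    static ClaimsPrincipal Principal(params Claim[] claims) =>
        new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer"));
}
```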