Configuring Azure Active Directory to provision users to a SCIM-enabled web application using the OAuth 2.0 client credentials grant type to obtain an access token (OAuth bearer token) from the web application's OAuth authorization server's token endpoint

Problem description

I'm looking through this documentation https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups for configuring a non-gallery application to automatically provision users from Azure AD to the non-gallery app and I don't see anything about how to get OAuth access tokens (OAuth bearer token) from an OAuth authorization server's token endpoint that the non-gallery application uses.

Step 7 of "To connect an application that supports SCIM:" states:

  If the SCIM endpoint requires an OAuth bearer token from an issuer other than Azure AD, then copy the required OAuth bearer token into the optional Secret Token field. If this field is left blank, then Azure AD includes an OAuth bearer token issued from Azure AD with each request. Apps that use Azure AD as an identity provider can validate this Azure AD-issued token.

which seems to imply you can use a static OAuth bearer token that never expires (which doesn't seem any more secure than having a shared secret between the application and Azure AD) or configure the app to use Azure AD as the identity provider (which I take to mean configure the application to go to Azure AD to validate/verify the OAuth access token).

Questions:

  1. Does Azure AD support using the client credentials grant type to request an OAuth access token from the non-gallery application's OAuth authorization server?
  2. Where can I find more documentation on configuring applications to "use Azure AD as an identity provider" (i.e. to validate / verify the Azure AD OAuth bearer token issued)?
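The two token modes the question contrasts can be made concrete. The following is an added example, not code from the asker, from Microsoft, or from the Azure AD provisioning service; it does not settle whether Azure AD can perform the client credentials grant against a third-party token endpoint (the page leaves that open). It models both sides of the exchange as plain functions instead of HTTP servers: a hypothetical token endpoint at the web application's authorization server that accepts `grant_type=client_credentials` from a registered client (the constructed client id `azure-ad-provisioner`, secret and scope name `scim.write` are assumptions), and the SCIM endpoint's bearer check, which either compares against a pasted static "Secret Token" or looks up a token the endpoint issued and enforces its expiry.

```python
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs

# Constructed client registration at the web application's hypothetical
# authorization server: the provisioning service (Azure AD, in the question)
# is just another confidential client with an id and a secret.
CLIENTS = {
    "azure-ad-provisioner": {"secret": "constructed-client-secret", "scopes": {"scim.write"}},
}
TOKEN_LIFETIME = 3600  # seconds; issued tokens expire, unlike a pasted static secret
ISSUED = {}            # sha256(token) -> (client_id, scope, expiry); never store tokens in clear


def token_endpoint(body, now=None):
    """Token endpoint for the client credentials grant.

    `body` is the application/x-www-form-urlencoded request body (RFC 6749 section 4.4).
    Returns (http_status, response_dict) as the server would answer.
    """
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    client = CLIENTS.get(form.get("client_id", ""))
    # Constant-time comparison: a wrong secret must not fail faster than a right one.
    if client is None or not hmac.compare_digest(
        client["secret"].encode(), form.get("client_secret", "").encode()
    ):
        return 401, {"error": "invalid_client"}
    scope = form.get("scope", "")
    if scope and not set(scope.split()) <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    ISSUED[hashlib.sha256(token.encode()).hexdigest()] = (form["client_id"], scope, now + TOKEN_LIFETIME)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_LIFETIME}


def scim_authorize(headers, static_secret=None, now=None):
    """Check the Authorization header of an incoming SCIM request.

    static_secret set  -> the docs' "Secret Token" mode: one long-lived pasted value.
    static_secret None -> the token must have been issued by token_endpoint above.
    Returns (allowed, reason_or_client_id).
    """
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False, "missing_bearer"
    if static_secret is not None:
        if hmac.compare_digest(static_secret.encode(), token.encode()):
            return True, "static-secret"
        return False, "bad_secret"
    entry = ISSUED.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None:
        return False, "unknown_token"
    client_id, scope, expiry = entry
    if now >= expiry:
        return False, "expired"
    if "scim.write" not in scope.split():
        return False, "insufficient_scope"
    return True, client_id


def run_exchange(now=1_700_000_000):
    """Both sides of the exchange the question describes, at a fixed clock."""
    request = (
        "grant_type=client_credentials&client_id=azure-ad-provisioner"
        "&client_secret=constructed-client-secret&scope=scim.write"
    )
    status, resp = token_endpoint(request, now=now)
    if status != 200:
        return {"token_status": status}
    hdr = {"Authorization": f"{resp['token_type']} {resp['access_token']}"}
    return {
        "token_status": status,
        "fresh": scim_authorize(hdr, now=now + 60),
        "after_expiry": scim_authorize(hdr, now=now + resp["expires_in"]),
        "static_ok": scim_authorize({"Authorization": "Bearer pasted-secret"}, static_secret="pasted-secret"),
    }


if __name__ == "__main__":
    print(json.dumps(run_exchange(), indent=2))
```

Run it directly to see the issued token accepted a minute later and rejected once `expires_in` has elapsed, while the static secret is accepted indefinitely; that expiry difference, plus the ability to rotate the client secret without touching the Secret Token field in the provisioning configuration, is what the client credentials route buys over a pasted long-lived token. Azure AD's own issued token (the "leave the field blank" mode) is a signed JWT and would instead be validated against the tenant's published signing keys, issuer and audience, which this offline example does not model.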
Solution



10-23 22:59