Which OIDC flow allows users to exchange credentials for a token?

Question

I have a SPA secured with AAD B2C. The SPA talks to APIs also secured with AAD B2C. Right now, users can copy/paste the authorization header from Chrome to a tool like Postman and call APIs directly.

I'd like to make this step a little easier for users. I suspect there's a token grant flow that allows a user to call https://login.microsoftonline.com/common/oauth2/v2.0/token and exchange username and password for a bearer token.

I can't find a reference to any such flow. Can you point me in the right direction?

There are too many users for me to create an AppID/Secret for each one.


Answer 1

Score: 1


It depends what you mean by users. If they are just internal testers you can configure an Azure resource owner password client and testers can be given its client ID and secret, then post their own username and password to get tokens.

This flow can be convenient for testing, but is not recommended for production usage. E.g. in OAuth 2.1 it has been removed. So perhaps avoid adding such a client to the production stage of your deployment pipeline.
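The grant the answer describes is the OAuth 2.0 resource owner password credentials (ROPC) grant: a test client posts `grant_type=password` together with the tester's username and password to the token endpoint and receives a bearer token. The following Python script is an added example, not code from the question or the answer. It builds that request against the `login.microsoftonline.com/{tenant}/oauth2/v2.0/token` endpoint named in the question (a B2C tenant normally uses its own `b2clogin.com` host and user-flow path instead; that host, the `TOKEN_ENDPOINT_TEMPLATE` name and the client identifiers are assumptions), and it parses a constructed token response so the reader can see which audience and scopes the resulting token carries before pasting it into a tool like Postman. The payload decoding is for inspection only; it does not verify the signature, which remains the API's job.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Endpoint shape taken from the question. A B2C tenant usually exposes the token
# endpoint under its own b2clogin.com host and user-flow path (assumption).
TOKEN_ENDPOINT_TEMPLATE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_ropc_request(tenant, client_id, username, password, scope, client_secret=None):
    """Return (url, form_body) for an OAuth 2.0 password grant (RFC 6749 §4.3).

    The body is application/x-www-form-urlencoded; client_secret is only sent
    for confidential test clients, as the answer suggests for internal testers.
    """
    url = TOKEN_ENDPOINT_TEMPLATE.format(tenant=tenant)
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": scope,
    }
    if client_secret is not None:
        form["client_secret"] = client_secret
    return url, urlencode(form)


def _b64url_decode(segment):
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Decode the payload of a compact JWS WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def parse_token_response(raw_json, now=None):
    """Turn a token-endpoint JSON response into a summary a tester can act on."""
    now = time.time() if now is None else now
    payload = json.loads(raw_json)
    if "error" in payload:
        # AAD reports failures as {"error": ..., "error_description": ...}.
        raise RuntimeError(f"{payload['error']}: {payload.get('error_description', '')}")
    token = payload["access_token"]
    token_type = payload.get("token_type", "Bearer")
    claims = decode_jwt_claims(token)
    return {
        "access_token": token,
        "token_type": token_type,
        "expires_at": now + int(payload["expires_in"]),
        "audience": claims.get("aud"),
        "scopes": claims.get("scp", "").split(),
        "authorization_header": f"{token_type} {token}",
    }


def _make_sample_jwt(claims):
    """Build an unsigned, constructed JWT for the offline sample below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    signature = base64.urlsafe_b64encode(b"constructed-signature-placeholder").rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.{signature}"


# Constructed sample response; the audience, scopes and secret are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "expires_in": 3600,
    "access_token": _make_sample_jwt({
        "aud": "api://example-api",
        "scp": "read write",
        "sub": "constructed-subject",
    }),
})


if __name__ == "__main__":
    url, body = build_ropc_request(
        "contoso.onmicrosoft.com", "test-client-id", "tester@contoso.com",
        "tester-password", "openid api://example-api/.default", client_secret="test-client-secret",
    )
    print("POST", url)
    print(body)
    print(parse_token_response(SAMPLE_RESPONSE))
```

Sending the request is a plain `POST` of `body` with `Content-Type: application/x-www-form-urlencoded` to `url`; the summary's `authorization_header` value is exactly what a tester would paste into Postman. Because the grant carries the user's password in the request body and skips the interactive sign-in (and therefore MFA and conditional access), keeping the client confined to test environments, as the answer recommends, is the safe default.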

huangapple
  • Posted on 3 March 2023, 22:12:53
  • If reproducing, please keep the link to this post: https://go.coder-hub.com/75628166.html