我们有多个伙伴关系网核心网络信息预报系统,它们都从A.A.d和B.2C账户获得。 目前有一台ASPNET核心站点使用Adapken。
伙伴关系网的同一网站和APIC1号网站都要求使用AP2。 当WebSite或APIC2打电话时,我通过打电话被打脚。 GetAccess TokenForUserAsync , 并通过“https://ourdomain.co.uk/appid/access”等范围。
我现在要问一下F.unc1, 即需要打电话APIC1, 而第AP1号呼吁将导致第AP2号呼吁。 “Func1”是一种由时间组合引发的 da。 在F.unc1,我收到使用<密码>的APIC1号信号。 GetAccess TokenForAppAsync。 这一工作正在进行之中,我通过网站,我已暴露了AmpRole 1号申请,该申请已发给Func1。
AP1中的代码需要打上APIC2号,正试图通过打电话<代码>打脚。 GetAccess TokenForUserAsync。 很奇怪的是,这并不是因为没有用户账户。 我发现错误:
AADSTS7000114: Application 9dc73511-1987-4ede-9485-ad45923204ac is not allowed to make application on-behalf-of calls
- If the call to API1 was made with an App Token should all calls made to API2 from API1, within the same context use a token that was also obtained from GetAccessTokenForAppAsync
- The endpoint of API1 that AzureFunc1 is calling is the same as the one that is normally called in the context of a User. Is that bad practice?
- Is there a way of looking at the HttpContext in API1 and knowing that the calls are on behalf of an App rather than a User? The contents of the ClaimsPrincipal.Claims suggests there is.
- Assuming I can tell in API1 that I am being called in the context of an App rather than a User should I switch to use GetAccessTokenForAppAsync and expose some new AppRoles on API2?