Azure active directory 使用集成安全性获取Azure密钥保险库机密_Azure Active Directory_Adfs_Adal_Azure Ad Graph Api_Azure Keyvault

Azure active directory 使用集成安全性获取Azure密钥保险库机密

azure-active-directory

Azure active directory 使用集成安全性获取Azure密钥保险库机密,azure-active-directory,adfs,adal,azure-ad-graph-api,azure-keyvault,Azure Active Directory,Adfs,Adal,Azure Ad Graph Api,Azure Keyvault,我看到的所有关于获取访问Azure密钥库的访问令牌的示例都涉及使用ClientId和ClientSecret来请求已知资源的令牌这很好…但我希望能够使用集成安全性来获取访问密钥库的访问令牌例如，我有 const string VaultResource = "https://vault.azure.net"; var context = new AuthenticationContext(myTenantAuthority, false); // using integrated auth

我看到的所有关于获取访问Azure密钥库的访问令牌的示例都涉及使用ClientId和ClientSecret来请求已知资源的令牌

这很好…但我希望能够使用集成安全性来获取访问密钥库的访问令牌

例如，我有

const string VaultResource = "https://vault.azure.net";
var context = new AuthenticationContext(myTenantAuthority, false);

// using integrated auth
var token1 = await context.AcquireTokenAsync(VaultResource, nativeAppClientId, new UserCredential());

// OR interactive
var token2 = context.AcquireToken(VaultResource, nativeAppClientId, new Uri("https://localhost"), 
     PromptBehavior.Auto, new UserIdentifier(UserPrincipal.Current.UserPrincipalName, UserIdentifierType.RequiredDisplayableId));

这两次尝试都失败了。第一个说

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException occurred
  ErrorCode=invalid_grant
  HResult=-2146233088
  Message=AADSTS65001: The user or administrator has not consented to use the application with ID '306d0ff4-0f32-4c38-bdb9-4ea500000000'. Send an interactive authorization request for this user and resource.
Trace ID: 2ca2fb3f-3931-4868-b176-700f29158a3a
Correlation ID: 39875bc5-cb1c-4a62-925d-7448d8716f30
Timestamp: 2016-02-23 08:51:45Z
  Source=Microsoft.IdentityModel.Clients.ActiveDirectory
  StatusCode=400
  StackTrace:
       at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpHelper.<SendPostRequestAndDeserializeJsonResponseAsync>d__0`1.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.<SendHttpMessageAsync>d__15.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

如何更新requiredResourceAccessList

更新：以下是应用程序的配置方式

您可能需要设置委派权限。看看这里

也可以考虑使用证书进行身份验证。请参见

问题在于我无法将密钥库添加为应用程序可能您只需要授予“Windows Azure Active Directory”的权限？您可能对此感兴趣：

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException occurred
  ErrorCode=access_denied
  HResult=-2146233088
  Message=AADSTS65005: The client application has requested access to resource 'https://vault.azure.net'. This request has failed because the client has not specified this resource in its requiredResourceAccess list.
Trace ID: 5652658c-54bf-4880-bcc8-dea822a4b10b
Correlation ID: 1f97c7c0-858f-4542-9936-4a5114a93cc0
Timestamp: 2016-02-23 08:36:17Z
  Source=Microsoft.IdentityModel.Clients.ActiveDirectory
  StatusCode=0
  StackTrace:
       at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask[T](Task`1 task)