A web API that calls web APIs: Code configuration

After you've registered your web API, you can configure the code for the application.

The code that you use to configure your web API so that it calls downstream web APIs builds on top of the code that's used to protect a web API. For more information, see Protected web API: App configuration.

Client secrets or client certificates

Given that your web API now calls a downstream web API, you need to provide a client secret or client certificate in the appsettings.json file.

{
  "AzureAd": {
    "Instance": "https://login.partner.microsoftonline.cn/",
    "ClientId": "[Client_id-of-web-api-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
    "TenantId": "common",

    // To call an API
    "ClientSecret": "[Copy the client secret added to the app from the Azure portal]",
    "ClientCertificates": []
  }
}

Instead of a client secret, you can provide a client certificate. The following code snippet shows using a certificate stored in Azure Key Vault.

{
  "AzureAd": {
    "Instance": "https://login.partner.microsoftonline.cn/",
    "ClientId": "[Client_id-of-web-api-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
    "TenantId": "common",

    // To call an API
    "ClientCertificates": [
      {
        "SourceType": "KeyVault",
        "KeyVaultUrl": "https://msidentitywebsamples.vault.azure.cn",
        "KeyVaultCertificateName": "MicrosoftIdentitySamplesCert"
      }
    ]
  }
}

Microsoft.Identity.Web provides several ways to describe certificates, either by configuration or by code. For details, see Microsoft.Identity.Web wiki - Using certificates on GitHub.

Startup.cs

Using Microsoft.Identity.Web, if you want your web API to call downstream web APIs, add the .EnableTokenAcquisitionToCallDownstreamApi() line after .AddMicrosoftIdentityWebApi(Configuration), and then choose a token cache implementation, for example .AddInMemoryTokenCaches(), in Startup.cs:

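using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public class Startup
{
  // ...
  public void ConfigureServices(IServiceCollection services)
  {
    // ...
    // Validate incoming bearer tokens, enable token acquisition for downstream
    // calls, and keep acquired tokens in an in-memory cache.
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApi(Configuration, "AzureAd")
                .EnableTokenAcquisitionToCallDownstreamApi()
                .AddInMemoryTokenCaches();
    // ...
  }
  // ...
}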

As with web apps, you can choose various token cache implementations. For details, see Microsoft identity web wiki - Token cache serialization on GitHub.

You can also see an example of OBO flow implementation in Node.js and Azure Functions.
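
How a controller can consume the token acquisition that .EnableTokenAcquisitionToCallDownstreamApi() registers in Startup.cs, as an added example that is not part of the original page or of the Microsoft.Identity.Web samples. The controller name, scope and downstream URL are hypothetical placeholders, and the code assumes services.AddHttpClient() is also called in ConfigureServices.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;

[Authorize]
[ApiController]
[Route("api/[controller]")]
public class DownstreamProfileController : ControllerBase
{
    // Hypothetical values: replace with the downstream API's real scope and URL.
    private static readonly string[] Scopes = { "api://<downstream-api-client-id>/access_as_user" };
    private const string DownstreamUrl = "https://downstream.example/api/profile";

    private readonly ITokenAcquisition _tokenAcquisition;
    private readonly IHttpClientFactory _httpClientFactory;

    public DownstreamProfileController(ITokenAcquisition tokenAcquisition,
                                       IHttpClientFactory httpClientFactory)
        => (_tokenAcquisition, _httpClientFactory) = (tokenAcquisition, httpClientFactory);

    [HttpGet]
    public async Task<IActionResult> Get()
    {
        string accessToken;
        try
        {
            // OBO exchange of the caller's bearer token; uses the configured token cache.
            accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(Scopes);
        }
        catch (MicrosoftIdentityWebChallengeUserException ex)
        {
            // Consent or MFA is required. A web API cannot prompt the user, so it
            // answers 403 with a WWW-Authenticate header the client can act on.
            await _tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeaderAsync(
                Scopes, ex.MsalUiRequiredException);
            return new EmptyResult();
        }

        using var request = new HttpRequestMessage(HttpMethod.Get, DownstreamUrl);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var response = await _httpClientFactory.CreateClient().SendAsync(request);

        // Relay only status and body; the downstream token never leaves this API.
        var body = await response.Content.ReadAsStringAsync();
        return StatusCode((int)response.StatusCode, body);
    }
}
```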

Protocol

For more information about the OBO protocol, see Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow.

Next steps