「ASP.NET Core Blazor WebAssembly でホストされるアプリを Azure Active Directory でセキュリティ保護する」のアプリ登録をコマンドで。

docs.microsoft.com

サーバー API アプリの登録。

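# --- Server API app registration --------------------------------------------
# Registers the Blazor server API application, replaces its default scope with
# a single admin-consent-only "API.Access" scope and sets the application ID
# URI to api://<appId>. Needs a signed-in `az` session that is allowed to
# create and update app registrations.
# NOTE(review): the property names used below (`oauth2Permissions`) are the
# AAD Graph shape; az CLI 2.37+ returns Microsoft Graph objects
# (`api.oauth2PermissionScopes`) — confirm against the installed CLI version.

# az is a native command, so PowerShell does not stop when it fails. Every
# later step builds on the previous one, so check $LASTEXITCODE explicitly
# instead of continuing with a half-configured registration.
function Assert-AzSucceeded([string]$Step) {
    if ($LASTEXITCODE -ne 0) {
        throw "az failed while $Step (exit code $LASTEXITCODE)"
    }
}

# Create Application Object
$app = az ad app create --display-name "Blazor Server AAD"
Assert-AzSucceeded "creating the server app registration"

# Get Application ID
$appId = ($app | ConvertFrom-Json).appId
if (-not $appId) { throw "az ad app create returned no appId" }

# Create Service Principal
az ad sp create --id $appId
Assert-AzSucceeded "creating the server service principal"

# Remove the default scope. AAD refuses to delete a scope that is still
# enabled, so every existing scope is disabled first (through a JSON file,
# because `--set` takes the whole array) and the array is cleared only after
# that succeeded. The temp file is removed in `finally` so a failing update
# does not leave it behind in the working directory.
$oauth2Permissions = @(($app | ConvertFrom-Json).oauth2Permissions)
if ($oauth2Permissions.Count -gt 0) {
    foreach ($scope in $oauth2Permissions) { $scope.isEnabled = $false }
    $oauth2Permissions = ConvertTo-Json -InputObject @($oauth2Permissions)
    try {
        $oauth2Permissions | Out-File -FilePath .\oauth2Permissions.json
        # The backtick stops PowerShell from reading `@oauth2Permissions` as splatting.
        az ad app update --id $appId --set oauth2Permissions=`@oauth2Permissions.json
        Assert-AzSucceeded "disabling the default scope"
    }
    finally {
        # The file may not exist if Out-File itself failed.
        Remove-Item -Path .\oauth2Permissions.json -ErrorAction SilentlyContinue
    }
}
az ad app update --id $appId --set oauth2Permissions="[]"
Assert-AzSucceeded "clearing the default scope"

# Add the application ID URI; access tokens for this API carry it as audience.
az ad app update --id $appId --identifier-uris "api://$appId"
Assert-AzSucceeded "setting the identifier URI"

# Add the API scope. `type = "Admin"` means only an administrator can consent
# to it, which is why the user-consent strings are intentionally empty.
$oauth2Permissions = @{
    adminConsentDescription = "Allows the app to access server app API"
    adminConsentDisplayName = "Access API"
    id = (New-Guid).Guid
    isEnabled = $true
    type = "Admin"
    userConsentDescription = ""
    userConsentDisplayName = ""
    value = "API.Access"
}
$oauth2Permissions = ConvertTo-Json -InputObject @($oauth2Permissions)
try {
    $oauth2Permissions | Out-File -FilePath .\oauth2Permissions.json
    az ad app update --id $appId --set oauth2Permissions=`@oauth2Permissions.json
    Assert-AzSucceeded "adding the API.Access scope"
}
finally {
    Remove-Item -Path .\oauth2Permissions.json -ErrorAction SilentlyContinue
}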

クライアントアプリの登録。

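# --- Client (Blazor WebAssembly) app registration ---------------------------
# Registers the Blazor client application as a single-page app: the default
# scope is removed, the SPA redirect URI is set, implicit grant is disabled,
# and delegated permissions on Microsoft Graph (User.Read) and on the server
# API (API.Access) are added. Needs a signed-in `az` session that may update
# app registrations through Microsoft Graph.
# NOTE(review): the property names used below (`objectId`,
# `oauth2Permissions`) are the AAD Graph shape; az CLI 2.37+ returns Microsoft
# Graph objects (`id`, `api.oauth2PermissionScopes`) — confirm against the
# installed CLI version.

# az is a native command, so PowerShell does not stop when it fails. Every
# later step builds on the previous one, so check $LASTEXITCODE explicitly
# instead of continuing with a half-configured registration.
function Assert-AzSucceeded([string]$Step) {
    if ($LASTEXITCODE -ne 0) {
        throw "az failed while $Step (exit code $LASTEXITCODE)"
    }
}

# Service principals are looked up by display name, which is not unique within
# a tenant. Refuse to continue unless exactly one match comes back, so the
# permission is never attached to a same-named but unrelated application.
function Get-SingleServicePrincipal([string]$DisplayName) {
    $found = @(az ad sp list --filter "displayname eq '$DisplayName'" | ConvertFrom-Json)
    Assert-AzSucceeded "listing service principals named '$DisplayName'"
    if ($found.Count -ne 1) {
        throw "Expected exactly one service principal named '$DisplayName', found $($found.Count)"
    }
    return $found[0]
}

# Create Application Object
$app = az ad app create --display-name "Blazor Client AAD"
Assert-AzSucceeded "creating the client app registration"

# Get Application ID & Object ID
$appId = ($app | ConvertFrom-Json).appId
$objectId = ($app | ConvertFrom-Json).objectId
if (-not $appId -or -not $objectId) { throw "az ad app create returned no appId/objectId" }

# Create Service Principal
az ad sp create --id $appId
Assert-AzSucceeded "creating the client service principal"

# Remove the default scope. AAD refuses to delete a scope that is still
# enabled, so every existing scope is disabled first (through a JSON file,
# because `--set` takes the whole array) and the array is cleared only after
# that succeeded. The temp file is removed in `finally` so a failing update
# does not leave it behind in the working directory.
$oauth2Permissions = @(($app | ConvertFrom-Json).oauth2Permissions)
if ($oauth2Permissions.Count -gt 0) {
    foreach ($scope in $oauth2Permissions) { $scope.isEnabled = $false }
    $oauth2Permissions = ConvertTo-Json -InputObject @($oauth2Permissions)
    try {
        $oauth2Permissions | Out-File -FilePath .\oauth2Permissions.json
        # The backtick stops PowerShell from reading `@oauth2Permissions` as splatting.
        az ad app update --id $appId --set oauth2Permissions=`@oauth2Permissions.json
        Assert-AzSucceeded "disabling the default scope"
    }
    finally {
        # The file may not exist if Out-File itself failed.
        Remove-Item -Path .\oauth2Permissions.json -ErrorAction SilentlyContinue
    }
}
az ad app update --id $appId --set oauth2Permissions="[]"
Assert-AzSucceeded "clearing the default scope"

# Get a Microsoft Graph access token for the signed-in az identity. It is
# only held in this session's variables; do not write it to disk or logs.
$response = az account get-access-token --resource-type ms-graph | ConvertFrom-Json
Assert-AzSucceeded "acquiring a Microsoft Graph token"
$accessToken = $response.accessToken
if (-not $accessToken) { throw "az account get-access-token returned no access token" }
$headers = @{"Authorization" = "Bearer $accessToken"; "Content-Type" = "application/json" }

# Set the SPA redirect URI. This is the local development URI only; a
# production registration must list its exact HTTPS callback URIs as well
# (no wildcards), since AAD only redirects tokens to URIs registered here.
# -Depth keeps nested objects from being flattened to strings by ConvertTo-Json.
$body = @{
    spa = @{
        redirectUris = @(
            "https://localhost:5001/authentication/login-callback"
        )
    }
} | ConvertTo-Json -Depth 5
Invoke-RestMethod -Method Patch -Uri "https://graph.microsoft.com/v1.0/applications/$objectId" -Headers $headers -Body $body

# Disable implicit grant: the SPA uses the authorization code flow (PKCE), so
# no access or ID tokens should be issued from the authorize endpoint.
$body = @{
    web = @{
        implicitGrantSettings = @{
            enableAccessTokenIssuance = $false
            enableIdTokenIssuance     = $false
        }
    }
} | ConvertTo-Json -Depth 5
Invoke-RestMethod -Method Patch -Uri "https://graph.microsoft.com/v1.0/applications/$objectId" -Headers $headers -Body $body

# Add the delegated Microsoft Graph permission User.Read (sign-in profile).
$apiName = "Microsoft Graph"
$permissionType = "Scope"
$permissionName = "User.Read"
$apiServicePrincipal = Get-SingleServicePrincipal $apiName
$apiPermission = $apiServicePrincipal.oauth2Permissions | Where-Object { $_.value -eq $permissionName }
if (-not $apiPermission) { throw "Scope '$permissionName' not found on '$apiName'" }
az ad app permission add --id $appId --api $apiServicePrincipal.appId --api-permissions "$($apiPermission.id)=$permissionType"
Assert-AzSucceeded "adding $permissionName on $apiName"

# Add the delegated server API permission API.Access (created by the server
# registration script; it must have run first).
$apiName = "Blazor Server AAD"
$permissionType = "Scope"
$permissionName = "API.Access"
$apiServicePrincipal = Get-SingleServicePrincipal $apiName
$apiPermission = $apiServicePrincipal.oauth2Permissions | Where-Object { $_.value -eq $permissionName }
if (-not $apiPermission) { throw "Scope '$permissionName' not found on '$apiName'" }
az ad app permission add --id $appId --api $apiServicePrincipal.appId --api-permissions "$($apiPermission.id)=$permissionType"
Assert-AzSucceeded "adding $permissionName on $apiName"

# Create the OAuth2 permission grant (consent) for the server API scope.
# Only the API looked up last ("Blazor Server AAD") is covered here; the Graph
# User.Read permission gets no grant, so users are prompted for it at first
# sign-in unless an admin consents separately (for example with
# `az ad app permission admin-consent --id $appId`) — confirm which is intended.
az ad app permission grant --id $appId --api $apiServicePrincipal.appId --scope $permissionName
Assert-AzSucceeded "granting $permissionName on $apiName"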