Question
To automate maintenance of an Azure Digital Twins instance, we require service-to-service API access so that we can use Azure middle-tier options to run as daemon apps (e.g. Logic App or Function).
However, the Azure Digital Twins 'preview' API (resource id: 0b07f429-9f4b-4714-9392-cc5e8e80c8b0) does not support Application Permissions when registering the application in Azure Active Directory (only Delegated Permissions). However, the related Microsoft Graph API (resource id: 00000003-0000-0000-c000-000000000000) supports both permission types.
Is there any way currently to authenticate for access to the Azure Digital Twins API without the need for a signed-in AAD account (i.e. using 'client_credentials' grant type)?
Answer 1:
To use client credential flow, you need the Application permission. If there is just Delegated Permission defined in the API, you could just access the API with a signed-in user account, e.g. authorization code flow.
In your case, the option is On-Behalf-Of flow.
- The user authenticates with the middle-tier application with authorization code flow or another login flow
- An OAuth 2.0 On-Behalf-Of token is acquired during authentication
- The acquired token is then used to authenticate with or call APIs that are further downstream using the On-Behalf-Of flow
For more details, check this doc - Call Digital Twins from a middle-tier web API.
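The On-Behalf-Of exchange the answer describes, as an added example that is not part of the original answer or of any Microsoft sample: the middle tier checks that the inbound user token was actually issued to it and is unexpired, then builds the Azure AD v2 token request that trades it for a downstream token. Tenant and client ids are placeholders, the downstream scope is assumed to be the Digital Twins resource id from the question followed by `/.default`, and signature verification of the user token is deliberately out of scope here.

```python
import base64
import json
import time

# Resource id of the Azure Digital Twins preview API quoted in the question.
ADT_RESOURCE_ID = "0b07f429-9f4b-4714-9392-cc5e8e80c8b0"
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT. The signature is NOT verified here;
    a real middle tier must validate it against the tenant's signing keys
    before trusting anything in the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def check_user_assertion(token: str, middle_tier_client_id: str, now=None) -> dict:
    """Only forward tokens that were issued to this middle tier and are unexpired."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    if claims.get("aud") != middle_tier_client_id:
        raise ValueError("token audience is not this middle-tier app")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def build_obo_request(tenant_id, client_id, client_secret, user_assertion, now=None):
    """URL and form body for the Azure AD v2 On-Behalf-Of token exchange."""
    check_user_assertion(user_assertion, client_id, now)
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": OBO_GRANT,           # JWT bearer assertion grant
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,       # the user's inbound access token
        "scope": f"{ADT_RESOURCE_ID}/.default",  # assumed downstream scope
        "requested_token_use": "on_behalf_of",
    }
    return url, body


def make_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```

The returned body is what gets POSTed as form data to the token endpoint; the access token in the response is then presented as a bearer token to the Digital Twins API.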
Source: https://stackoverflow.com/questions/60311384/is-it-possible-to-configure-azure-digital-twins-api-access-for-a-daemon-app