Partner Center authentication

Applies to:

  • Partner Center
  • Partner Center operated by 21Vianet
  • Partner Center for Microsoft Cloud Germany
  • Partner Center for Microsoft Cloud for US Government

Partner Center uses Azure Active Directory for authentication. When interacting with the Partner Center API, SDK, or PowerShell module, you must correctly configure an Azure AD application and then request an access token. Access tokens obtained using app-only or app + user authentication can be used with Partner Center. However, there are two important items that need to be considered:

  • Use multi-factor authentication when accessing the Partner Center API using app + user authentication. For more information regarding this change, see Enable secure application model.

  • Not all of the operations in the Partner Center API support app-only authentication. There are certain scenarios where you'll be required to use app + user authentication. Under the Prerequisites heading of each scenario article, you'll find documentation that states whether app-only authentication, app + user authentication, or both are supported.

Initial setup

  1. To begin, you need to make sure that you have both a primary Partner Center account and an integration sandbox Partner Center account. For more information, see Set up Partner Center accounts for API access. Make note of the Azure AD app registration ID and secret (a client secret is required for app-only authentication) for both your primary account and your integration sandbox account.

  2. Sign in to Azure AD from the Azure portal. Under Permissions to other applications, set the permissions for Windows Azure Active Directory to Delegated Permissions, and select both Access the directory as the signed-in user and Sign in and read user profile.

  3. In the Azure portal, select Add application. Search for "Microsoft Partner Center", which is the Microsoft Partner Center application. Set the Delegated Permissions to Access Partner Center API. If you are using Partner Center for Microsoft Cloud Germany or Partner Center for Microsoft Cloud for US Government, this step is mandatory. If you are using the Partner Center global instance, this step is optional: CSP partners can use the App Management feature in the Partner Center portal to bypass this step for the global instance.

App-only authentication

If you would like to use app-only authentication to access the Partner Center REST API, .NET API, Java API, or PowerShell module, you can do so by following the instructions below.

.NET (app-only authentication)

public static IAggregatePartner GetPartnerCenterTokenUsingAppCredentials()
{
    IPartnerCredentials partnerCredentials =
        PartnerCredentials.Instance.GenerateByApplicationCredentials(
            PartnerApplicationConfiguration.ApplicationId,
            PartnerApplicationConfiguration.ApplicationSecret,
            PartnerApplicationConfiguration.ApplicationDomain);

    // Create operations instance with partnerCredentials.
    return PartnerService.Instance.CreatePartnerOperations(partnerCredentials);
}

Java (app-only authentication)

The Partner Center Java SDK is commonly used by partners to manage their Partner Center resources. It's an open-source project maintained by the partner community. Since this module is maintained by the partner community, it isn't officially supported by Microsoft. You can get help from the community or open an issue on GitHub if you experience a problem.

public IAggregatePartner getAppPartnerOperations()
{
    IPartnerCredentials appCredentials =
        PartnerCredentials.getInstance().generateByApplicationCredentials(
        PartnerApplicationConfiguration.getApplicationId(),
        PartnerApplicationConfiguration.getApplicationSecret(),
        PartnerApplicationConfiguration.getApplicationDomain());

    return PartnerService.getInstance().createPartnerOperations(appCredentials);
}

REST (app-only authentication)

REST request

POST https://login.microsoftonline.com/{tenantId}/oauth2/token HTTP/1.1
Accept: application/json
return-client-request-id: true
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: login.microsoftonline.com
Content-Length: 194
Expect: 100-continue

resource=https%3A%2F%2Fgraph.windows.net&client_id={client-id-here}&client_secret={client-secret-here}&grant_type=client_credentials

REST response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Content-Length: 1406

{"token_type":"Bearer","expires_in":"3600","ext_expires_in":"3600","expires_on":"1546469802","not_before":"1546465902","resource":"https://graph.windows.net","access_token":"value-has-been-removed"}
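The request and response above are easy to get subtly wrong in client code: the form body must be URL-encoded exactly as shown, the v1 endpoint returns its timestamps as strings, and an error body looks like JSON too. The following is an added example (not code from the Partner Center documentation or SDKs) that builds the client_credentials body, parses the documented response shape, and decides whether a cached token is still safe to use. It runs offline: the embedded SAMPLE_RESPONSE is the response body shown on the page, and the HTTP POST itself is left to the caller.

```python
import json
from typing import Tuple
from urllib.parse import urlencode

# Resource and endpoint values taken from the request above.
AAD_GRAPH_RESOURCE = "https://graph.windows.net"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/token"


def build_token_request(tenant_id: str, client_id: str, client_secret: str,
                        resource: str = AAD_GRAPH_RESOURCE) -> Tuple[str, str]:
    """Return (url, form body) for the client_credentials grant.

    urlencode produces the same escaping as the page's body
    (resource=https%3A%2F%2Fgraph.windows.net&...). The secret should come
    from a secret store or certificate-based auth, never a config file.
    """
    if not (tenant_id and client_id and client_secret):
        raise ValueError("tenant_id, client_id and client_secret are all required")
    body = urlencode({
        "resource": resource,
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    return TOKEN_ENDPOINT.format(tenant_id=tenant_id), body


def parse_token_response(raw: str) -> dict:
    """Parse the JSON body of a successful token response.

    Azure AD v1 returns the numeric fields (expires_on, not_before) as
    strings, so they are converted here; an error body has no access_token
    and is rejected rather than silently treated as a token.
    """
    data = json.loads(raw)
    if data.get("token_type") != "Bearer" or "access_token" not in data:
        raise ValueError("not a bearer token response: %s"
                         % data.get("error_description", data))
    return {
        "access_token": data["access_token"],
        "resource": data["resource"],
        "not_before": int(data["not_before"]),
        "expires_on": int(data["expires_on"]),
    }


def token_is_usable(token: dict, now: int, skew: int = 300) -> bool:
    """True while `now` lies inside the validity window minus a safety margin.

    Treating the token as expired `skew` seconds early avoids a 401 partway
    through a long-running Partner Center call.
    """
    return token["not_before"] <= now < token["expires_on"] - skew


# Constructed sample: the response body shown on the page, token value removed.
SAMPLE_RESPONSE = (
    '{"token_type":"Bearer","expires_in":"3600","ext_expires_in":"3600",'
    '"expires_on":"1546469802","not_before":"1546465902",'
    '"resource":"https://graph.windows.net","access_token":"value-has-been-removed"}'
)

if __name__ == "__main__":
    url, body = build_token_request("contoso.onmicrosoft.com", "client-id-here", "client-secret-here")
    print(url)
    print(body)
    tok = parse_token_response(SAMPLE_RESPONSE)
    print("usable shortly after issue:", token_is_usable(tok, tok["not_before"] + 60))
    print("usable 2 minutes before expiry:", token_is_usable(tok, tok["expires_on"] - 120))
```

The 300-second skew is a design choice, not a protocol value: Azure AD accepts the token right up to expires_on, but refreshing early keeps a multi-call Partner Center operation from failing halfway through.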

App + user authentication

Historically, the resource owner password credentials grant has been used to request an access token for use with the Partner Center REST API, .NET API, Java API, or PowerShell module. That method requested an access token from Azure Active Directory using a client identifier and the user's credentials. However, this approach will no longer work because Partner Center requires multi-factor authentication when using app + user authentication. To comply with this requirement, Microsoft has introduced a secure, scalable framework for authenticating Cloud Solution Provider (CSP) partners and control panel vendors (CPVs) using multi-factor authentication. This framework is known as the Secure Application Model, and it is composed of a consent process and a request for an access token using a refresh token.

The partner consent process is an interactive process in which the partner authenticates using multi-factor authentication and consents to the application, and a refresh token is stored in a secure repository such as Azure Key Vault. We recommend that a dedicated account for integration purposes be used for this process.

Important

The appropriate multi-factor authentication solution should be enabled for the service account used in the partner consent process. If it isn't, the resulting refresh token will not be compliant with security requirements.

Samples for app + user authentication

The partner consent process can be performed in a number of ways. To help partners understand how to perform each required operation, we have developed the following samples. When you implement the appropriate solution in your environment, it is important that you develop a solution that is compliant with your coding standards and security policies.

.NET (app + user authentication)

The partner consent sample project demonstrates how to utilize a website developed using ASP.NET to capture consent, request a refresh token, and securely store it in Azure Key Vault. Perform the following steps to create the required prerequisites for this sample.

  1. Create an instance of Azure Key Vault using the Azure portal or the following PowerShell commands. Before executing the commands, be sure to modify the parameter values accordingly. The vault name must be unique.

    Login-AzureRmAccount
    
    # Create a new resource group
    New-AzureRmResourceGroup -Name ContosoResourceGroup -Location EastUS
    
    New-AzureRmKeyVault -Name 'Contoso-Vault' -ResourceGroupName 'ContosoResourceGroup' -Location 'East US'
    

    For more information about creating an Azure Key Vault, see Quickstart: Set and retrieve a secret from Azure Key Vault using the Azure portal or Quickstart: Set and retrieve a secret from Azure Key Vault using PowerShell. Then set and retrieve a secret.

  2. Create an Azure AD application and a key using the Azure portal or the following commands.

    Connect-AzureAD
    
    $SessionInfo = Get-AzureADCurrentSessionInfo
    
    # Double quotes are required so that the tenant domain and the GUID are expanded.
    $app = New-AzureADApplication -DisplayName 'My Vault Access App' -IdentifierUris "https://$($SessionInfo.TenantDomain)/$((New-Guid).ToString())"
    $password = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId
    
    Write-Host "ApplicationId       = $($app.AppId)"
    Write-Host "ApplicationSecret   = $($password.Value)"
    

    Be sure to make note of the application identifier and secret values because they'll be used in the steps below.

  3. Grant the newly created Azure AD application the read secrets permission using the Azure portal or the following commands.

    $app = Get-AzureADApplication -Filter "AppId eq 'ENTER-APP-ID-HERE'"
    # Key Vault access policies bind to a service principal, not to the app registration object.
    $sp = New-AzureADServicePrincipal -AppId $app.AppId
    
    Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso-Vault' -ObjectId $sp.ObjectId -PermissionsToSecrets get
    
  4. Create an Azure AD application that is configured for Partner Center. Perform the following actions to complete this step.

    • Browse to the App management feature of the Partner Center dashboard.
    • Click Add new web app to create a new Azure AD application.

    Be sure to document the App ID, Account ID, and Key values because they'll be used in the steps below.

  5. Clone the Partner-Center-DotNet-Samples repository using Visual Studio or the following command.

    git clone https://github.com/Microsoft/Partner-Center-DotNet-Samples.git
    
  6. Open the PartnerConsent project found in the Partner-Center-DotNet-Samples\secure-app-model\keyvault directory.

  7. Populate the application settings found in web.config.

    <!-- AppID that represents CSP application -->
    <add key="ida:CSPApplicationId" value="" />
    <!--
        Please use certificate as your client secret and deploy the certificate to your environment.
        The following application secret is for sample application only. please do not use secret directly from the config file.
    -->
    <add key="ida:CSPApplicationSecret" value="" />
    
    <!--
        Endpoint address for the instance of Azure KeyVault. This is
        the DNS Name for the instance of Key Vault that you provisioned.
     -->
    <add key="KeyVaultEndpoint" value="" />
    
    <!-- App ID that is given access for KeyVault to store refresh tokens -->
    <add key="ida:KeyVaultClientId" value="" />
    
    <!--
        Please use certificate as your client secret and deploy the certificate
        to your environment. The following application secret is for sample
        application only. please do not use secret directly from the config file.
    -->
    <add key="ida:KeyVaultClientSecret" value="" />
    

    Important

    Sensitive information such as application secrets should not be stored in configuration files. It was done here because this is a sample application. For your production application, we strongly recommend that you use certificate-based authentication. For more information, see Certificate credentials for application authentication.

  8. When you run this sample project, it will prompt you for authentication. After successfully authenticating, an access token is requested from Azure AD. The information returned from Azure AD includes a refresh token, which is stored in the configured instance of Azure Key Vault.

Java (app + user authentication)

The partner consent sample project demonstrates how to utilize a website developed using JSP to capture consent, request a refresh token, and securely store it in Azure Key Vault. Perform the following steps to create the required prerequisites for this sample.

  1. Create an instance of Azure Key Vault using the Azure portal or the following PowerShell commands. Before executing the commands, be sure to modify the parameter values accordingly. The vault name must be unique.

    Login-AzureRmAccount
    
    # Create a new resource group
    New-AzureRmResourceGroup -Name ContosoResourceGroup -Location EastUS
    
    New-AzureRmKeyVault -Name 'Contoso-Vault' -ResourceGroupName 'ContosoResourceGroup' -Location 'East US'
    

    For more information about creating an Azure Key Vault, see Quickstart: Set and retrieve a secret from Azure Key Vault using the Azure portal or Quickstart: Set and retrieve a secret from Azure Key Vault using PowerShell.

  2. Create an Azure AD application and a key using the Azure portal or the following commands.

    Connect-AzureAD
    
    $SessionInfo = Get-AzureADCurrentSessionInfo
    
    # Double quotes are required so that the tenant domain and the GUID are expanded.
    $app = New-AzureADApplication -DisplayName 'My Vault Access App' -IdentifierUris "https://$($SessionInfo.TenantDomain)/$((New-Guid).ToString())"
    $password = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId
    
    Write-Host "ApplicationId       = $($app.AppId)"
    Write-Host "ApplicationSecret   = $($password.Value)"
    

    Be sure to document the application identifier and secret values because they'll be used in the steps below.

  3. Grant the newly created Azure AD application the read secrets permission using the Azure portal or the following commands.

    $app = Get-AzureADApplication -Filter "AppId eq 'ENTER-APP-ID-HERE'"
    # Key Vault access policies bind to a service principal, not to the app registration object.
    $sp = New-AzureADServicePrincipal -AppId $app.AppId
    
    Set-AzureRmKeyVaultAccessPolicy -VaultName 'Contoso-Vault' -ObjectId $sp.ObjectId -PermissionsToSecrets get
    
  4. Create an Azure AD application that is configured for Partner Center. Perform the following to complete this step.

    • Browse to the App management feature of the Partner Center dashboard.
    • Click Add new web app to create a new Azure AD application.

    Be sure to document the App ID, Account ID, and Key values because they'll be used in the steps below.

  5. Clone the Partner-Center-Java-Samples repository using the following command.

    git clone https://github.com/Microsoft/Partner-Center-Java-Samples.git
    
  6. Open the PartnerConsent project found in the Partner-Center-Java-Samples\secure-app-model\keyvault directory.

  7. Populate the application settings found in the web.xml file.

    <filter>
        <filter-name>AuthenticationFilter</filter-name>
        <filter-class>com.microsoft.store.samples.partnerconsent.security.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>client_id</param-name>
            <param-value></param-value>
        </init-param>
        <init-param>
            <param-name>client_secret</param-name>
            <param-value></param-value>
        </init-param>
        <init-param>
            <param-name>keyvault_base_url</param-name>
            <param-value></param-value>
        </init-param>
        <init-param>
            <param-name>keyvault_client_id</param-name>
            <param-value></param-value>
        </init-param>
        <init-param>
            <param-name>keyvault_client_secret</param-name>
            <param-value></param-value>
        </init-param>
        <init-param>
            <param-name>keyvault_certifcate_path</param-name>
            <param-value></param-value>
        </init-param>
    </filter>
    

    Important

    Sensitive information such as application secrets should not be stored in configuration files. It was done here because this is a sample application. For your production application, we strongly recommend that you use certificate-based authentication. For more information, see Key Vault certificate authentication.

  8. When you run this sample project, it will prompt you for authentication. After successfully authenticating, an access token is requested from Azure AD. The information returned from Azure AD includes a refresh token, which is stored in the configured instance of Azure Key Vault.
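Both Important notes above say the same thing: a secret typed into web.config or web.xml "just to test" tends to get committed. A cheap control is a check that fails the build whenever a secret-bearing key carries a literal value. The following is an added example (not part of the Partner Center samples) that scans the three configuration shapes these samples use: ASP.NET appSettings <add> elements, a Java web.xml <init-param> block, and key=value .properties files such as the application.properties used by the CSP and CPV samples. The inputs are constructed here, each with one secret pasted in; the placeholder GUIDs are not real identifiers.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Substrings that mark a key as secret-bearing; matched case-insensitively.
SECRET_MARKERS = ("secret", "password")


def is_secret_key(name: str) -> bool:
    lowered = name.lower()
    return any(marker in lowered for marker in SECRET_MARKERS)


def scan_appsettings(xml_text: str) -> List[Tuple[str, str]]:
    """ASP.NET style: every <add key="..." value="..."/> whose key is a
    secret and whose value is non-empty."""
    findings = []
    for add in ET.fromstring(xml_text).iter("add"):
        key, value = add.get("key", ""), add.get("value", "")
        if is_secret_key(key) and value.strip():
            findings.append((key, value))
    return findings


def scan_web_xml(xml_text: str) -> List[Tuple[str, str]]:
    """Java web.xml style: <init-param> blocks with param-name / param-value."""
    findings = []
    for param in ET.fromstring(xml_text).iter("init-param"):
        name = param.findtext("param-name", default="")
        value = param.findtext("param-value", default="")
        if is_secret_key(name) and value.strip():
            findings.append((name, value))
    return findings


def scan_properties(text: str) -> List[Tuple[str, str]]:
    """Java .properties style (key=value per line); comment lines start with # or !."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if is_secret_key(key) and value:
            findings.append((key, value))
    return findings


# Constructed samples: the sample configs from the steps above with one
# secret pasted into each, as happens when a developer "just tests locally".
SAMPLE_WEB_CONFIG = """<appSettings>
  <!-- AppID that represents CSP application -->
  <add key="ida:CSPApplicationId" value="00000000-0000-0000-0000-000000000000" />
  <add key="ida:CSPApplicationSecret" value="pasted-secret-do-not-commit" />
  <add key="KeyVaultEndpoint" value="https://contoso-vault.vault.azure.net/" />
  <add key="ida:KeyVaultClientId" value="" />
  <add key="ida:KeyVaultClientSecret" value="" />
</appSettings>"""

SAMPLE_WEB_XML = """<filter>
  <filter-name>AuthenticationFilter</filter-name>
  <init-param><param-name>client_id</param-name><param-value>00000000-0000-0000-0000-000000000000</param-value></init-param>
  <init-param><param-name>client_secret</param-name><param-value></param-value></init-param>
  <init-param><param-name>keyvault_client_secret</param-name><param-value>pasted-secret</param-value></init-param>
  <init-param><param-name>keyvault_certifcate_path</param-name><param-value>/etc/pki/kv.pfx</param-value></init-param>
</filter>"""

SAMPLE_PROPERTIES = """azuread.authority=https://login.microsoftonline.com
keyvault.baseurl=https://contoso-vault.vault.azure.net/
keyvault.clientSecret=
partnercenter.clientId=00000000-0000-0000-0000-000000000000
partnercenter.clientSecret=pasted-secret
"""


def check_all() -> int:
    """Run every scanner; return 1 (fail the build) if any secret is inline."""
    findings = (scan_appsettings(SAMPLE_WEB_CONFIG) + scan_web_xml(SAMPLE_WEB_XML)
                + scan_properties(SAMPLE_PROPERTIES))
    for key, _value in findings:  # never echo the secret itself into build logs
        print(f"secret committed in config: {key}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(check_all())
```

A certificate path (keyvault_certifcate_path above) is deliberately not flagged: pointing at a certificate deployed to the host is the pattern the notes recommend, and the private key never appears in the config file.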

Cloud Solution Provider authentication

Cloud Solution Provider partners can use the refresh token obtained through the partner consent process.

Samples for Cloud Solution Provider authentication

To help partners understand how to perform each required operation, we have developed the following samples. When you implement the appropriate solution in your environment, it is important that you develop a solution that is compliant with your coding standards and security policies.

.NET (CSP authentication)

  1. If you have not already done so, perform the partner consent process.

  2. Clone the Partner-Center-DotNet-Samples repository using Visual Studio or the following command.

    git clone https://github.com/Microsoft/Partner-Center-DotNet-Samples.git
    
  3. Open the CSPApplication project found in the Partner-Center-DotNet-Samples\secure-app-model\keyvault directory.

  4. Update the application settings found in the App.config file.

    <!-- AppID that represents CSP application -->
    <add key="ida:CSPApplicationId" value="" />
    <!--
        Please use certificate as your client secret and deploy the certificate to your environment.
        The following application secret is for sample application only. please do not use secret directly from the config file.
    -->
    <add key="ida:CSPApplicationSecret" value="" />
    
    <!-- Endpoint address for the instance of Azure KeyVault -->
    <add key="KeyVaultEndpoint" value="" />
    
    <!-- AppID that is given access for keyvault to store the refresh tokens -->
    <add key="ida:KeyVaultClientId" value="" />
    
    <!--
        Please use certificate as your client secret and deploy the certificate to your environment.
        The following application secret is for sample application only. please do not use secret directly from the config file.
    -->
    <add key="ida:KeyVaultClientSecret" value="" />
    
  5. Set the appropriate values for the PartnerId and CustomerId variables found in the Program.cs file.

    // The following properties indicate which partner and customer context the calls are going to be made.
    string PartnerId = "<Partner tenant id>";
    string CustomerId = "<Customer tenant id>";
    
  6. When you run this sample project, it reads the refresh token obtained during the partner consent process. Then, it requests an access token to interact with the Partner Center SDK on the partner's behalf. Finally, it requests an access token to interact with Microsoft Graph on behalf of the specified customer.
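The two token requests described in step 6 (and in step 5 of the Java sample that follows) are both refresh_token grants against the v1 endpoint shown earlier; what differs is the tenant in the authority URL and the resource requested. The following is an added example, not code from the CSP samples, that shows that exchange with the failure mode a practitioner hits first: Azure AD answering invalid_grant because the stored refresh token has been revoked or expired, at which point the only remedy is to repeat the consent process. Assumptions: the SecretStore class stands in for Azure Key Vault, the secret name PartnerRefreshToken is hypothetical, the resource identifiers for Partner Center and Microsoft Graph are assumed rather than quoted from the page, and the HTTP call is injected so that the constructed fake_token_endpoint can answer offline.

```python
import json
from typing import Callable, Dict
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed resource identifiers (not quoted on the page): Partner Center's
# API and Microsoft Graph. The v1 token endpoint is the one shown above.
PARTNER_CENTER_RESOURCE = "https://api.partnercenter.microsoft.com"
GRAPH_RESOURCE = "https://graph.microsoft.com"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token"
REFRESH_TOKEN_SECRET = "PartnerRefreshToken"  # hypothetical Key Vault secret name


class SecretStore:
    """Stand-in for Azure Key Vault: holds the refresh token captured during
    the consent process. Only the refresh token is ever stored; the partner
    user's password is never seen by the application."""

    def __init__(self, secrets: Dict[str, str]):
        self._secrets = dict(secrets)

    def get(self, name: str) -> str:
        if name not in self._secrets:
            raise LookupError(f"{name!r} missing: run the partner consent process first")
        return self._secrets[name]

    def put(self, name: str, value: str) -> None:
        self._secrets[name] = value


def build_refresh_request(tenant: str, client_id: str, client_secret: str,
                          refresh_token: str, resource: str):
    """(url, body) for grant_type=refresh_token against one tenant's authority."""
    body = urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })
    return TOKEN_ENDPOINT.format(tenant=tenant), body


def acquire_tokens(store: SecretStore, client_id: str, client_secret: str,
                   partner_tenant: str, customer_tenant: str,
                   post: Callable[[str, str], str]) -> Dict[str, str]:
    """Redeem the stored refresh token for a Partner Center token in the
    partner tenant and a Graph token in the customer tenant.

    `post(url, body)` performs the HTTP POST and returns the response body.
    An error response (invalid_grant etc.) is raised, not retried: the
    refresh token must be re-issued through a fresh consent.
    """
    refresh = store.get(REFRESH_TOKEN_SECRET)
    tokens = {}
    for name, tenant, resource in (
        ("partner_center", partner_tenant, PARTNER_CENTER_RESOURCE),
        ("customer_graph", customer_tenant, GRAPH_RESOURCE),
    ):
        url, body = build_refresh_request(tenant, client_id, client_secret, refresh, resource)
        resp = json.loads(post(url, body))
        if "access_token" not in resp:
            raise RuntimeError(f"{name}: {resp.get('error')}: {resp.get('error_description')}")
        tokens[name] = resp["access_token"]
        # Azure AD may return a rotated refresh token; persist it, or the next
        # run will present a stale one.
        if resp.get("refresh_token") and resp["refresh_token"] != refresh:
            refresh = resp["refresh_token"]
            store.put(REFRESH_TOKEN_SECRET, refresh)
    return tokens


def fake_token_endpoint(url: str, body: str) -> str:
    """Constructed offline stand-in for login.microsoftonline.com: honours
    only the refresh tokens "rt-1" and "rt-2", rotates to "rt-2", and answers
    with a token naming the tenant and resource that were requested."""
    tenant = urlparse(url).path.split("/")[1]
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("refresh_token") not in ("rt-1", "rt-2"):
        return json.dumps({"error": "invalid_grant",
                           "error_description": "refresh token revoked or expired"})
    return json.dumps({"token_type": "Bearer",
                       "access_token": f"tok:{tenant}:{form['resource']}",
                       "refresh_token": "rt-2"})


if __name__ == "__main__":
    vault = SecretStore({REFRESH_TOKEN_SECRET: "rt-1"})
    got = acquire_tokens(vault, "csp-app-id", "csp-app-secret",
                         "partner-tenant-id", "customer-tenant-id", fake_token_endpoint)
    for k, v in got.items():
        print(k, "->", v)
    print("stored refresh token is now", vault.get(REFRESH_TOKEN_SECRET))
```

Note that the access tokens are returned to the caller and never written to the store: only the refresh token is long-lived, which is why it, and not the partner's credentials, is what the Secure Application Model protects.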

Java (CSP authentication)

  1. If you have not already done so, perform the partner consent process.

  2. Clone the Partner-Center-Java-Samples repository using Visual Studio or the following command.

    git clone https://github.com/Microsoft/Partner-Center-Java-Samples.git
    
  3. Open the cspsample project found in the Partner-Center-Java-Samples\secure-app-model\keyvault directory.

  4. Update the application settings found in the application.properties file.

    azuread.authority=https://login.microsoftonline.com
    keyvault.baseurl=
    keyvault.clientId=
    keyvault.clientSecret=
    partnercenter.accountId=
    partnercenter.clientId=
    partnercenter.clientSecret=
    
  5. When you run this sample project, it reads the refresh token obtained during the partner consent process. Then, it requests an access token to interact with the Partner Center SDK on the partner's behalf.

  6. Optional: uncomment the RunAzureTask and RunGraphTask function calls if you want to see how to interact with Azure Resource Manager and Microsoft Graph on behalf of the customer.

Control Panel Provider authentication

Control panel vendors need to have each partner they support perform the partner consent process. Once that is completed, the refresh token obtained through that process is used to access the Partner Center REST API and .NET API.

Samples for Cloud Panel Provider authentication

To help control panel vendors understand how to perform each required operation, we have developed the following samples. When you implement the appropriate solution in your environment, it is important that you develop a solution that is compliant with your coding standards and security policies.

.NET (CPV authentication)

  1. Develop and deploy a process for Cloud Solution Provider partners to provide the appropriate consent. For more information and an example, see partner consent.

    Important

    User credentials from a Cloud Solution Provider partner should not be stored. The refresh token obtained through the partner consent process should be stored and used to request access tokens for interacting with any Microsoft API.

  2. Clone the Partner-Center-DotNet-Samples repository using Visual Studio or the following command.

    git clone https://github.com/Microsoft/Partner-Center-DotNet-Samples.git
    
  3. Open the CPVApplication project found in the Partner-Center-DotNet-Samples\secure-app-model\keyvault directory.

  4. Update the application settings found in the App.config file.

    <!-- AppID that represents Control panel vendor application -->
    <add key="ida:CPVApplicationId" value="" />
    
    <!--
        Please use certificate as your client secret and deploy the certificate to your environment.
        The following application secret is for sample application only. please do not use secret directly from the config file.
    -->
    <add key="ida:CPVApplicationSecret" value="" />
    
    <!-- Endpoint address for the instance of Azure KeyVault -->
    <add key="KeyVaultEndpoint" value="" />
    
    <!-- AppID that is given access for keyvault to store the refresh tokens -->
    <add key="ida:KeyVaultClientId" value="" />
    
    <!--
        Please use certificate as your client secret and deploy the certificate to your environment.
        The following application secret is for sample application only. please do not use secret directly from the config file.
    -->
    <add key="ida:KeyVaultClientSecret" value="" />
    
  5. Set the appropriate values for the PartnerId and CustomerId variables found in the Program.cs file.

    // The following properties indicate which partner and customer context the calls are going to be made.
    string PartnerId = "<Partner tenant id>";
    string CustomerId = "<Customer tenant id>";
    
  6. When you run this sample project, it obtains the refresh token for the specified partner. Then, it requests an access token to access Partner Center and Azure AD Graph on behalf of the partner. The next task it performs is the deletion and creation of permission grants in the customer tenant. Since there's no relationship between the control panel vendor and the customer, these permissions need to be added using the Partner Center API. The following example shows how to accomplish that.

    JObject contents = new JObject
    {
        // Provide your application display name
        ["displayName"] = "CPV Marketplace",
    
        // Provide your application id
        ["applicationId"] = CPVApplicationId,
    
        // Provide your application grants
        ["applicationGrants"] = new JArray(
            JObject.Parse("{\"enterpriseApplicationId\": \"00000002-0000-0000-c000-000000000000\", \"scope\":\"Domain.ReadWrite.All,User.ReadWrite.All,Directory.Read.All\"}"), // for Azure AD Graph access,  Directory.Read.All
            JObject.Parse("{\"enterpriseApplicationId\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\", \"scope\":\"user_impersonation\"}")) // for Azure Resource Manager access
    };
    
    /**
     * The following steps have to be performed once per customer tenant if your application is
     * a control panel vendor application and requires customer tenant Azure AD Graph access.
     **/
    
    // delete the previous grant into customer tenant
    JObject consentDeletion = await ApiCalls.DeleteAsync(
        tokenPartnerResult.Item1,
        string.Format("https://api.partnercenter.microsoft.com/v1/customers/{0}/applicationconsents/{1}", CustomerId, CPVApplicationId));
    
    // create new grants for the application given the setting in application grants payload.
    JObject consentCreation = await ApiCalls.PostAsync(
        tokenPartnerResult.Item1,
        string.Format("https://api.partnercenter.microsoft.com/v1/customers/{0}/applicationconsents", CustomerId),
        contents.ToString());
    

After these permissions have been established, the sample performs operations using Azure AD Graph on behalf of the customer.

Java (CPV authentication)

  1. Develop and deploy a process for Cloud Solution Provider partners to provide the appropriate consent. For more information and an example, see partner consent.

    Important

    User credentials from a Cloud Solution Provider partner should not be stored. The refresh token obtained through the partner consent process should be stored and used to request access tokens for interacting with any Microsoft API.

  2. Clone the Partner-Center-Java-Samples repository using the following command.

    git clone https://github.com/Microsoft/Partner-Center-Java-Samples.git
    
  3. Open the cpvsample project found in the Partner-Center-Java-Samples\secure-app-model\keyvault directory.

  4. Update the application settings found in the application.properties file.

    azuread.authority=https://login.microsoftonline.com
    keyvault.baseurl=
    keyvault.clientId=
    keyvault.clientSecret=
    partnercenter.accountId=
    partnercenter.clientId=
    partnercenter.clientSecret=
    partnercenter.displayName=
    

    The value for partnercenter.displayName should be the display name of your marketplace application.

  5. Set the appropriate values for the partnerId and customerId variables found in the Program.java file.

    partnerId = "SPECIFY-THE-PARTNER-TENANT-ID-HERE";
    customerId = "SPECIFY-THE-CUSTOMER-TENANT-ID-HERE";
    
  6. When you run this sample project, it obtains the refresh token for the specified partner. Then, it requests an access token to access Partner Center on behalf of the partner. The next task it performs is the deletion and creation of permission grants in the customer tenant. Since there's no relationship between the control panel vendor and the customer, these permissions need to be added using the Partner Center API. The following example shows how to grant the permissions.

    ApplicationGrant azureAppGrant = new ApplicationGrant();
    
    azureAppGrant.setEnterpriseApplication("797f4846-ba00-4fd7-ba43-dac1f8f63013");
    azureAppGrant.setScope("user_impersonation");
    
    ApplicationGrant graphAppGrant = new ApplicationGrant();
    
    graphAppGrant.setEnterpriseApplication("00000002-0000-0000-c000-000000000000");
    graphAppGrant.setScope("Domain.ReadWrite.All,User.ReadWrite.All,Directory.Read.All");
    
    ApplicationConsent consent = new ApplicationConsent();
    
    consent.setApplicationGrants(Arrays.asList(azureAppGrant, graphAppGrant));
    consent.setApplicationId(properties.getProperty(PropertyName.PARTNER_CENTER_CLIENT_ID));
    consent.setDisplayName(properties.getProperty(PropertyName.PARTNER_CENTER_DISPLAY_NAME));
    
    // Deletes the existing grant in the customer tenant if one is present.
    partnerOperations.getServiceClient().delete(
        partnerOperations,
        new TypeReference<ApplicationConsent>(){},
        MessageFormat.format(
            "customers/{0}/applicationconsents/{1}",
            customerId,
            properties.getProperty(PropertyName.PARTNER_CENTER_CLIENT_ID)));
    
    // Consent to the defined applications and the respective scopes.
    partnerOperations.getServiceClient().post(
        partnerOperations,
        new TypeReference<ApplicationConsent>(){},
        MessageFormat.format(
            "customers/{0}/applicationconsents",
            customerId),
        consent);
    

Uncomment the RunAzureTask and RunGraphTask function calls if you want to see how to interact with Azure Resource Manager and Microsoft Graph on behalf of the customer.
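The .NET and Java CPV snippets above both send the same applicationconsents payload: a display name, the CPV application ID, and a list of grants, each naming an enterprise application and a comma-separated scope string, pushed into every customer tenant with a delete followed by a create. Because that consent is replayed across all of a CPV's customers, the scope list deserves a review step. The following is an added example (not from the Partner Center samples) that builds the payload with the same structure and enterprise application IDs the page uses, plans the delete-then-create calls so they can be logged before they run, and lists the scopes that confer write or full-user access so the grant can be trimmed to what the application actually needs. The CPV application ID and customer ID are placeholders.

```python
import json
from typing import Dict, List, Tuple

# Enterprise application IDs as used by the CPV samples above.
AAD_GRAPH_APP = "00000002-0000-0000-c000-000000000000"
ARM_APP = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
PARTNER_CENTER_API = "https://api.partnercenter.microsoft.com/v1"


def application_grant(enterprise_application_id: str, scopes: List[str]) -> Dict[str, str]:
    """One applicationGrants entry; scopes are joined with commas as the API expects."""
    if not scopes or any((not s) or ("," in s) or (" " in s) for s in scopes):
        raise ValueError("each scope must be a single non-empty permission name")
    return {"enterpriseApplicationId": enterprise_application_id, "scope": ",".join(scopes)}


def build_consent(display_name: str, application_id: str,
                  grants: List[Dict[str, str]]) -> Dict:
    """The applicationconsents body: displayName, applicationId, applicationGrants."""
    if not display_name or not application_id or not grants:
        raise ValueError("displayName, applicationId and at least one grant are required")
    return {"displayName": display_name, "applicationId": application_id,
            "applicationGrants": grants}


def broad_scopes(consent: Dict) -> List[str]:
    """Scopes that grant write access or act as the full user; review these
    before pushing the consent into a customer tenant."""
    flagged = []
    for grant in consent["applicationGrants"]:
        for scope in grant["scope"].split(","):
            if "ReadWrite" in scope or scope == "user_impersonation":
                flagged.append(f"{grant['enterpriseApplicationId']}:{scope}")
    return flagged


def plan_consent_calls(customer_id: str, consent: Dict) -> List[Tuple[str, str, str]]:
    """The delete-then-create sequence the samples perform, as
    (method, url, body) tuples, so it can be logged or reviewed before use."""
    base = f"{PARTNER_CENTER_API}/customers/{customer_id}/applicationconsents"
    return [
        ("DELETE", f"{base}/{consent['applicationId']}", ""),
        ("POST", base, json.dumps(consent)),
    ]


# Constructed placeholder identifiers; the scopes are the ones the page's example requests.
CPV_APP_ID = "cpv-application-id-placeholder"
CUSTOMER_ID = "customer-tenant-id-placeholder"

if __name__ == "__main__":
    consent = build_consent("CPV Marketplace", CPV_APP_ID, [
        application_grant(AAD_GRAPH_APP, ["Domain.ReadWrite.All", "User.ReadWrite.All", "Directory.Read.All"]),
        application_grant(ARM_APP, ["user_impersonation"]),
    ])
    for method, url, body in plan_consent_calls(CUSTOMER_ID, consent):
        print(method, url, body)
    print("scopes needing review:", broad_scopes(consent))
```

Run against the page's own grant list, the review reports Domain.ReadWrite.All, User.ReadWrite.All and user_impersonation; whether each is needed depends on what the marketplace application does in the customer tenant, which is exactly the question to settle before the consent is created.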